140c37210d057d81b9e7a8a6c63483699812bf1b12dcd3f634bac5f8918ba896

General

Target

5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Size

497KB
MD5

5be6e2c83e2ed19e4b2c9ea83b734860
SHA1

f1e4b6ef5b36d2098b652fd2ee5c2bad936ef7dc
SHA256

140c37210d057d81b9e7a8a6c63483699812bf1b12dcd3f634bac5f8918ba896
SHA512

c051251bb6d8dd4e79aaa50f1a7450e3954c2168ebd68c3589cb2a03c24183d1c920925aa4727609aa2b1924f2ff9a48379273084b44755916bd9d011b140f03
SSDEEP

6144:yiNjjdOCJnUNKMEPDGeoo1HyisWW4g0QTxbGctE6Jm20tdVgWwAidpNCgrBF:TjjwULQoN84XQT08JoVgWwAkAQ

Score

7^/10

aspackv2 discovery persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000700000002346a-20.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2428	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
3984	Regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CCLGYY.EXE = "C:\\Users\\svchost.exe"	5be6e2c83e2ed19e4b2c9ea83b734860N.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\G:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\I:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\N:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\P:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\R:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\S:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\U:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\H:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\K:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\M:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\Q:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\T:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\V:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\E:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\J:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File opened (read-only)	\??\L:	5be6e2c83e2ed19e4b2c9ea83b734860N.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CCLGYY.EXE	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
File created	C:\Windows\SysWOW64\Ms7002.dll	5be6e2c83e2ed19e4b2c9ea83b734860N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5be6e2c83e2ed19e4b2c9ea83b734860N.exe

Modifies registry class 26 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Users\\CCLGYY.EXE \"%1\""	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\CCLGYY.EXE"	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Users\\CCLGYY.EXE \"%1\""	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\CCLGYY.EXE %1"	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\PerfLogs\\VQH.EXE %1"	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2508	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
2508	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
2508	5be6e2c83e2ed19e4b2c9ea83b734860N.exe
2508	5be6e2c83e2ed19e4b2c9ea83b734860N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2428	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 3984	2508	5be6e2c83e2ed19e4b2c9ea83b734860N.exe	87
PID 2508 wrote to memory of 3984	2508	5be6e2c83e2ed19e4b2c9ea83b734860N.exe	87
PID 2508 wrote to memory of 3984	2508	5be6e2c83e2ed19e4b2c9ea83b734860N.exe	87
PID 2508 wrote to memory of 2428	2508	5be6e2c83e2ed19e4b2c9ea83b734860N.exe	88
PID 2508 wrote to memory of 2428	2508	5be6e2c83e2ed19e4b2c9ea83b734860N.exe	88
PID 2508 wrote to memory of 2428	2508	5be6e2c83e2ed19e4b2c9ea83b734860N.exe	88

C:\Users\Admin\AppData\Local\Temp\5be6e2c83e2ed19e4b2c9ea83b734860N.exe
"C:\Users\Admin\AppData\Local\Temp\5be6e2c83e2ed19e4b2c9ea83b734860N.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3984
- C:\PerfLogs\svchost.exe
  C:\PerfLogs\svchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\svchost.exe

Filesize
497KB

MD5
a73e59c29dd7cb063c1b8abfa6850f09

SHA1
c82051f7cb6e3900dad881c316354338ac1a4692

SHA256
f9dad7643ee17f2f27dc1375aef425aa7eb5ae6d5345100b7d14d4424c11ffae

SHA512
9ad22e96477c9f2440a6864136c6d1174eb56b4d019df74978c65d2764ec0e984fd7b2b9c41e17527b7ef899a12a3c1b1a9a930c33a7e2fd76c975ab3d70ae37

Download Submit
C:\Users\CCLGYY.EXE

Filesize
497KB

MD5
4c88ef5b4caa97c36ffc6a3377e9765c

SHA1
7aa4ddf3a384286173d7f24ff0050343020c0c15

SHA256
22f6c7e7811a7e9496d754f22a520e5275b32453a83535a732c41ed99a15145e

SHA512
bdd6ebb85f069b5340781f9cb02cc18b972fb1794c664a4012351dd110139be84d9bb293fc2620fd65e95b9ff5256005f384402c0fdbb303d58debd116ed8473

Download Submit
C:\Windows\SysWOW64\Ms7002.dll

Filesize
52KB

MD5
876a2a99b81968f5b26e3cbe12063d2b

SHA1
7afa8f33b691b2651b65eb07220cc2fda4b7537c

SHA256
f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0

SHA512
ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1

Download Submit
C:\filedebug

Filesize
205B

MD5
2f389f0dca36e22c0811db7d260f740c

SHA1
62077f3a13d559730db541c11f155079d37d5e0b

SHA256
9aa5af3786fe23809bdda6c6ac7b8fbe0ae20fc9da1c28b82bb9b7516ffae52b

SHA512
1e0457183b5bf9061311bfcb2c714f9d006ea4b71beff43e065426d1eddcb5f98991dbf9922586b9e59c36638956ff6491244816a8097d01f05a2a99eb0e9e1f

Download Submit
memory/2428-25-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2428-26-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2508-0-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads