General

  • Target

    aspyxia cs2.zip

  • Size

    8.8MB

  • Sample

    240802-q59lmaxcmj

  • MD5

    c15c304c1ecfb71c61d26c1504f7341c

  • SHA1

    565636a1953d712ccc318a35eb7efd700b288f79

  • SHA256

    3b2918b2a20fe71ed6bc43c410dfb3b29c1d17fc52e940d3326c0c9e99b7ee39

  • SHA512

    8c0a796badccdf29ec6f9f7adf805520b89370365f259ed4c56cc5709f522f492031ec1bb53833b415ac77496a35397c06a48b7b83bba748cf43c1d7084eb747

  • SSDEEP

    196608:MD5ektUw8dOuEOQQBsXVq4TXkTtieHFVdANEgNTSsjSOhd7Ccqx/UgC88g:k3KOBBO4TXkTkNPTSs+Ob768gCK

Malware Config

Targets

    • Target

      aspyxia cs2/!Read_Прочти.txt

    • Size

      528B

    • MD5

      7f91417e1849b7c949a694add4733101

    • SHA1

      43b35c642b2a744a29242259b9b7cd981f6dc205

    • SHA256

      30d5eaf14285a96d0b748e03e0fd80a3b9edda55b21c4b469baabd3096c9680d

    • SHA512

      8abea88e1caf39bb22fe7003ed607994f71f52c739fe4484ebeee5bba3397960a2ed70ebd8b7f50f15b8e807ea4fbd66c29e22be4d37e55e2a78da723959d579

    • Score

      1/10

    • Target

      aspyxia cs2/aspyxia.exe

    • Size

      8.8MB

    • MD5

      f021ccfabbad6889e548d13301f7e874

    • SHA1

      c09f050149c039559826dee51d471830fb2c218e

    • SHA256

      f18cce6e1f2899ce0f8e6b82cdbd4b474f695e8bb0d072c4e1935f94aad35fea

    • SHA512

      6bfd4ac85ccb22ae66a6802b56f21551973733958880efd948a07a9855894d24aaea3cfcdb48ccb19bbac7ad902be771c3335ce72e0f519c0aeee8d0e1df85e1

    • SSDEEP

      196608:5D5ektUw8dOuEOQQBsXVq4TXkTtieHFVdANEgNTSsjSOhd7Ccqx/UgC88:53KOBBO4TXkTkNPTSs+Ob768gC

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks