Overview

| Score | Target | Platform |
|---|---|---|
| 7 | Static | static |
| 3 | AspSWeb.exe | windows7-x64 |
| 7 | AspSWeb.exe | windows10-2004-x64 |
| 7 | _content/_...un.vbs | windows7-x64 |
| 1 | _content/_...un.vbs | windows10-2004-x64 |
| 1 | _content/_...pec.js | windows7-x64 |
| 3 | _content/_...pec.js | windows10-2004-x64 |
| 3 | _content/_...un.vbs | windows7-x64 |
| 1 | _content/_...un.vbs | windows10-2004-x64 |
| 1 | _expand/_s...cs.vbs | windows7-x64 |
| 1 | _expand/_s...cs.vbs | windows10-2004-x64 |
| 1 | about/index.asp | windows7-x64 |
| 3 | about/index.asp | windows10-2004-x64 |
| 3 | about/新...件.url | windows7-x64 |
| 1 | about/新...件.url | windows10-2004-x64 |
| 1 | admin/_adv...Add.js | windows7-x64 |
| 3 | admin/_adv...Add.js | windows10-2004-x64 |
| 3 | admin/_adv...dit.js | windows7-x64 |
| 3 | admin/_adv...dit.js | windows10-2004-x64 |
| 3 | admin/_adv...tDL.js | windows7-x64 |
| 3 | admin/_adv...tDL.js | windows10-2004-x64 |
| 3 | admin/_adv...tPF.js | windows7-x64 |
| 3 | admin/_adv...tPF.js | windows10-2004-x64 |
| 3 | admin/_adv...tTC.js | windows7-x64 |
| 3 | admin/_adv...tTC.js | windows10-2004-x64 |
| 3 | admin/_adv...un.vbs | windows7-x64 |
| 1 | admin/_adv...un.vbs | windows10-2004-x64 |
| 1 | admin/_adv...st.asp | windows7-x64 |
| 3 | admin/_adv...st.asp | windows10-2004-x64 |
| 3 | admin/_con...ut.asp | windows7-x64 |
| 3 | admin/_con...ut.asp | windows10-2004-x64 |
| 3 | admin/_con...dit.js | windows7-x64 |
| 3 | admin/_con...dit.js | windows10-2004-x64 |
Analysis

- max time kernel: 121s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 07/09/2024, 14:05
Tasks

| Task | Sample | Resource |
|---|---|---|
| static1 (static task) | | |
| behavioral1 | AspSWeb.exe | win7-20240903-en |
| behavioral2 | AspSWeb.exe | win10v2004-20240802-en |
| behavioral3 | _content/_Sort/AspCms_SortFun.vbs | win7-20240708-en |
| behavioral4 | _content/_Sort/AspCms_SortFun.vbs | win10v2004-20240802-en |
| behavioral5 | _content/_Spec/AspCms_Spec.js | win7-20240903-en |
| behavioral6 | _content/_Spec/AspCms_Spec.js | win10v2004-20240802-en |
| behavioral7 | _content/_Spec/AspCms_SpecFun.vbs | win7-20240704-en |
| behavioral8 | _content/_Spec/AspCms_SpecFun.vbs | win10v2004-20240802-en |
| behavioral9 | _expand/_statistics/AspCms_Statistics.vbs | win7-20240903-en |
| behavioral10 | _expand/_statistics/AspCms_Statistics.vbs | win10v2004-20240802-en |
| behavioral11 | about/index.asp | win7-20240903-en |
| behavioral12 | about/index.asp | win10v2004-20240802-en |
| behavioral13 | about/新云软件.url | win7-20240903-en |
| behavioral14 | about/新云软件.url | win10v2004-20240802-en |
| behavioral15 | admin/_adv/AspCms_AdvAdd.js | win7-20240729-en |
| behavioral16 | admin/_adv/AspCms_AdvAdd.js | win10v2004-20240802-en |
| behavioral17 | admin/_adv/AspCms_AdvEdit.js | win7-20240708-en |
| behavioral18 | admin/_adv/AspCms_AdvEdit.js | win10v2004-20240802-en |
| behavioral19 | admin/_adv/AspCms_AdvEditDL.js | win7-20240903-en |
| behavioral20 | admin/_adv/AspCms_AdvEditDL.js | win10v2004-20240802-en |
| behavioral21 | admin/_adv/AspCms_AdvEditPF.js | win7-20240903-en |
| behavioral22 | admin/_adv/AspCms_AdvEditPF.js | win10v2004-20240802-en |
| behavioral23 | admin/_adv/AspCms_AdvEditTC.js | win7-20240903-en |
| behavioral24 | admin/_adv/AspCms_AdvEditTC.js | win10v2004-20240802-en |
| behavioral25 | admin/_adv/AspCms_AdvFun.vbs | win7-20240903-en |
| behavioral26 | admin/_adv/AspCms_AdvFun.vbs | win10v2004-20240802-en |
| behavioral27 | admin/_adv/AspCms_AdvList.asp | win7-20240903-en |
| behavioral28 | admin/_adv/AspCms_AdvList.asp | win10v2004-20240802-en |
| behavioral29 | admin/_content/_About/AspCms_About.asp | win7-20240708-en |
| behavioral30 | admin/_content/_About/AspCms_About.asp | win10v2004-20240802-en |
| behavioral31 | admin/_content/_About/AspCms_AboutEdit.js | win7-20240903-en |
| behavioral32 | admin/_content/_About/AspCms_AboutEdit.js | win10v2004-20240802-en |
General

- Target: AspSWeb.exe
- Size: 688KB
- MD5: 3b12a13eedbe6e6816f3cb62baf8751a
- SHA1: d02c4b830efa1cbce5ec39f71a2290a4d9ccb7e9
- SHA256: e6a580c6ed95ffb1a29f4a862370db60ea2295d75e3100b987196361f403d187
- SHA512: 071220c5c2d6d05fb79ae96a48069a18a698d983adef7f588ce7672dc16a380f1e180ba167d1c66bef76f5dc770bab3f66244d87f41d944252f69be919350cec
- SSDEEP: 12288:7/JFZqYMOaQ0q9nV/zsnK23KHVI6nodVdyMLiqyVcxwtVxgpMiuzOT6:7BFZqhOBnVyK23C6OoYMLiVcKtVx4Mij
Signatures

Executes dropped EXE (1 IoC)

| PID | Process |
|---|---|
| 2588 | TMPNB28.tmp |

Loads dropped DLL (2 IoCs)

| PID | Process |
|---|---|
| 2776 | AspSWeb.exe |
| 2776 | AspSWeb.exe |

Enumerates connected drives (3 TTPs, 23 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

| Description | IoC | Process |
|---|---|---|
| File opened (read-only) | `\??\m:` | TMPNB28.tmp |
| File opened (read-only) | `\??\p:` | TMPNB28.tmp |
| File opened (read-only) | `\??\q:` | TMPNB28.tmp |
| File opened (read-only) | `\??\r:` | TMPNB28.tmp |
| File opened (read-only) | `\??\x:` | TMPNB28.tmp |
| File opened (read-only) | `\??\a:` | TMPNB28.tmp |
| File opened (read-only) | `\??\g:` | TMPNB28.tmp |
| File opened (read-only) | `\??\i:` | TMPNB28.tmp |
| File opened (read-only) | `\??\w:` | TMPNB28.tmp |
| File opened (read-only) | `\??\j:` | TMPNB28.tmp |
| File opened (read-only) | `\??\l:` | TMPNB28.tmp |
| File opened (read-only) | `\??\o:` | TMPNB28.tmp |
| File opened (read-only) | `\??\u:` | TMPNB28.tmp |
| File opened (read-only) | `\??\v:` | TMPNB28.tmp |
| File opened (read-only) | `\??\e:` | TMPNB28.tmp |
| File opened (read-only) | `\??\h:` | TMPNB28.tmp |
| File opened (read-only) | `\??\n:` | TMPNB28.tmp |
| File opened (read-only) | `\??\s:` | TMPNB28.tmp |
| File opened (read-only) | `\??\t:` | TMPNB28.tmp |
| File opened (read-only) | `\??\y:` | TMPNB28.tmp |
| File opened (read-only) | `\??\z:` | TMPNB28.tmp |
| File opened (read-only) | `\??\b:` | TMPNB28.tmp |
| File opened (read-only) | `\??\k:` | TMPNB28.tmp |

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

Bootkits write to the MBR to gain persistence at a level below the operating system.

| Description | IoC | Process |
|---|---|---|
| File opened for modification | `\??\PhysicalDrive0` | TMPNB28.tmp |

Drops file in System32 directory (2 IoCs)

| Description | IoC | Process |
|---|---|---|
| File created | `C:\Windows\SysWOW64\TMPNB28.tmp` | AspSWeb.exe |
| File opened for modification | `C:\Windows\SysWOW64\TMPNB28.tmp` | AspSWeb.exe |

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| Description | IoC | Process |
|---|---|---|
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | cmd.exe |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | NETSTAT.EXE |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | TMPNB28.tmp |
| Key opened | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language` | AspSWeb.exe |

Gathers network information (2 TTPs, 1 IoC)

Uses a command-line utility to view the network configuration.

| PID | Process |
|---|---|
| 2688 | NETSTAT.EXE |

Suspicious behavior: EnumeratesProcesses (1 IoC)

| PID | Process |
|---|---|
| 2588 | TMPNB28.tmp |

Suspicious use of AdjustPrivilegeToken (2 IoCs)

| Description | PID | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2776 | AspSWeb.exe |
| Token: SeDebugPrivilege | 2688 | NETSTAT.EXE |

Suspicious use of FindShellTrayWindow (1 IoC)

| PID | Process |
|---|---|
| 2776 | AspSWeb.exe |

Suspicious use of SendNotifyMessage (1 IoC)

| PID | Process |
|---|---|
| 2776 | AspSWeb.exe |

Suspicious use of SetWindowsHookEx (3 IoCs)

| PID | Process |
|---|---|
| 2776 | AspSWeb.exe |
| 2588 | TMPNB28.tmp |
| 2588 | TMPNB28.tmp |

Suspicious use of WriteProcessMemory (12 IoCs)

| Description | PID | Process | procid_target | Entries |
|---|---|---|---|---|
| PID 2776 wrote to memory of 2836 | 2776 | AspSWeb.exe | 30 | 4 |
| PID 2836 wrote to memory of 2688 | 2836 | cmd.exe | 32 | 4 |
| PID 2776 wrote to memory of 2588 | 2776 | AspSWeb.exe | 33 | 4 |
Processes

- `C:\Users\Admin\AppData\Local\Temp\AspSWeb.exe` (command line: `"C:\Users\Admin\AppData\Local\Temp\AspSWeb.exe"`), PID 2776
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - `C:\Windows\SysWOW64\cmd.exe` (command line: `cmd /c netstat /na`), PID 2836
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - `C:\Windows\SysWOW64\NETSTAT.EXE` (command line: `netstat /na`), PID 2688
      - System Location Discovery: System Language Discovery
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
  - `C:\Windows\SysWOW64\TMPNB28.tmp` (command line: `C:\Windows\system32\TMPNB28.tmp -run C:\Users\Admin\AppData\Local\Temp\nb28.tmp`), PID 2588
    - Executes dropped EXE
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx