Analysis

  • max time kernel
    140s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/09/2024, 20:29

General

  • Target

    363d6cf199c3821ab56f0a93639398d4b82f98eec2bd9f7e69b0234bf9c69967.exe

  • Size

    474KB

  • MD5

    fa95f30ec75014848d0a5fe493340b12

  • SHA1

    a2a9c0ff3dd4f3bffd26143fdf91ec578b841e46

  • SHA256

    363d6cf199c3821ab56f0a93639398d4b82f98eec2bd9f7e69b0234bf9c69967

  • SHA512

    a8e5652b8466a69b39f2f601695f526bcf734283fca0f3e6be12297000aeb073f1974e49eb5743b8579889f123f48ea62c9789bd60a83ed326dc132ac9957f58

  • SSDEEP

    3072:qIHucMO03on/MnC6rWVC7Vr338NVtvglt6BAJb89:VH83on/MnZYKD3Wtvgl0BA6

Malware Config

Signatures

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\363d6cf199c3821ab56f0a93639398d4b82f98eec2bd9f7e69b0234bf9c69967.exe
        "C:\Users\Admin\AppData\Local\Temp\363d6cf199c3821ab56f0a93639398d4b82f98eec2bd9f7e69b0234bf9c69967.exe"
        2⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1384
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 176
          3⤵
          • Program crash
          PID:2452

    Network

          Downloads

          • \Users\Admin\AppData\Local\Temp\cvasds0.dll

            Filesize

            78KB

            MD5

            fa52355e2a3d9e5345b3562881600792

            SHA1

            316414b07d34d1e2a0a7dc2b372e1ed27f1f5114

            SHA256

            2f334f90c6811bac39b078511a897d54b71111a693071bc4224f6341e014a524

            SHA512

            8d8b2338d9644ea7c784a931381a15950e73aa48e5f3d541cc7215f4f45d69f3072bb5a2eec2c161883be62746b96abf94ccd51f5c9d5adf67b7ea958492c112

          • memory/1200-6-0x0000000002580000-0x0000000002581000-memory.dmp

            Filesize

            4KB

          • memory/1384-0-0x0000000000400000-0x0000000000479000-memory.dmp

            Filesize

            484KB

          • memory/1384-4-0x0000000000401000-0x0000000000403000-memory.dmp

            Filesize

            8KB

          • memory/1384-10-0x0000000000400000-0x0000000000479000-memory.dmp

            Filesize

            484KB

          • memory/1384-9-0x0000000010000000-0x0000000010071000-memory.dmp

            Filesize

            452KB

          • memory/1384-19-0x0000000010000000-0x0000000010071000-memory.dmp

            Filesize

            452KB