48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796

General

Target

48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe
Size

430KB
MD5

bbd6ba7d41989c65425765288a8f9e0d
SHA1

6ad468b075ddb38dfec940402eb4be59848497c7
SHA256

48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796
SHA512

c24864a3aa6a01b0c80067be6edcbabfc7e016a744e1e9bcf8e9bfeb2ae34eb7a27d6f63fdbec3bea4513ef8b6639e3f282e40ea07ec4b9b123def4677177d6d
SSDEEP

12288:CzCr6D+2OkeG9F1xk1kwZRo5FbDFBQX6f6AkdIAELARixZFDuf:Cza2OkeG9jxyTo5Fbz/zkOLLARixXDuf

Score

7^/10

aspackv2 discovery persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00070000000120fe-14.dat	aspack_v212_v242

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe

Loads dropped DLL 2 IoCs

pid	Process
2520	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe
2520	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2520	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe
2520	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe
2520	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe
2520	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe
2520	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe
2520	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe
2520	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe
2520	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2520	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2520	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe
2520	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2236	2520	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe	30
PID 2520 wrote to memory of 2236	2520	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe	30
PID 2520 wrote to memory of 2236	2520	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe	30
PID 2520 wrote to memory of 2236	2520	48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe	30

C:\Users\Admin\AppData\Local\Temp\48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe
"C:\Users\Admin\AppData\Local\Temp\48585fac31db2b1e7bf997a52c770f929f272c5ce37ac8911369d87be7beb796.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
5611518085f0e601b7af262b73ca1e21

SHA1
679e284b4e15030b11e9fcab9e54090f6128c6c2

SHA256
8e59e3dc5427519534af0cfb2713d94388d03240f4f6d2c9ec6a13db1d9812ab

SHA512
0fc4c396d00386c7942366bab8bf30b59723f4a8b0d5bfe00dbc4a74df13acb68cd6616694a81de199bcd2409ff41b6dcaca931614165deefadd728350c52bcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
12092a76b0be0e62d081dbe57f9ce913

SHA1
161650f005c8ce0efe0c5ae2629284b6d21795cf

SHA256
5991b5585f69ad6ac89fb07cc9471082c71b94a34a361d7afbbda8b734309f18

SHA512
4cd982f05110e1b9ceeed01333e3ef39ed910bb205cf4d3d00cc591e6df902af0a23bd18b1d32ec2b154f0f928c76646536f8d5d0516ebb880001c159fdc69ab

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
430KB

MD5
93ef1dffd7063c3a97a3c0d3f03b58e2

SHA1
4fd33a703945689d10b644da3308312ebb84e372

SHA256
4cc4757a4f2aec76e2cc5de6296534d3644e2504d9bbfe74e4748c8bf8f54dc6

SHA512
ab12a1ec37fce80cf9f172a429e20ea8f95d7e555f7fcc8ef17ff28f8f096c241f8fb7ffa9e54f0a47a631f35a614b3bfe739ac42f734f3e69778bcdd23b344a

Download Submit
memory/2520-21-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2520-27-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2520-17-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/2520-0-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2520-1-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2520-3-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2520-24-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2520-18-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/2520-31-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2520-33-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/2520-34-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/2520-2-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2520-36-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2520-39-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2520-42-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads