Analysis Overview
SHA256
b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296a
Threat Level: Shows suspicious behavior
The file b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296aN was found to show suspicious behavior.
Malicious Activity Summary
ASPack v2.12-2.42
Deletes itself
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 10:28
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 10:28
Reported
2024-11-09 10:30
Platform
win7-20241010-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\SvcHosts32 = "C:\\Windows\\system32\\svchosts.exe" | C:\Users\Admin\AppData\Local\Temp\b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296aN.exe | N/A |
Drops file in System32 directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1720 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296aN.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1720 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296aN.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1720 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296aN.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1720 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296aN.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296aN.exe
"C:\Users\Admin\AppData\Local\Temp\b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296aN.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\$$$$$.bat
Network
Files
memory/1720-0-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\drivers32\Tomb Raider - The Angel of Darkness No-Cd Crack.exe
| Hash | Value |
|---|---|
| MD5 | aa9feda51e3fa36134ac2a91d2ae3be0 |
| SHA1 | 3d4c1dc0f3ae0866a214fe6c78a6faa435cffcc6 |
| SHA256 | b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296a |
| SHA512 | e7340e8afa991c9e74c2e2267f1bd3b58b73da32438876d2dc3b4dd289e47ca3511eb9b736740745ceed708346705bfd3a1c1b5bb0e2437bf7e8935cc4c719a3 |
memory/1720-514-0x0000000000400000-0x000000000043F000-memory.dmp
C:\$$$$$.bat
| Hash | Value |
|---|---|
| MD5 | ffe800a6183a21a42e6bc5d6049d0689 |
| SHA1 | 31b6359bcabfc53eac465c781b6bd41fa0e37d90 |
| SHA256 | 45f5553243938b674898b9b9b89d185d4f50f6d7c5f3335bce00e4a02f621132 |
| SHA512 | 07f6a10621b3e07bedbf745f2dcd98ec05e355420ebd73a280c43d7215f272c99c176df67786eae90a6cf1effec952f263bfbe9b3e9a4a3f088f5388766a4cd7 |
memory/1720-826-0x0000000000400000-0x000000000043F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 10:28
Reported
2024-11-09 10:30
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SvcHosts32 = "C:\\Windows\\system32\\svchosts.exe" | C:\Users\Admin\AppData\Local\Temp\b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296aN.exe | N/A |
Drops file in System32 directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1468 wrote to memory of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296aN.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1468 wrote to memory of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296aN.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1468 wrote to memory of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296aN.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296aN.exe
"C:\Users\Admin\AppData\Local\Temp\b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296aN.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\$$$$$.bat
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.82.67.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/1468-0-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\drivers32\Tomb Raider - The Angel of Darkness No-Cd Crack.exe
| Hash | Value |
|---|---|
| MD5 | aa9feda51e3fa36134ac2a91d2ae3be0 |
| SHA1 | 3d4c1dc0f3ae0866a214fe6c78a6faa435cffcc6 |
| SHA256 | b5f6a947e9ffe3d0f520255e6c7e546231b671e5d66739d8ffb6a03a3e9d296a |
| SHA512 | e7340e8afa991c9e74c2e2267f1bd3b58b73da32438876d2dc3b4dd289e47ca3511eb9b736740745ceed708346705bfd3a1c1b5bb0e2437bf7e8935cc4c719a3 |
memory/1468-515-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1468-821-0x0000000000400000-0x000000000043F000-memory.dmp
\??\c:\$$$$$.bat
| Hash | Value |
|---|---|
| MD5 | ffe800a6183a21a42e6bc5d6049d0689 |
| SHA1 | 31b6359bcabfc53eac465c781b6bd41fa0e37d90 |
| SHA256 | 45f5553243938b674898b9b9b89d185d4f50f6d7c5f3335bce00e4a02f621132 |
| SHA512 | 07f6a10621b3e07bedbf745f2dcd98ec05e355420ebd73a280c43d7215f272c99c176df67786eae90a6cf1effec952f263bfbe9b3e9a4a3f088f5388766a4cd7 |