Analysis

  • max time kernel
    114s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/11/2024, 13:53

General

  • Target

    f6af401ecdfcf49ee6658b0227ea9f6fc407b3bcb09ed2b2d50cf0b5d092ae4f.exe

  • Size

    43KB

  • MD5

    a6927a5b7739703aff1ef6edb1b836ca

  • SHA1

    772e70ab6f8d8aa50f98fac7a0078ac512c27ecf

  • SHA256

    f6af401ecdfcf49ee6658b0227ea9f6fc407b3bcb09ed2b2d50cf0b5d092ae4f

  • SHA512

    4a36be5e23ef09dce920d17921b6014a62b90f22842800a245ba03833694b388b42d1abc3c2229e6652e7fa2264c4361dbb094aa4a20e4e656e2e85b32a46e3a

  • SSDEEP

    768:xkF37jMLFyeYHYUVZ4qM0Pb0P85Wes3mxGha5FEBqV4hgVLvx:xmos3Z4qMqb0P22POqgtZ

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6af401ecdfcf49ee6658b0227ea9f6fc407b3bcb09ed2b2d50cf0b5d092ae4f.exe
    "C:\Users\Admin\AppData\Local\Temp\f6af401ecdfcf49ee6658b0227ea9f6fc407b3bcb09ed2b2d50cf0b5d092ae4f.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Admin\AppData\Roaming\webcam_plugin.exe
      C:\Users\Admin\AppData\Roaming\webcam_plugin.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe
        C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1068
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c UNISTA~1.BAT
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2288

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Unistalliveshows.bat

    Filesize

    88B

    MD5

    9e771543981fbe1a58d429795e1a631f

    SHA1

    3b231887441b1f8b2c90896131c0550c557bdfaa

    SHA256

    a8ed05538d0bdaafb3d12622d2e4b8efa9638c8e2ae1cbbe0d890eb71f8afed3

    SHA512

    63fa10bf6e0b5dbcbceddee0631804b1b173c902be62cdcdf56c6b1b2f43cd62d9628342f7e91a60b977981918c6d42fdeee89defac9ab6c624d1eb679ce8c2d

  • \Users\Admin\AppData\Roaming\webcam_plugin.exe

    Filesize

    43KB

    MD5

    49646e603a809de63c005f859c1391f8

    SHA1

    f4c9f65f60461d53e540f09c68d8b63ed996daa8

    SHA256

    cb289f6e2bdadc1fe14b8883db949dc615d4730c34e2f2993d5935f16c61ba17

    SHA512

    d9f67edcbb1360d654112d040ebe7c59be10abe8a69dbb8f52db8b126c3b3ac902db392fbf9d9f05779760d1f13c8534b0e94ee0e54c032bc860621d9f90dd49

  • memory/1068-15-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/1068-38-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/1728-13-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/1728-27-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/1952-14-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB