b9c6547ac32afc2c422b3ad73807dc4c4f365ce452de62f89230d41399d67219

Analysis

max time kernel
148s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9c6547ac32afc2c422b3ad73807dc4c4f365ce452de62f89230d41399d67219.exe
Size

2.0MB
MD5

96b3148ff5cb0c016e4925cc264cbe87
SHA1

80b84430acd5e5863e1622a5f8c3929d33988bea
SHA256

b9c6547ac32afc2c422b3ad73807dc4c4f365ce452de62f89230d41399d67219
SHA512

2676c40c14d75ef434cb8cd9ef725f4bec3f230796ceeb7e8a001c69d1ffcc29c8480a0f116fc5897ba6bf3e97d41f56cdb0848ecb8fdfda9b1baa24d6f77d4c
SSDEEP

12288:CPv1EUs/8d7MN4LRRL/Lb6jQMpvsMfUFOdGuDsGaJ4XPH9h54LDQHtF4ADyfx6:CPKUs+7MN4r6jQMpvs3UdkGXPJc6

Score

7^/10

aspackv2 discovery upx

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000100000000002a-7.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
856	wchost.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4520-1-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral2/memory/4520-3-0x0000000000ED0000-0x0000000000EDB000-memory.dmp	upx
behavioral2/memory/4520-4-0x0000000000ED0000-0x0000000000EDB000-memory.dmp	upx
behavioral2/memory/4520-2-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral2/memory/856-10-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral2/memory/856-11-0x0000000000D90000-0x0000000000D9B000-memory.dmp	upx
behavioral2/memory/856-12-0x0000000000D90000-0x0000000000D9B000-memory.dmp	upx
behavioral2/memory/856-15-0x0000000010000000-0x000000001001E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9c6547ac32afc2c422b3ad73807dc4c4f365ce452de62f89230d41399d67219.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe
856	wchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4520	b9c6547ac32afc2c422b3ad73807dc4c4f365ce452de62f89230d41399d67219.exe
4520	b9c6547ac32afc2c422b3ad73807dc4c4f365ce452de62f89230d41399d67219.exe
856	wchost.exe
856	wchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 856	4520	b9c6547ac32afc2c422b3ad73807dc4c4f365ce452de62f89230d41399d67219.exe	86
PID 4520 wrote to memory of 856	4520	b9c6547ac32afc2c422b3ad73807dc4c4f365ce452de62f89230d41399d67219.exe	86
PID 4520 wrote to memory of 856	4520	b9c6547ac32afc2c422b3ad73807dc4c4f365ce452de62f89230d41399d67219.exe	86

C:\Users\Admin\AppData\Local\Temp\b9c6547ac32afc2c422b3ad73807dc4c4f365ce452de62f89230d41399d67219.exe
"C:\Users\Admin\AppData\Local\Temp\b9c6547ac32afc2c422b3ad73807dc4c4f365ce452de62f89230d41399d67219.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4520
- F:\wchost.exe
  F:\wchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

F:\wchost.exe

Filesize
2.0MB

MD5
96b3148ff5cb0c016e4925cc264cbe87

SHA1
80b84430acd5e5863e1622a5f8c3929d33988bea

SHA256
b9c6547ac32afc2c422b3ad73807dc4c4f365ce452de62f89230d41399d67219

SHA512
2676c40c14d75ef434cb8cd9ef725f4bec3f230796ceeb7e8a001c69d1ffcc29c8480a0f116fc5897ba6bf3e97d41f56cdb0848ecb8fdfda9b1baa24d6f77d4c

Download Submit
memory/856-10-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/856-11-0x0000000000D90000-0x0000000000D9B000-memory.dmp

Filesize
44KB

Download
memory/856-12-0x0000000000D90000-0x0000000000D9B000-memory.dmp

Filesize
44KB

Download
memory/856-15-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/856-16-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/4520-0-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download
memory/4520-1-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4520-3-0x0000000000ED0000-0x0000000000EDB000-memory.dmp

Filesize
44KB

Download
memory/4520-4-0x0000000000ED0000-0x0000000000EDB000-memory.dmp

Filesize
44KB

Download
memory/4520-2-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/4520-14-0x0000000000400000-0x0000000000843000-memory.dmp

Filesize
4.3MB

Download