Overview

overview

10

Static

static

7

a812ed1d18...c7.exe

windows7-x64

10

a812ed1d18...c7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 03:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a812ed1d18abc7ac7a202c491ce11a2166a5848118eed23502ed91a102d862c7.exe

  • Size

    64KB

  • MD5

    d721e2bf9abc01139dcebd832734eb86

  • SHA1

    a1c1f777e8b73dd61b89166798bf05163355c0ef

  • SHA256

    a812ed1d18abc7ac7a202c491ce11a2166a5848118eed23502ed91a102d862c7

  • SHA512

    b8d04c658f5a9ad4bd4b3c0940ff24b8f9fc00447293fa3c285d2ac917829aa97864ad6da914e05bce09ecae60a997b69e52978f44dc15fa402e8324e655216a

  • SSDEEP

    1536:8g/9T8ROcQupqqusN3mrS/ztMhkywRFUnTmc5n4IIIIIIIIIIIIIIIIII/IIIIIn:8g585LpPCrQt7F84IIIIIIIIIIIIIIIl

Score
10/10
aspackv2discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 2 IoCs
  • Modifies system executable filetype association 2 TTPs 8 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 44 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a812ed1d18abc7ac7a202c491ce11a2166a5848118eed23502ed91a102d862c7.exe
    "C:\Users\Admin\AppData\Local\Temp\a812ed1d18abc7ac7a202c491ce11a2166a5848118eed23502ed91a102d862c7.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\SMSSaw.exe
      "C:\Windows\SMSSaw.exe" -xInstallOurNiceServicesYes
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:2788
  • C:\Windows\SMSSaw.exe
    C:\Windows\SMSSaw.exe -xStartOurNiceServicesYes
    1⤵
    • Modifies WinLogon for persistence
    • Executes dropped EXE
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SMSSaw.exe
    Filesize

    64KB

    MD5

    d721e2bf9abc01139dcebd832734eb86

    SHA1

    a1c1f777e8b73dd61b89166798bf05163355c0ef

    SHA256

    a812ed1d18abc7ac7a202c491ce11a2166a5848118eed23502ed91a102d862c7

    SHA512

    b8d04c658f5a9ad4bd4b3c0940ff24b8f9fc00447293fa3c285d2ac917829aa97864ad6da914e05bce09ecae60a997b69e52978f44dc15fa402e8324e655216a

    Download Submit

  • C:\Windows\Temp\ACqwXwju.Xrx\message.htm
    Filesize

    88KB

    MD5

    7a3013546726a994cfabfcfb15c664ef

    SHA1

    fb556306f92b4626b116950a4733bd4e194ce0e6

    SHA256

    8ab30c2913d3839e4ae1936801c0fdcab6d6bec0696fad9905308d073966a10f

    SHA512

    1fe5a5a389220a6192a6e31d8b188934555300ffdc311304dc4f7d81d7fdc77cb381eecff6987d777a09a71b59279e06bf3e3f17216e62f42f9702578342a628

    Download Submit

  • C:\Windows\message.dat
    Filesize

    88KB

    MD5

    96351fb905f54f3515a8158eb779603e

    SHA1

    98ea130002f203e6b0bee2696eed0fd562c72015

    SHA256

    4094c0f1ac2bd0884c08a3e3c123967c6dbb3745437ac8b0e7d6c863a59dd2b8

    SHA512

    64489eb4db9ec86855c4615b1c6ace4c9ad802b69a8af30752b2d053f49ec2d65fa704464a10c7ae8e008511a213dd2ca15dce22e28e2c4f9632ab49ca626aac

    Download Submit

  • C:\Windows\svchost.exe
    Filesize

    64KB

    MD5

    e6a623ee077bae1c7d1bb7e606b4d8a3

    SHA1

    60f3474d48d5f87bbcea0628ad8eda40ff354430

    SHA256

    c7dc4534106854b62425af53d6bc3ed0c7a7fe16bf03df5b52b55841f129fe54

    SHA512

    ab978faeb02ec87af528be2cbad890e3d6f16a7af01f6854577b6ac7322242daeac13b5c5fedf981ffbbc014c6e5b5aefb08a9d07f2902279da62f13d2e66c5a

    Download Submit

  • memory/2788-10-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2816-46-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2816-421-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2816-419-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2816-427-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2816-74-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2816-360-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2816-172-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2816-270-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2868-261-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2868-422-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2868-163-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2868-64-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2868-418-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2868-420-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2868-47-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2868-359-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2868-424-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2868-426-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2868-45-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2868-428-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2868-430-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2868-432-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download