Malware Analysis Report

2025-08-05 14:43

Sample ID 250701-h91waagr6v
Target 0ab83d1d58d0322d45d43cbd384ae714276e0d26c41324532193755fb91ecae4
SHA256 0ab83d1d58d0322d45d43cbd384ae714276e0d26c41324532193755fb91ecae4
Tags
aspackv2 bootkit discovery persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

0ab83d1d58d0322d45d43cbd384ae714276e0d26c41324532193755fb91ecae4

Threat Level: Likely malicious

The file 0ab83d1d58d0322d45d43cbd384ae714276e0d26c41324532193755fb91ecae4 was found to be: Likely malicious.

Malicious Activity Summary

aspackv2 bootkit discovery persistence spyware stealer

Blocklisted process makes network request

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

ASPack v2.12-2.42

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Enumerates connected drives

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-01 07:26

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-01 07:26

Reported

2025-07-01 07:29

Platform

win10v2004-20250619-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ab83d1d58d0322d45d43cbd384ae714276e0d26c41324532193755fb91ecae4.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\adwnerli.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\adwnerli.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3008489981-1977616533-741913813-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\raksf\\hkqcv.dll\",GetWindowClass" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\adwnerli.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0ab83d1d58d0322d45d43cbd384ae714276e0d26c41324532193755fb91ecae4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A \??\c:\windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ab83d1d58d0322d45d43cbd384ae714276e0d26c41324532193755fb91ecae4.exe N/A
N/A N/A \??\c:\adwnerli.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1860 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\0ab83d1d58d0322d45d43cbd384ae714276e0d26c41324532193755fb91ecae4.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\0ab83d1d58d0322d45d43cbd384ae714276e0d26c41324532193755fb91ecae4.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\0ab83d1d58d0322d45d43cbd384ae714276e0d26c41324532193755fb91ecae4.exe C:\Windows\SysWOW64\cmd.exe
PID 372 wrote to memory of 3812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 372 wrote to memory of 3812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 372 wrote to memory of 3812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 372 wrote to memory of 3108 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\adwnerli.exe
PID 372 wrote to memory of 3108 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\adwnerli.exe
PID 372 wrote to memory of 3108 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\adwnerli.exe
PID 3108 wrote to memory of 4796 N/A \??\c:\adwnerli.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3108 wrote to memory of 4796 N/A \??\c:\adwnerli.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3108 wrote to memory of 4796 N/A \??\c:\adwnerli.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 4416 wrote to memory of 1260 N/A C:\Windows\system32\cmd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 4416 wrote to memory of 1260 N/A C:\Windows\system32\cmd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 4416 wrote to memory of 1260 N/A C:\Windows\system32\cmd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1260 wrote to memory of 632 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 632 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 632 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\cmd.exe
PID 632 wrote to memory of 4112 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 632 wrote to memory of 4112 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 632 wrote to memory of 4112 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0ab83d1d58d0322d45d43cbd384ae714276e0d26c41324532193755fb91ecae4.exe

"C:\Users\Admin\AppData\Local\Temp\0ab83d1d58d0322d45d43cbd384ae714276e0d26c41324532193755fb91ecae4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\adwnerli.exe "C:\Users\Admin\AppData\Local\Temp\0ab83d1d58d0322d45d43cbd384ae714276e0d26c41324532193755fb91ecae4.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\adwnerli.exe

c:\adwnerli.exe "C:\Users\Admin\AppData\Local\Temp\0ab83d1d58d0322d45d43cbd384ae714276e0d26c41324532193755fb91ecae4.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\raksf\hkqcv.dll",GetWindowClass c:\adwnerli.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\SysWOW64\rundll32.exe "c:\raksf\hkqcv.dll",GetWindowClass

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\SysWOW64\rundll32.exe "c:\raksf\hkqcv.dll",GetWindowClass

\??\c:\windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "c:\raksf"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 3

Network

Country Destination Domain Proto
US 107.163.241.230:6520 tcp
US 107.163.241.234:12354 tcp
US 107.163.241.234:12354 tcp
US 107.163.241.234:12354 tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp

Files

memory/1860-0-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1860-1-0x0000000000418000-0x0000000000419000-memory.dmp

memory/1860-3-0x0000000000400000-0x000000000041A000-memory.dmp

C:\adwnerli.exe

MD5 1f249d240b18194a61db12169f208e38
SHA1 3930a47a59b824b5d4b521f9df4c1506532fd055
SHA256 cebc3343d395c69212b830060456491a17c852fc83a95fcecbcd40510a7520b3
SHA512 400527aea42095ba663c51a17399ab40daf03ae09d31744a698adbb429509ad1877b04b41f57968ce2ff5c7ada93e17add36ca3592993abac9054a42b6dd2e16

memory/3108-7-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3108-10-0x0000000000400000-0x000000000041A000-memory.dmp

\??\c:\raksf\hkqcv.dll

MD5 a3fd41430ddcaa55fde840788925406a
SHA1 dbdd87f5c1bbf6a6f44c2e2c4744675d5e4e75c2
SHA256 f57f9e54f4774c2b944fb070ae0c2a02cbb4b7686ab3207544c3ccaff0ff3dd9
SHA512 23109572cfc9a282ea3ec84d93bfe02303d27f365ad2d9f47f6234f91da14c64f80133cc5e49746dfcb65d2454b7e7c13eff59ba4bbc18e09d2fb1c630ba59c9

memory/4796-13-0x0000000010000000-0x000000001002E000-memory.dmp

memory/1260-15-0x0000000010000000-0x000000001002E000-memory.dmp

memory/4796-16-0x0000000010000000-0x000000001002E000-memory.dmp