9ec956c1571dd0d6928d54b4cc230274ae7d1759feba150a7eb8425e55cf336a

Analysis

max time kernel
14s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ec956c1571dd0d6928d54b4cc230274ae7d1759feba150a7eb8425e55cf336a.exe
Size

205KB
MD5

1fcb07efeb20aabe8223e46ebdb48cde
SHA1

f10ed073debd460083174749cac9e64c6b1b5fd9
SHA256

9ec956c1571dd0d6928d54b4cc230274ae7d1759feba150a7eb8425e55cf336a
SHA512

197cb0b9bb8d8a178ae58aa535a2b23dbd9be891ee8c2c96ef6f6fd72affb4117bb501e1f0b68b0157b8968d5c5e0cbc17c421ec28f269a2f83f512620477bf8
SSDEEP

3072:mbMDF8hw0ZbtC2aoaHSKLd1ZWZCZDP+RBqqAXV1o9DhlYJRkgor3rSjGKWGqpqjD:m1hwCbtC2atYZC9aqJhJPor3RLGqpX2

Score

8^/10

aspackv2 persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
aspackv2

Processes:

resource yara_rule

C:\PROGRA~3\Mozilla\iqncgig.exe aspack_v212_v242
Executes dropped EXE 1 IoCs

Processes:

iqncgig.exe

pid process

2952 iqncgig.exe
Drops file in Program Files directory 2 IoCs

Processes:

9ec956c1571dd0d6928d54b4cc230274ae7d1759feba150a7eb8425e55cf336a.exeiqncgig.exe

description ioc process

File created C:\PROGRA~3\Mozilla\iqncgig.exe 9ec956c1571dd0d6928d54b4cc230274ae7d1759feba150a7eb8425e55cf336a.exe
File created C:\PROGRA~3\Mozilla\buwmlrn.dll iqncgig.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

9ec956c1571dd0d6928d54b4cc230274ae7d1759feba150a7eb8425e55cf336a.exeiqncgig.exe

pid process

1512 9ec956c1571dd0d6928d54b4cc230274ae7d1759feba150a7eb8425e55cf336a.exe
2952 iqncgig.exe

resource	yara_rule
C:\PROGRA~3\Mozilla\iqncgig.exe	aspack_v212_v242

pid	process
2952	iqncgig.exe

description	ioc	process
File created	C:\PROGRA~3\Mozilla\iqncgig.exe	9ec956c1571dd0d6928d54b4cc230274ae7d1759feba150a7eb8425e55cf336a.exe
File created	C:\PROGRA~3\Mozilla\buwmlrn.dll	iqncgig.exe

pid	process
1512	9ec956c1571dd0d6928d54b4cc230274ae7d1759feba150a7eb8425e55cf336a.exe
2952	iqncgig.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2412 wrote to memory of 2952	2412	taskeng.exe	iqncgig.exe
PID 2412 wrote to memory of 2952	2412	taskeng.exe	iqncgig.exe
PID 2412 wrote to memory of 2952	2412	taskeng.exe	iqncgig.exe
PID 2412 wrote to memory of 2952	2412	taskeng.exe	iqncgig.exe

C:\Users\Admin\AppData\Local\Temp\9ec956c1571dd0d6928d54b4cc230274ae7d1759feba150a7eb8425e55cf336a.exe
"C:\Users\Admin\AppData\Local\Temp\9ec956c1571dd0d6928d54b4cc230274ae7d1759feba150a7eb8425e55cf336a.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1512

C:\Windows\system32\taskeng.exe
taskeng.exe {A28DA837-E35A-468A-A009-C43117860A9C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2412

C:\PROGRA~3\Mozilla\iqncgig.exe
C:\PROGRA~3\Mozilla\iqncgig.exe -txnfdsi
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2952

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\iqncgig.exe
Filesize
205KB

MD5
2b2357cb882c74039ae4966ffe1dc714

SHA1
788e8d44e8d65981146c30b350ca2f5127b8cf8a

SHA256
d5aa85ccf3eacc6ecaa22e7704029e3657de9f456a698037a92fe34e0d1e9e57

SHA512
33a76da3214985292912c791649245e8294e027f4021ef683b773b1eae10b3205ee56aad850a18b0b15eb1ee03a0d585c516044cf9e807db23e7e158bef99edf

Download Submit
memory/1512-3-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1512-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1512-2-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1512-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1512-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1512-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2952-11-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2952-10-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2952-13-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2952-12-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2952-9-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2952-15-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download