01f2a8eb3c200b222db79b94bbb2832f0ba7d4a32b444879f890488752a7662c

General

Target

01f2a8eb3c200b222db79b94bbb2832f0ba7d4a32b444879f890488752a7662c.exe
Size

172KB
MD5

49207d20d1dc9dc6c9bb2f04cc82b170
SHA1

a43a619031d3b24f6e02d628ce1952d361cb0209
SHA256

01f2a8eb3c200b222db79b94bbb2832f0ba7d4a32b444879f890488752a7662c
SHA512

494fbe9a555b67aad2f44116e311e7c1e77f6374052a7429c7718b10200d326a7f1b7a558df847f582efc9d2c330cd945f86adb0690d507b7de68a6bdebef064
SSDEEP

3072:sNf3wRqQxKvxnsRcaCncxLqMoxOOnw7SJiu3:8PeyxTneuCCjJH

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	aspack_v212_v242
behavioral1/files/0x000c0000000054a8-62.dat	aspack_v212_v242
behavioral1/files/0x0008000000013473-63.dat	aspack_v212_v242
behavioral1/files/0x000900000001339d-67.dat	aspack_v212_v242
behavioral1/files/0x000900000001339d-66.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1044	64f34b0f.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	64f34b0f.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	upx
behavioral1/memory/1044-59-0x00000000008E0000-0x0000000000904000-memory.dmp	upx
behavioral1/memory/1044-60-0x00000000008E0000-0x0000000000904000-memory.dmp	upx
behavioral1/memory/1044-61-0x00000000008E0000-0x0000000000904000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-62.dat	upx
behavioral1/files/0x0008000000013473-63.dat	upx
behavioral1/files/0x000900000001339d-67.dat	upx
behavioral1/files/0x000900000001339d-66.dat	upx
behavioral1/memory/1044-73-0x00000000008E0000-0x0000000000904000-memory.dmp	upx
behavioral1/memory/1996-72-0x00000000745B0000-0x00000000745D4000-memory.dmp	upx
behavioral1/memory/1996-69-0x00000000745B0000-0x00000000745D4000-memory.dmp	upx
behavioral1/memory/1996-70-0x00000000745B0000-0x00000000745D4000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1044	64f34b0f.exe
1996	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	64f34b0f.exe
File opened for modification	C:\Windows\SysWOW64\0B2C04BC.tmp	64f34b0f.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1044	64f34b0f.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1688	01f2a8eb3c200b222db79b94bbb2832f0ba7d4a32b444879f890488752a7662c.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1688	01f2a8eb3c200b222db79b94bbb2832f0ba7d4a32b444879f890488752a7662c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1044	1688	01f2a8eb3c200b222db79b94bbb2832f0ba7d4a32b444879f890488752a7662c.exe	27
PID 1688 wrote to memory of 1044	1688	01f2a8eb3c200b222db79b94bbb2832f0ba7d4a32b444879f890488752a7662c.exe	27
PID 1688 wrote to memory of 1044	1688	01f2a8eb3c200b222db79b94bbb2832f0ba7d4a32b444879f890488752a7662c.exe	27
PID 1688 wrote to memory of 1044	1688	01f2a8eb3c200b222db79b94bbb2832f0ba7d4a32b444879f890488752a7662c.exe	27

C:\Users\Admin\AppData\Local\Temp\01f2a8eb3c200b222db79b94bbb2832f0ba7d4a32b444879f890488752a7662c.exe
"C:\Users\Admin\AppData\Local\Temp\01f2a8eb3c200b222db79b94bbb2832f0ba7d4a32b444879f890488752a7662c.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1688
- C:\64f34b0f.exe
  C:\64f34b0f.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1044

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\64f34b0f.exe

Filesize
83KB

MD5
9cabe44b5e98c63f8bb3ff4d8d9817e2

SHA1
755a0133e241f8f5bcde22eadad4ef5e28ed34b3

SHA256
5c35db27e9ca73b498a9dfaf420e41181afc3fc808403619d840f3cd96faa11d

SHA512
21fd9c19a5e464b8d62a9274af72e4a5210e37cfda79863b76d21f74ba61dd6b89c7762933b702733e4fd0c985c49a0d5590468eaa3a220edf44f3be65e18e69

Download Submit
C:\64f34b0f.exe

Filesize
83KB

MD5
9cabe44b5e98c63f8bb3ff4d8d9817e2

SHA1
755a0133e241f8f5bcde22eadad4ef5e28ed34b3

SHA256
5c35db27e9ca73b498a9dfaf420e41181afc3fc808403619d840f3cd96faa11d

SHA512
21fd9c19a5e464b8d62a9274af72e4a5210e37cfda79863b76d21f74ba61dd6b89c7762933b702733e4fd0c985c49a0d5590468eaa3a220edf44f3be65e18e69

Download Submit
C:\Users\Infotmp.txt

Filesize
720B

MD5
f9c1d91e89bdb4f403c263e72c2819bf

SHA1
421a94072a7ac2260c30d2ec8ab5f074fa55196d

SHA256
b5f6be20b38b1d2f088d1b84bc659b57db8791d6140b4e87e07a06f40b8913fa

SHA512
c005597da33641d9b4bbe96366ab8117607775b181fe5339685cd34765f325b8baa56954c5005b23039a40beb8eaf168da831391816a3b6aaf616529ef5c506e

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
83KB

MD5
4bc05b71b4eeb891c11682cd1a620f85

SHA1
41de966411f3fb76f0fb56e9892087c31a9639bd

SHA256
05b6b201708b9ee65918deb0fc98c9cab898fecdfccccac06742dd507a6a3a65

SHA512
ea50d434c795cb42c131e6e7b5011c34baac2ca73cf59cd5d77dcb17581ec38b2d451b65039ec1bd9036d030ad63105075a85cdaa7cce39065b601b88068e7d3

Download Submit
\Windows\SysWOW64\0B2C04BC.tmp

Filesize
83KB

MD5
4bc05b71b4eeb891c11682cd1a620f85

SHA1
41de966411f3fb76f0fb56e9892087c31a9639bd

SHA256
05b6b201708b9ee65918deb0fc98c9cab898fecdfccccac06742dd507a6a3a65

SHA512
ea50d434c795cb42c131e6e7b5011c34baac2ca73cf59cd5d77dcb17581ec38b2d451b65039ec1bd9036d030ad63105075a85cdaa7cce39065b601b88068e7d3

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
83KB

MD5
4bc05b71b4eeb891c11682cd1a620f85

SHA1
41de966411f3fb76f0fb56e9892087c31a9639bd

SHA256
05b6b201708b9ee65918deb0fc98c9cab898fecdfccccac06742dd507a6a3a65

SHA512
ea50d434c795cb42c131e6e7b5011c34baac2ca73cf59cd5d77dcb17581ec38b2d451b65039ec1bd9036d030ad63105075a85cdaa7cce39065b601b88068e7d3

Download Submit
memory/1044-64-0x00000000020C0000-0x00000000060C0000-memory.dmp

Filesize
64.0MB

Download
memory/1044-75-0x0000000076550000-0x00000000765B0000-memory.dmp

Filesize
384KB

Download
memory/1044-60-0x00000000008E0000-0x0000000000904000-memory.dmp

Filesize
144KB

Download
memory/1044-59-0x00000000008E0000-0x0000000000904000-memory.dmp

Filesize
144KB

Download
memory/1044-65-0x0000000076550000-0x00000000765B0000-memory.dmp

Filesize
384KB

Download
memory/1044-56-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1044-61-0x00000000008E0000-0x0000000000904000-memory.dmp

Filesize
144KB

Download
memory/1044-73-0x00000000008E0000-0x0000000000904000-memory.dmp

Filesize
144KB

Download
memory/1688-57-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1688-58-0x00000000000F0000-0x0000000000114000-memory.dmp

Filesize
144KB

Download
memory/1688-77-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1996-72-0x00000000745B0000-0x00000000745D4000-memory.dmp

Filesize
144KB

Download
memory/1996-69-0x00000000745B0000-0x00000000745D4000-memory.dmp

Filesize
144KB

Download
memory/1996-70-0x00000000745B0000-0x00000000745D4000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing