87179eddf35f43b2f6f7c7e1411e8afba758160da9ed340838100f2b442558ff

General

Target

87179eddf35f43b2f6f7c7e1411e8afba758160da9ed340838100f2b442558ff.exe
Size

256KB
MD5

7c35351f4c0d9a015e72fc237f672570
SHA1

df7333669001df6d4aa9a1da275f4e5c0f499532
SHA256

87179eddf35f43b2f6f7c7e1411e8afba758160da9ed340838100f2b442558ff
SHA512

218e2a495223802267b7273f53ea21f0d12cbf769e773f2f8826cd099ec00421f8e36d1df918482c7f62fb8edc936c13b147184d7099c1a3e2505c8021d4547a
SSDEEP

6144:LjheaN1bO8m9pEUFhuoY8laLSWmH60HwYg6XDNx:VfChkl/lj6Bx

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000c000000022f3f-134.dat	aspack_v212_v242
behavioral2/files/0x000c000000022f3f-135.dat	aspack_v212_v242
behavioral2/files/0x0006000000022f49-141.dat	aspack_v212_v242
behavioral2/files/0x0006000000022f49-140.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
5008	207411a8.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	207411a8.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000022f3f-134.dat	upx
behavioral2/files/0x000c000000022f3f-135.dat	upx
behavioral2/memory/5008-136-0x0000000000D30000-0x0000000000D78000-memory.dmp	upx
behavioral2/memory/5008-137-0x0000000000D30000-0x0000000000D78000-memory.dmp	upx
behavioral2/memory/5008-138-0x0000000000D30000-0x0000000000D78000-memory.dmp	upx
behavioral2/files/0x0006000000022f49-141.dat	upx
behavioral2/files/0x0006000000022f49-140.dat	upx
behavioral2/memory/4960-142-0x0000000074FD0000-0x0000000075018000-memory.dmp	upx
behavioral2/memory/4960-143-0x0000000074FD0000-0x0000000075018000-memory.dmp	upx
behavioral2/memory/5008-145-0x0000000000D30000-0x0000000000D78000-memory.dmp	upx
behavioral2/memory/4960-146-0x0000000074FD0000-0x0000000075018000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
4960	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	207411a8.exe
File opened for modification	C:\Windows\SysWOW64\58970BCC.tmp	207411a8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5008	207411a8.exe
5008	207411a8.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4724	87179eddf35f43b2f6f7c7e1411e8afba758160da9ed340838100f2b442558ff.exe
4724	87179eddf35f43b2f6f7c7e1411e8afba758160da9ed340838100f2b442558ff.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 5008	4724	87179eddf35f43b2f6f7c7e1411e8afba758160da9ed340838100f2b442558ff.exe	82
PID 4724 wrote to memory of 5008	4724	87179eddf35f43b2f6f7c7e1411e8afba758160da9ed340838100f2b442558ff.exe	82
PID 4724 wrote to memory of 5008	4724	87179eddf35f43b2f6f7c7e1411e8afba758160da9ed340838100f2b442558ff.exe	82

C:\Users\Admin\AppData\Local\Temp\87179eddf35f43b2f6f7c7e1411e8afba758160da9ed340838100f2b442558ff.exe
"C:\Users\Admin\AppData\Local\Temp\87179eddf35f43b2f6f7c7e1411e8afba758160da9ed340838100f2b442558ff.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4724
- C:\207411a8.exe
  C:\207411a8.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5008

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:4960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\207411a8.exe

Filesize
226KB

MD5
cf1466e3a3ebfaabd919fe01f4be17db

SHA1
90d57e3e173222394914189d24ad9408744d6dc7

SHA256
cb8cfeb89ff3870cc2b3599f1697999b7c005a3b17fd117b4de3aa86569fb222

SHA512
0b1e9ed13a8bc78fad400f5edf25c9b622c1841ffc4307dc38950acb9812f2eedd08b5ec61be1aa44a8ef7f8656671443411e44cf270e078bb3de0c249da4432

Download Submit
C:\207411a8.exe

Filesize
226KB

MD5
cf1466e3a3ebfaabd919fe01f4be17db

SHA1
90d57e3e173222394914189d24ad9408744d6dc7

SHA256
cb8cfeb89ff3870cc2b3599f1697999b7c005a3b17fd117b4de3aa86569fb222

SHA512
0b1e9ed13a8bc78fad400f5edf25c9b622c1841ffc4307dc38950acb9812f2eedd08b5ec61be1aa44a8ef7f8656671443411e44cf270e078bb3de0c249da4432

Download Submit
C:\Users\Infotmp.txt

Filesize
724B

MD5
636c3fee174310b58ea5f73a771904d8

SHA1
12f3d096081494adafe5092032c2fd6ef599810e

SHA256
6f497ee321673c14ee2335345c968a51279841a5fbe1701bf51715f5e178fb17

SHA512
53eb58a9102aaaabca4fec5fe0c3bb08ec702c1b57e8fb3b4d97e693089c07a7f11ede2293d03293ee13329216470dfb57b9b7b791e36aded338c8410e9201d2

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
226KB

MD5
749f0a7119505ff40d98aef078d44d7f

SHA1
a56ed810a73ff7a0f4004224cc3fb7ca534cf20f

SHA256
fa51619f5efe4ddd281451a9ec27b4abb52aef70d1f8f65d169f0eba98c8c768

SHA512
48dfb6057f4235ec5a750065b779e6396f8cca19f3927c8ec7866951ba080b6b2aa688acb3bfa62cd721ab27e801f2c97488e9881557f59db4e94be3db424be4

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
226KB

MD5
749f0a7119505ff40d98aef078d44d7f

SHA1
a56ed810a73ff7a0f4004224cc3fb7ca534cf20f

SHA256
fa51619f5efe4ddd281451a9ec27b4abb52aef70d1f8f65d169f0eba98c8c768

SHA512
48dfb6057f4235ec5a750065b779e6396f8cca19f3927c8ec7866951ba080b6b2aa688acb3bfa62cd721ab27e801f2c97488e9881557f59db4e94be3db424be4

Download Submit
memory/4724-132-0x0000000000400000-0x000000000043FEA8-memory.dmp

Filesize
255KB

Download
memory/4724-147-0x0000000000400000-0x000000000043FEA8-memory.dmp

Filesize
255KB

Download
memory/4960-142-0x0000000074FD0000-0x0000000075018000-memory.dmp

Filesize
288KB

Download
memory/4960-143-0x0000000074FD0000-0x0000000075018000-memory.dmp

Filesize
288KB

Download
memory/4960-146-0x0000000074FD0000-0x0000000075018000-memory.dmp

Filesize
288KB

Download
memory/5008-136-0x0000000000D30000-0x0000000000D78000-memory.dmp

Filesize
288KB

Download
memory/5008-137-0x0000000000D30000-0x0000000000D78000-memory.dmp

Filesize
288KB

Download
memory/5008-138-0x0000000000D30000-0x0000000000D78000-memory.dmp

Filesize
288KB

Download
memory/5008-139-0x0000000002B70000-0x0000000006B70000-memory.dmp

Filesize
64.0MB

Download
memory/5008-145-0x0000000000D30000-0x0000000000D78000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing