3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9

General

Target

3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe
Size

316KB
MD5

4b1a332f822e5a76560a820f8cc926d0
SHA1

5d9f4d8bb86f89276484057493473969e5a7464a
SHA256

3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9
SHA512

7f99397e47392cbfc4a48dc577fd7ea82d538ea35bfc84b16d6211a94ee83c1c9359ede59a2d03bd061bfc34b94662e8a90d0e570561142e2683cee0994997f5
SSDEEP

6144:dPeyxTwquPwv0OrVXl7HWrE+icB8aa36OCwb7eEk8vEE+MUyA3:dPbZwBPMHXVHGbKaW60b7eX8vEIA3

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b0000000122d2-55.dat	aspack_v212_v242
behavioral1/files/0x000b0000000122d2-62.dat	aspack_v212_v242
behavioral1/files/0x00090000000122e8-63.dat	aspack_v212_v242
behavioral1/files/0x000a0000000122d6-66.dat	aspack_v212_v242
behavioral1/files/0x000a0000000122d6-67.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1384	71c069d7.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	71c069d7.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000122d2-55.dat	upx
behavioral1/memory/1384-58-0x0000000000920000-0x0000000000969000-memory.dmp	upx
behavioral1/memory/1384-61-0x0000000000920000-0x0000000000969000-memory.dmp	upx
behavioral1/memory/1384-60-0x0000000000920000-0x0000000000969000-memory.dmp	upx
behavioral1/files/0x000b0000000122d2-62.dat	upx
behavioral1/files/0x00090000000122e8-63.dat	upx
behavioral1/memory/1384-65-0x0000000075270000-0x00000000752D0000-memory.dmp	upx
behavioral1/files/0x000a0000000122d6-66.dat	upx
behavioral1/files/0x000a0000000122d6-67.dat	upx
behavioral1/memory/908-69-0x0000000074BC0000-0x0000000074C09000-memory.dmp	upx
behavioral1/memory/908-70-0x0000000074BC0000-0x0000000074C09000-memory.dmp	upx
behavioral1/memory/1384-73-0x0000000000920000-0x0000000000969000-memory.dmp	upx
behavioral1/memory/908-72-0x0000000074BC0000-0x0000000074C09000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1384	71c069d7.exe
908	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1A2705A4.tmp	71c069d7.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	71c069d7.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1384	71c069d7.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1112	3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1112	3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1384	1112	3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe	26
PID 1112 wrote to memory of 1384	1112	3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe	26
PID 1112 wrote to memory of 1384	1112	3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe	26
PID 1112 wrote to memory of 1384	1112	3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe	26

C:\Users\Admin\AppData\Local\Temp\3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe
"C:\Users\Admin\AppData\Local\Temp\3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1112
- C:\71c069d7.exe
  C:\71c069d7.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1384

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\71c069d7.exe

Filesize
225KB

MD5
10be9a26093a6a446de4fc9b759c410b

SHA1
5a2ad24a3502bc32533f02044fb44f0def15513c

SHA256
ac86fbb6bd701b7767d28a60769786ca6dd413785b2a5d8bed890b4d78b255b0

SHA512
3ffe6b2b2ba943238880a59ba3a3562799568d0636f1b91dd0e934579e7bd66a086b45d8d6ccc8969b85c42fa382bd05fe89d1524d18bdb6cb3e03f7271dd9f2

Download Submit
C:\71c069d7.exe

Filesize
225KB

MD5
10be9a26093a6a446de4fc9b759c410b

SHA1
5a2ad24a3502bc32533f02044fb44f0def15513c

SHA256
ac86fbb6bd701b7767d28a60769786ca6dd413785b2a5d8bed890b4d78b255b0

SHA512
3ffe6b2b2ba943238880a59ba3a3562799568d0636f1b91dd0e934579e7bd66a086b45d8d6ccc8969b85c42fa382bd05fe89d1524d18bdb6cb3e03f7271dd9f2

Download Submit
C:\Users\Infotmp.txt

Filesize
724B

MD5
7521707e1fa1dd6d38f99ecc009546b0

SHA1
888d97f03cdbcf3a8dcd90a4b51a0ff2afc8c852

SHA256
832a2d3575ee021a805edbdb8be768ccc5812e6f2b9e8f8609585f72fe02ae9f

SHA512
6cb3fee8ddba1d1b2a558058f27f8184279f3d7c3559575b8535e1d402b40cffdaf2098ccccde237f90354ccb00fe02036d369fd8da8e176da529bc0a7ce9c3d

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
225KB

MD5
747ecef3bc851ae360714164035f25cf

SHA1
0baee203020f8c2a3f340a61e97b1182420004bb

SHA256
12bed65fcebacae59487515d0d9389b45a77528bf4a9192f4e21647409dbdd25

SHA512
83373165ba0aa27cb35181bec2846fa91145b7910450ad2faa19d7e252205bfd1748e71af8f881bee47a871902653f042b7259343b594279e6b7e2ed63ee6f41

Download Submit
\Windows\SysWOW64\1A2705A4.tmp

Filesize
225KB

MD5
747ecef3bc851ae360714164035f25cf

SHA1
0baee203020f8c2a3f340a61e97b1182420004bb

SHA256
12bed65fcebacae59487515d0d9389b45a77528bf4a9192f4e21647409dbdd25

SHA512
83373165ba0aa27cb35181bec2846fa91145b7910450ad2faa19d7e252205bfd1748e71af8f881bee47a871902653f042b7259343b594279e6b7e2ed63ee6f41

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
225KB

MD5
747ecef3bc851ae360714164035f25cf

SHA1
0baee203020f8c2a3f340a61e97b1182420004bb

SHA256
12bed65fcebacae59487515d0d9389b45a77528bf4a9192f4e21647409dbdd25

SHA512
83373165ba0aa27cb35181bec2846fa91145b7910450ad2faa19d7e252205bfd1748e71af8f881bee47a871902653f042b7259343b594279e6b7e2ed63ee6f41

Download Submit
memory/908-72-0x0000000074BC0000-0x0000000074C09000-memory.dmp

Filesize
292KB

Download
memory/908-70-0x0000000074BC0000-0x0000000074C09000-memory.dmp

Filesize
292KB

Download
memory/908-69-0x0000000074BC0000-0x0000000074C09000-memory.dmp

Filesize
292KB

Download
memory/1112-56-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1112-57-0x00000000002E0000-0x0000000000329000-memory.dmp

Filesize
292KB

Download
memory/1112-77-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1384-59-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1384-65-0x0000000075270000-0x00000000752D0000-memory.dmp

Filesize
384KB

Download
memory/1384-64-0x0000000001F00000-0x0000000005F00000-memory.dmp

Filesize
64.0MB

Download
memory/1384-60-0x0000000000920000-0x0000000000969000-memory.dmp

Filesize
292KB

Download
memory/1384-61-0x0000000000920000-0x0000000000969000-memory.dmp

Filesize
292KB

Download
memory/1384-73-0x0000000000920000-0x0000000000969000-memory.dmp

Filesize
292KB

Download
memory/1384-75-0x0000000075270000-0x00000000752D0000-memory.dmp

Filesize
384KB

Download
memory/1384-58-0x0000000000920000-0x0000000000969000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing