3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9

General

Target

3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe
Size

316KB
MD5

4b1a332f822e5a76560a820f8cc926d0
SHA1

5d9f4d8bb86f89276484057493473969e5a7464a
SHA256

3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9
SHA512

7f99397e47392cbfc4a48dc577fd7ea82d538ea35bfc84b16d6211a94ee83c1c9359ede59a2d03bd061bfc34b94662e8a90d0e570561142e2683cee0994997f5
SSDEEP

6144:dPeyxTwquPwv0OrVXl7HWrE+icB8aa36OCwb7eEk8vEE+MUyA3:dPbZwBPMHXVHGbKaW60b7eX8vEIA3

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0008000000022f67-134.dat	aspack_v212_v242
behavioral2/files/0x0008000000022f67-135.dat	aspack_v212_v242
behavioral2/files/0x0006000000022f6e-140.dat	aspack_v212_v242
behavioral2/files/0x0006000000022f6e-141.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
4948	71c069d7.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	71c069d7.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000022f67-134.dat	upx
behavioral2/files/0x0008000000022f67-135.dat	upx
behavioral2/memory/4948-136-0x0000000000080000-0x00000000000C9000-memory.dmp	upx
behavioral2/memory/4948-137-0x0000000000080000-0x00000000000C9000-memory.dmp	upx
behavioral2/memory/4948-138-0x0000000000080000-0x00000000000C9000-memory.dmp	upx
behavioral2/files/0x0006000000022f6e-140.dat	upx
behavioral2/files/0x0006000000022f6e-141.dat	upx
behavioral2/memory/5024-142-0x0000000075710000-0x0000000075759000-memory.dmp	upx
behavioral2/memory/5024-143-0x0000000075710000-0x0000000075759000-memory.dmp	upx
behavioral2/memory/5024-145-0x0000000075710000-0x0000000075759000-memory.dmp	upx
behavioral2/memory/4948-146-0x0000000000080000-0x00000000000C9000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
5024	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\760E0BE4.tmp	71c069d7.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	71c069d7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4948	71c069d7.exe
4948	71c069d7.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1616	3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1616	3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 4948	1616	3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe	81
PID 1616 wrote to memory of 4948	1616	3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe	81
PID 1616 wrote to memory of 4948	1616	3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe	81

C:\Users\Admin\AppData\Local\Temp\3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe
"C:\Users\Admin\AppData\Local\Temp\3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1616
- C:\71c069d7.exe
  C:\71c069d7.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4948

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:5024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\71c069d7.exe

Filesize
225KB

MD5
10be9a26093a6a446de4fc9b759c410b

SHA1
5a2ad24a3502bc32533f02044fb44f0def15513c

SHA256
ac86fbb6bd701b7767d28a60769786ca6dd413785b2a5d8bed890b4d78b255b0

SHA512
3ffe6b2b2ba943238880a59ba3a3562799568d0636f1b91dd0e934579e7bd66a086b45d8d6ccc8969b85c42fa382bd05fe89d1524d18bdb6cb3e03f7271dd9f2

Download Submit
C:\71c069d7.exe

Filesize
225KB

MD5
10be9a26093a6a446de4fc9b759c410b

SHA1
5a2ad24a3502bc32533f02044fb44f0def15513c

SHA256
ac86fbb6bd701b7767d28a60769786ca6dd413785b2a5d8bed890b4d78b255b0

SHA512
3ffe6b2b2ba943238880a59ba3a3562799568d0636f1b91dd0e934579e7bd66a086b45d8d6ccc8969b85c42fa382bd05fe89d1524d18bdb6cb3e03f7271dd9f2

Download Submit
C:\Users\Infotmp.txt

Filesize
724B

MD5
a1595124b1020ef05fc8fd86558ff5d2

SHA1
1b8d0c0d1aca5fa774ade01531787af663f35b02

SHA256
b540484c652a029f248fd0c648fc5896b688e0af868b2a77b8a56832a9f0d92e

SHA512
62e885eddd89963e81ebf26ea64092572911bc718d27c788a097d93df99fd6333682b2622d1145e4a9adbf5ad590d77537a799f8b457a868d3a69d2428c964a7

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
225KB

MD5
747ecef3bc851ae360714164035f25cf

SHA1
0baee203020f8c2a3f340a61e97b1182420004bb

SHA256
12bed65fcebacae59487515d0d9389b45a77528bf4a9192f4e21647409dbdd25

SHA512
83373165ba0aa27cb35181bec2846fa91145b7910450ad2faa19d7e252205bfd1748e71af8f881bee47a871902653f042b7259343b594279e6b7e2ed63ee6f41

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
225KB

MD5
747ecef3bc851ae360714164035f25cf

SHA1
0baee203020f8c2a3f340a61e97b1182420004bb

SHA256
12bed65fcebacae59487515d0d9389b45a77528bf4a9192f4e21647409dbdd25

SHA512
83373165ba0aa27cb35181bec2846fa91145b7910450ad2faa19d7e252205bfd1748e71af8f881bee47a871902653f042b7259343b594279e6b7e2ed63ee6f41

Download Submit
memory/1616-132-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1616-147-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1616-148-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4948-137-0x0000000000080000-0x00000000000C9000-memory.dmp

Filesize
292KB

Download
memory/4948-138-0x0000000000080000-0x00000000000C9000-memory.dmp

Filesize
292KB

Download
memory/4948-139-0x0000000002A70000-0x0000000006A70000-memory.dmp

Filesize
64.0MB

Download
memory/4948-136-0x0000000000080000-0x00000000000C9000-memory.dmp

Filesize
292KB

Download
memory/4948-146-0x0000000000080000-0x00000000000C9000-memory.dmp

Filesize
292KB

Download
memory/5024-142-0x0000000075710000-0x0000000075759000-memory.dmp

Filesize
292KB

Download
memory/5024-143-0x0000000075710000-0x0000000075759000-memory.dmp

Filesize
292KB

Download
memory/5024-145-0x0000000075710000-0x0000000075759000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing