ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530

General

Target

ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe
Size

260KB
MD5

7754d0298a654d770bf3495b02acc540
SHA1

39e8753098fa0e7a69e17369941695032253bb82
SHA256

ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530
SHA512

b6be4fd3e3af371ca170c3d047cf82784fca60610194eb7fe3661986ec4b0d1fd0568cf10dd0d7543e975234c1bde08f7c64e2dd7034b68ce2633b47acbd00dc
SSDEEP

6144:zv0lxQwhXPv8m9pEUFhuoY8laLSWmH60HwYg6YtU:zcHPUChkl/lj6Y

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00140000000054ab-56.dat	aspack_v212_v242
behavioral1/files/0x00140000000054ab-58.dat	aspack_v212_v242
behavioral1/files/0x0006000000014142-61.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-68.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a13-69.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1776	15256b0b.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	15256b0b.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-56.dat	upx
behavioral1/files/0x00140000000054ab-58.dat	upx
behavioral1/memory/1776-60-0x0000000000CA0000-0x0000000000CE8000-memory.dmp	upx
behavioral1/memory/1776-59-0x0000000000CA0000-0x0000000000CE8000-memory.dmp	upx
behavioral1/files/0x0006000000014142-61.dat	upx
behavioral1/memory/1776-65-0x0000000000CA0000-0x0000000000CE8000-memory.dmp	upx
behavioral1/files/0x0008000000013a13-68.dat	upx
behavioral1/files/0x0008000000013a13-69.dat	upx
behavioral1/memory/1644-72-0x0000000074D60000-0x0000000074DA8000-memory.dmp	upx
behavioral1/memory/1644-71-0x0000000074D60000-0x0000000074DA8000-memory.dmp	upx
behavioral1/memory/1644-75-0x0000000074D60000-0x0000000074DA8000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1776	15256b0b.exe
1644	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\3F2F0504.tmp	15256b0b.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	15256b0b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1776	15256b0b.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1776	880	ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe	28
PID 880 wrote to memory of 1776	880	ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe	28
PID 880 wrote to memory of 1776	880	ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe	28
PID 880 wrote to memory of 1776	880	ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe	28
PID 880 wrote to memory of 1776	880	ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe	28
PID 880 wrote to memory of 1776	880	ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe	28
PID 880 wrote to memory of 1776	880	ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe	28

C:\Users\Admin\AppData\Local\Temp\ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe
"C:\Users\Admin\AppData\Local\Temp\ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:880
- C:\15256b0b.exe
  C:\15256b0b.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1776

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\15256b0b.exe

Filesize
223KB

MD5
13b9957d21567562146e0e20387cf309

SHA1
30b1891f3ca0803946f620c90778c14b61b5cb15

SHA256
e44b15602f4814f952b9e3d93806c39ccf3213120ce7c8037798a41a6d0e825b

SHA512
5f1d9278906411350d00b1ce302da41fe17bbed891147422188ffc207cfe93a0dc3b74a6d9eeed3934d85950b60393712bd5d75a08843d01e99ce42f114b1cae

Download Submit
C:\15256b0b.exe

Filesize
223KB

MD5
13b9957d21567562146e0e20387cf309

SHA1
30b1891f3ca0803946f620c90778c14b61b5cb15

SHA256
e44b15602f4814f952b9e3d93806c39ccf3213120ce7c8037798a41a6d0e825b

SHA512
5f1d9278906411350d00b1ce302da41fe17bbed891147422188ffc207cfe93a0dc3b74a6d9eeed3934d85950b60393712bd5d75a08843d01e99ce42f114b1cae

Download Submit
C:\Users\Infotmp.txt

Filesize
724B

MD5
ff335631794b110772763b193f7849ee

SHA1
d20bb65cd358ef13cb51bb1d5642ab5ff0f0db7d

SHA256
bcfb29ea92894cf57ba4ae16fa9f91b36a077b1731fdc89a89c9bd154d2c9f3a

SHA512
af2d6031f2d2e60b759829b61be081c7de3ffd736be84ae1c48cf3b04c7a252e1ae3bf22f5a3b5379867f1c4f6e180cd5acea297cfe3634773d09b51a5a4734b

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
223KB

MD5
191561a679cd0bad0b58845c16c17d62

SHA1
1eb19c5039138e84ece4d093316fcb140b1c4f0f

SHA256
72881a84e247aec3c0b12571a9ee841db81bb0f97791a517e710dcece37a84c6

SHA512
8fb0f50120c9ee7e11c5fd57995bc4e6c55a06255327b001234118c379fcb9e121db6f1e9ea7c0e219b37679eac4cdf041e9cdb0fbf8bd6ddf5e874f41ba61f7

Download Submit
\Windows\SysWOW64\3F2F0504.tmp

Filesize
223KB

MD5
191561a679cd0bad0b58845c16c17d62

SHA1
1eb19c5039138e84ece4d093316fcb140b1c4f0f

SHA256
72881a84e247aec3c0b12571a9ee841db81bb0f97791a517e710dcece37a84c6

SHA512
8fb0f50120c9ee7e11c5fd57995bc4e6c55a06255327b001234118c379fcb9e121db6f1e9ea7c0e219b37679eac4cdf041e9cdb0fbf8bd6ddf5e874f41ba61f7

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
223KB

MD5
191561a679cd0bad0b58845c16c17d62

SHA1
1eb19c5039138e84ece4d093316fcb140b1c4f0f

SHA256
72881a84e247aec3c0b12571a9ee841db81bb0f97791a517e710dcece37a84c6

SHA512
8fb0f50120c9ee7e11c5fd57995bc4e6c55a06255327b001234118c379fcb9e121db6f1e9ea7c0e219b37679eac4cdf041e9cdb0fbf8bd6ddf5e874f41ba61f7

Download Submit
memory/880-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/880-62-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/880-63-0x0000000000100000-0x0000000000141000-memory.dmp

Filesize
260KB

Download
memory/880-64-0x0000000000110000-0x0000000000158000-memory.dmp

Filesize
288KB

Download
memory/1644-75-0x0000000074D60000-0x0000000074DA8000-memory.dmp

Filesize
288KB

Download
memory/1644-71-0x0000000074D60000-0x0000000074DA8000-memory.dmp

Filesize
288KB

Download
memory/1644-72-0x0000000074D60000-0x0000000074DA8000-memory.dmp

Filesize
288KB

Download
memory/1776-59-0x0000000000CA0000-0x0000000000CE8000-memory.dmp

Filesize
288KB

Download
memory/1776-67-0x0000000077080000-0x00000000770E0000-memory.dmp

Filesize
384KB

Download
memory/1776-66-0x00000000020F0000-0x00000000060F0000-memory.dmp

Filesize
64.0MB

Download
memory/1776-65-0x0000000000CA0000-0x0000000000CE8000-memory.dmp

Filesize
288KB

Download
memory/1776-60-0x0000000000CA0000-0x0000000000CE8000-memory.dmp

Filesize
288KB

Download
memory/1776-74-0x0000000000130000-0x000000000013D000-memory.dmp

Filesize
52KB

Download
memory/1776-55-0x0000000000000000-mapping.dmp

Download
memory/1776-76-0x0000000077080000-0x00000000770E0000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing