ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530

General

Target

ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe
Size

260KB
MD5

7754d0298a654d770bf3495b02acc540
SHA1

39e8753098fa0e7a69e17369941695032253bb82
SHA256

ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530
SHA512

b6be4fd3e3af371ca170c3d047cf82784fca60610194eb7fe3661986ec4b0d1fd0568cf10dd0d7543e975234c1bde08f7c64e2dd7034b68ce2633b47acbd00dc
SSDEEP

6144:zv0lxQwhXPv8m9pEUFhuoY8laLSWmH60HwYg6YtU:zcHPUChkl/lj6Y

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000022df5-135.dat	aspack_v212_v242
behavioral2/files/0x0009000000022df5-134.dat	aspack_v212_v242
behavioral2/files/0x0009000000022df7-141.dat	aspack_v212_v242
behavioral2/files/0x0009000000022df7-140.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
3900	15256b0b.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	15256b0b.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000022df5-135.dat	upx
behavioral2/files/0x0009000000022df5-134.dat	upx
behavioral2/memory/3900-136-0x0000000000E30000-0x0000000000E78000-memory.dmp	upx
behavioral2/memory/3900-137-0x0000000000E30000-0x0000000000E78000-memory.dmp	upx
behavioral2/memory/3900-138-0x0000000000E30000-0x0000000000E78000-memory.dmp	upx
behavioral2/files/0x0009000000022df7-141.dat	upx
behavioral2/memory/3524-142-0x0000000074E10000-0x0000000074E58000-memory.dmp	upx
behavioral2/memory/3524-143-0x0000000074E10000-0x0000000074E58000-memory.dmp	upx
behavioral2/files/0x0009000000022df7-140.dat	upx
behavioral2/memory/3524-145-0x0000000074E10000-0x0000000074E58000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
3524	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\58B10948.tmp	15256b0b.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	15256b0b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3900	15256b0b.exe
3900	15256b0b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 3900	4292	ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe	78
PID 4292 wrote to memory of 3900	4292	ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe	78
PID 4292 wrote to memory of 3900	4292	ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe	78

C:\Users\Admin\AppData\Local\Temp\ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe
"C:\Users\Admin\AppData\Local\Temp\ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4292
- C:\15256b0b.exe
  C:\15256b0b.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3900

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:3524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\15256b0b.exe

Filesize
223KB

MD5
13b9957d21567562146e0e20387cf309

SHA1
30b1891f3ca0803946f620c90778c14b61b5cb15

SHA256
e44b15602f4814f952b9e3d93806c39ccf3213120ce7c8037798a41a6d0e825b

SHA512
5f1d9278906411350d00b1ce302da41fe17bbed891147422188ffc207cfe93a0dc3b74a6d9eeed3934d85950b60393712bd5d75a08843d01e99ce42f114b1cae

Download Submit
C:\15256b0b.exe

Filesize
223KB

MD5
13b9957d21567562146e0e20387cf309

SHA1
30b1891f3ca0803946f620c90778c14b61b5cb15

SHA256
e44b15602f4814f952b9e3d93806c39ccf3213120ce7c8037798a41a6d0e825b

SHA512
5f1d9278906411350d00b1ce302da41fe17bbed891147422188ffc207cfe93a0dc3b74a6d9eeed3934d85950b60393712bd5d75a08843d01e99ce42f114b1cae

Download Submit
C:\Users\Infotmp.txt

Filesize
724B

MD5
e64ec1c0b0c4b890d0fa572c836fc669

SHA1
6d37689f209e19c15ac7e796a280a455573903bb

SHA256
532f312d157fd765f7f5e8c0f0c2214b8b53cb03c5e91beba24e868193be6706

SHA512
fdc69a22e702472d9573fb527d77572ac0e160645646d41776868caaf13fb10be33bdc5b0c3faee252dabe28448966ec8cca89c57a53ce1336d4c543af026d6a

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
223KB

MD5
191561a679cd0bad0b58845c16c17d62

SHA1
1eb19c5039138e84ece4d093316fcb140b1c4f0f

SHA256
72881a84e247aec3c0b12571a9ee841db81bb0f97791a517e710dcece37a84c6

SHA512
8fb0f50120c9ee7e11c5fd57995bc4e6c55a06255327b001234118c379fcb9e121db6f1e9ea7c0e219b37679eac4cdf041e9cdb0fbf8bd6ddf5e874f41ba61f7

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
223KB

MD5
191561a679cd0bad0b58845c16c17d62

SHA1
1eb19c5039138e84ece4d093316fcb140b1c4f0f

SHA256
72881a84e247aec3c0b12571a9ee841db81bb0f97791a517e710dcece37a84c6

SHA512
8fb0f50120c9ee7e11c5fd57995bc4e6c55a06255327b001234118c379fcb9e121db6f1e9ea7c0e219b37679eac4cdf041e9cdb0fbf8bd6ddf5e874f41ba61f7

Download Submit
memory/3524-142-0x0000000074E10000-0x0000000074E58000-memory.dmp

Filesize
288KB

Download
memory/3524-143-0x0000000074E10000-0x0000000074E58000-memory.dmp

Filesize
288KB

Download
memory/3524-145-0x0000000074E10000-0x0000000074E58000-memory.dmp

Filesize
288KB

Download
memory/3900-138-0x0000000000E30000-0x0000000000E78000-memory.dmp

Filesize
288KB

Download
memory/3900-139-0x0000000003160000-0x0000000007160000-memory.dmp

Filesize
64.0MB

Download
memory/3900-137-0x0000000000E30000-0x0000000000E78000-memory.dmp

Filesize
288KB

Download
memory/3900-136-0x0000000000E30000-0x0000000000E78000-memory.dmp

Filesize
288KB

Download
memory/4292-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing