Analysis
- max time kernel: 36s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 11-10-2022 22:30
Static task
- static1
Behavioral task
- behavioral1
  Sample: d23d19798b1868435fd6dfa7feda07637c844f4f4789b0ded9671c196cbfdd25.exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: d23d19798b1868435fd6dfa7feda07637c844f4f4789b0ded9671c196cbfdd25.exe
  Resource: win10v2004-20220901-en
General
- Target: d23d19798b1868435fd6dfa7feda07637c844f4f4789b0ded9671c196cbfdd25.exe
- Size: 176KB
- MD5: 6817c82b02ff1a2e19d80bcd0e3e927c
- SHA1: 07f4ac6b268ddd6972e95b18ed4a4fcccf17ae26
- SHA256: d23d19798b1868435fd6dfa7feda07637c844f4f4789b0ded9671c196cbfdd25
- SHA512: c6579e30e37472a400d727f88bdfd6867276ffbe89e08202235c45dd8741d19ba2ebd83b1cfebde74e68d990ff35312f1f5be638da9951cc0e4b599cc777b7f9
- SSDEEP: 3072:7xbUV/7421tvlPytmjw8YdNuuIN+ZL5mEvnESuifG+3vw+XOSYtVZoAN:8D4EtvlPytm05dPfnBuH+3o+9
Malware Config
Signatures
- YARA rule aspack_v212_v242 (5 hits)
  resource: behavioral1/files/0x0007000000005c50-57.dat
  resource: behavioral1/files/0x0007000000005c50-61.dat
  resource: behavioral1/files/0x00080000000139e4-62.dat
  resource: behavioral1/files/0x00090000000135a6-68.dat
  resource: behavioral1/files/0x00090000000135a6-69.dat
- Executes dropped EXE (1 IoC)
  pid 672, process 762e2b52.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"
  process: 762e2b52.exe
- YARA rule upx (11 hits)
  resource: behavioral1/files/0x0007000000005c50-57.dat
  resource: behavioral1/memory/672-59-0x0000000000ED0000-0x0000000000EF6000-memory.dmp
  resource: behavioral1/memory/672-60-0x0000000000ED0000-0x0000000000EF6000-memory.dmp
  resource: behavioral1/files/0x0007000000005c50-61.dat
  resource: behavioral1/files/0x00080000000139e4-62.dat
  resource: behavioral1/memory/672-64-0x0000000000ED0000-0x0000000000EF6000-memory.dmp
  resource: behavioral1/files/0x00090000000135a6-68.dat
  resource: behavioral1/files/0x00090000000135a6-69.dat
  resource: behavioral1/memory/1280-71-0x0000000074810000-0x0000000074836000-memory.dmp
  resource: behavioral1/memory/1280-72-0x0000000074810000-0x0000000074836000-memory.dmp
  resource: behavioral1/memory/1280-74-0x0000000074810000-0x0000000074836000-memory.dmp
- Loads dropped DLL (2 IoCs)
  pid 672, process 762e2b52.exe
  pid 1280, process svchost.exe
- Drops file in System32 directory (2 IoCs)
  File opened for modification C:\Windows\SysWOW64\7CDA04A4.tmp (process: 762e2b52.exe)
  File opened for modification C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll (process: 762e2b52.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 672, process 762e2b52.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1344, process d23d19798b1868435fd6dfa7feda07637c844f4f4789b0ded9671c196cbfdd25.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1344 (d23d19798b1868435fd6dfa7feda07637c844f4f4789b0ded9671c196cbfdd25.exe) wrote to memory of PID 672, procid_target 26 (recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\d23d19798b1868435fd6dfa7feda07637c844f4f4789b0ded9671c196cbfdd25.exe (PID 1344)
  command line: "C:\Users\Admin\AppData\Local\Temp\d23d19798b1868435fd6dfa7feda07637c844f4f4789b0ded9671c196cbfdd25.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\762e2b52.exe (PID 672, child of 1344)
    command line: C:\762e2b52.exe
    - Executes dropped EXE
    - Sets DLL path for service in the registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\svchost.exe (PID 1280)
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
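Read together, the Signatures and Processes sections describe ServiceDll hijacking for svchost-hosted persistence: the dropped 762e2b52.exe writes FastUserSwitchingCompatibility.dll into the system directory and points the service's ServiceDll value at it, and the SysWOW64 svchost.exe -k netsvcs instance (PID 1280) then loads the dropped DLL. Two details matter when turning this into a detection. First, the registry value names system32 while the file write is recorded in SysWOW64: the dropper is a 32-bit process, so WOW64 file-system redirection maps its system32 writes to SysWOW64, and the 32-bit svchost.exe from SysWOW64 resolves the same path the same way, so the two must be folded together before they can be correlated. Second, FastUserSwitchingCompatibility is the key name of a legacy Windows XP service, which makes the value look plausible at a glance. The script below is an added example, not part of the sandbox report or of the sample: it correlates IoC rows written in the report's own format (the ServiceDll write and the two SysWOW64 file writes are copied from the report; the Schedule/schedsvc.dll row and the msiexec.exe process name are constructed as a benign contrast) and flags any ServiceDll that points at a file some process modified during the run, with higher confidence when the writer is the same process that set the value.

```python
import re

# Constructed sample in the shape of the report's IoC rows. Rows 1-3 are copied
# from the report above; row 4 (Schedule/schedsvc.dll written by msiexec.exe) is
# a constructed benign contrast, not something the report shows.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility'
    r'\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll" 762e2b52.exe',
    r'File opened for modification C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll 762e2b52.exe',
    r'File opened for modification C:\Windows\SysWOW64\7CDA04A4.tmp 762e2b52.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule'
    r'\Parameters\ServiceDll = "%SystemRoot%\\system32\\schedsvc.dll" msiexec.exe',
]

# Registry row: "Set value (str) \REGISTRY\MACHINE\SYSTEM\<cs>\services\<svc>\Parameters\ServiceDll = "<dll>" <proc>"
REG_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SYSTEM\\(?P<cs>[^\\]+)\\services'
    r'\\(?P<svc>[^\\]+)\\Parameters\\ServiceDll = "(?P<dll>[^"]+)" (?P<proc>\S+)$',
    re.IGNORECASE,
)
# File row: "File opened for modification <path> <proc>" (path may contain spaces,
# the process name is the last whitespace-free token)
FILE_RE = re.compile(r'^File opened for modification (?P<path>.+?) (?P<proc>\S+)$')


def normalize_path(path):
    # Canonicalise so a registry string and a file event can be compared:
    #  - collapse the doubled backslashes the report uses inside registry strings
    #  - expand %SystemRoot% (assumed to be C:\Windows, as in the sandbox image)
    #  - fold SysWOW64 into system32: WOW64 redirects a 32-bit process's system32
    #    writes to SysWOW64, and the 32-bit svchost.exe resolves them back the same way
    path = path.replace("\\\\", "\\")
    path = re.sub(r"%systemroot%", r"C:\\Windows", path, flags=re.IGNORECASE)
    path = path.lower()
    return path.replace("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


def find_servicedll_hijacks(events):
    # Return one finding per ServiceDll value that points at a file some process
    # modified during the run. "high" when the writer is also the process that
    # set the value (the pattern in this report), "medium" when another process did.
    writers = {}          # normalised path -> set of process names that modified it
    servicedll_sets = []  # (service name, normalised dll path, process that set it)
    for line in events:
        m = REG_RE.match(line)
        if m:
            servicedll_sets.append((m["svc"], normalize_path(m["dll"]), m["proc"]))
            continue
        m = FILE_RE.match(line)
        if m:
            writers.setdefault(normalize_path(m["path"]), set()).add(m["proc"])

    findings = []
    for svc, dll, proc in servicedll_sets:
        who = writers.get(dll, set())
        if not who:
            continue  # value points at a file nobody touched in this run: not this pattern
        findings.append({
            "service": svc,
            "service_dll": dll,
            "set_by": proc,
            "written_by": sorted(who),
            "confidence": "high" if proc in who else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_servicedll_hijacks(SAMPLE_EVENTS):
        print(finding)
```

On a live host the equivalent check enumerates every ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\*\Parameters, verifies the Authenticode signature of the file it names (resolving it from both system32 and SysWOW64), and compares the service name against the netsvcs group list under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. The report above does not show that group list being modified, so whether the sample added the FastUserSwitchingCompatibility name to it or relied on an existing entry is not established by this page.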
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize 90KB (listed twice in the report)
  MD5: 6b222c20acbdc5a0919ced7d62ae127e
  SHA1: e5548137ef1150423b571fa0e7ceeb62c7190f56
  SHA256: 582dd6d194571b1399686acd934336238108d1e18e0756223d318d552539bf5a
  SHA512: 97cb5023f43c91ecc3577f270c54f486fb1246970f019a88eb7e2ee77d94b2e37a85a20b70989aca85ca7c18661346f5499e46d8a069f1ef2ad4b9d0233cb815
- Filesize 720B
  MD5: dc0038bd7f38acd92e883bf6030bc460
  SHA1: cf25b6be5b9c7f71f6d2166b5c5f6db1ea46a60d
  SHA256: 7972afef839599f7a18e7f4fb930bacf13d2f9e0dcc974bce61f844c61a35e53
  SHA512: 4b5f4b6be483ecc72b87e2b1e8438db250a6f7b6074b7a776adf48cf19aaadeb55831ca25532d26e703244de8bc0602945e1f23fdfc7d23db99bd97db7a6a808
- Filesize 90KB (listed three times in the report)
  MD5: d9c481df51944891331899940034a2fd
  SHA1: 1d86eeec53bc1a4a5e28b69e3faec885dd48fdfa
  SHA256: e5d4623258e0c70c13ecc444f811c587e7b8191aaefef7773095d082be94737f
  SHA512: 3a3673a3e10d3c4aa74eb902ad3eebc9e20df739b6b5b3c58922e37271a5deff92f6a4c4c790e1e0ba2d3db3f2e920a3253fddf33250fede8aa46552ec3b427a