c882a4d002f95cb12478a6b89128fc401fdb485f9c4276bd8b37d4bd96e76d8d

General

Target

c882a4d002f95cb12478a6b89128fc401fdb485f9c4276bd8b37d4bd96e76d8d.exe
Size

364KB
MD5

6b27932d3b93f0715ce791d39f3da9c0
SHA1

51c0d057b6da8898c68d401c139b2aa1b31d8abb
SHA256

c882a4d002f95cb12478a6b89128fc401fdb485f9c4276bd8b37d4bd96e76d8d
SHA512

db178b57d56a7d92b7bc8ef3312e137c25721a8a016b71e9a129dcd1410eb2f058cf147121dfef3f1f1dbac4ee6f6c953784d80d659ef61939b9284aa06f21d3
SSDEEP

6144:4AnFBvS8s0JIQCCc/qmfRQKa9C643IOH6O25O96j+g0hv/Za3EUzo0naG3UXTvmP:DK8s0oCc9ZQnULI3g9a01/YEUPaGQHgJ

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0002000000022ddb-134.dat	aspack_v212_v242
behavioral2/files/0x0002000000022ddb-135.dat	aspack_v212_v242
behavioral2/files/0x0002000000022de4-138.dat	aspack_v212_v242
behavioral2/files/0x0001000000022dea-141.dat	aspack_v212_v242
behavioral2/files/0x0001000000022dea-142.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
3768	2aa537e6.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	2aa537e6.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000022ddb-134.dat	upx
behavioral2/files/0x0002000000022ddb-135.dat	upx
behavioral2/memory/3768-136-0x0000000000B10000-0x0000000000B34000-memory.dmp	upx
behavioral2/memory/3768-137-0x0000000000B10000-0x0000000000B34000-memory.dmp	upx
behavioral2/files/0x0002000000022de4-138.dat	upx
behavioral2/memory/3768-139-0x0000000000B10000-0x0000000000B34000-memory.dmp	upx
behavioral2/files/0x0001000000022dea-141.dat	upx
behavioral2/files/0x0001000000022dea-142.dat	upx
behavioral2/memory/220-143-0x0000000074D50000-0x0000000074D74000-memory.dmp	upx
behavioral2/memory/220-144-0x0000000074D50000-0x0000000074D74000-memory.dmp	upx
behavioral2/memory/220-146-0x0000000074D50000-0x0000000074D74000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
4836	WerFault.exe
220	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\7B920410.tmp	2aa537e6.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	2aa537e6.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4836	5032	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3768	2aa537e6.exe
3768	2aa537e6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 3768	5032	c882a4d002f95cb12478a6b89128fc401fdb485f9c4276bd8b37d4bd96e76d8d.exe	83
PID 5032 wrote to memory of 3768	5032	c882a4d002f95cb12478a6b89128fc401fdb485f9c4276bd8b37d4bd96e76d8d.exe	83
PID 5032 wrote to memory of 3768	5032	c882a4d002f95cb12478a6b89128fc401fdb485f9c4276bd8b37d4bd96e76d8d.exe	83

C:\Users\Admin\AppData\Local\Temp\c882a4d002f95cb12478a6b89128fc401fdb485f9c4276bd8b37d4bd96e76d8d.exe
"C:\Users\Admin\AppData\Local\Temp\c882a4d002f95cb12478a6b89128fc401fdb485f9c4276bd8b37d4bd96e76d8d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5032
- C:\2aa537e6.exe
  C:\2aa537e6.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 252
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5032 -ip 5032
1⤵
PID:396

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2aa537e6.exe

Filesize
81KB

MD5
5eb387b37e4f4cb31fcf92788921c92a

SHA1
841c47ef1555a2540fda9b0a18cd39d70cf5ed3a

SHA256
85c09565dd848948346defd1279fe8b4a679f9d58c67503c8e32da4f1cd9161d

SHA512
417c8957aac84f314ddf5b9a909de9029c7790ef6f3ee1f6ac377a93d45c830d44ca20492f737cddb988e1136f0a03d3f40abc92bcadcfe979b1dafce5b1d943

Download Submit
C:\2aa537e6.exe

Filesize
81KB

MD5
5eb387b37e4f4cb31fcf92788921c92a

SHA1
841c47ef1555a2540fda9b0a18cd39d70cf5ed3a

SHA256
85c09565dd848948346defd1279fe8b4a679f9d58c67503c8e32da4f1cd9161d

SHA512
417c8957aac84f314ddf5b9a909de9029c7790ef6f3ee1f6ac377a93d45c830d44ca20492f737cddb988e1136f0a03d3f40abc92bcadcfe979b1dafce5b1d943

Download Submit
C:\Users\Infotmp.txt

Filesize
720B

MD5
33e18b0e5d4b5e4ff5459393a17dfe8f

SHA1
6e713b36c4c76ba3f19f7200f83e4e6582376161

SHA256
7c5aac5cf3af716d2d679e7790e60d6b2c367780cfb0d2fef77e4dc2ad5c8c12

SHA512
a4cea30e7cdc0f07695abd1deca17b59966e74d150c683ce190031948743e7e5e9dea21f94be189bba3906388eb72e5e530db77db4ba15a5a00037535e262b6a

Download Submit
C:\Windows\SysWOW64\7B920410.tmp

Filesize
81KB

MD5
2909ad16c19aa2e5854ab9b891d0e5a6

SHA1
2d1c0985f52bf0f1a69abd5bab4ec51f3bb9efd3

SHA256
76c47ba4073c0234c70e846e9203f779211d5ee260b56cb625894a4f0072eec9

SHA512
5828e8e3b615e6f608d110b7b60495f4fc1f33ecc86b4f449af393831d8fc29e5847d6f36214c68c46779fe7e71edf13bf83678da6e186e914f3681e3d01263a

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
81KB

MD5
2909ad16c19aa2e5854ab9b891d0e5a6

SHA1
2d1c0985f52bf0f1a69abd5bab4ec51f3bb9efd3

SHA256
76c47ba4073c0234c70e846e9203f779211d5ee260b56cb625894a4f0072eec9

SHA512
5828e8e3b615e6f608d110b7b60495f4fc1f33ecc86b4f449af393831d8fc29e5847d6f36214c68c46779fe7e71edf13bf83678da6e186e914f3681e3d01263a

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
81KB

MD5
2909ad16c19aa2e5854ab9b891d0e5a6

SHA1
2d1c0985f52bf0f1a69abd5bab4ec51f3bb9efd3

SHA256
76c47ba4073c0234c70e846e9203f779211d5ee260b56cb625894a4f0072eec9

SHA512
5828e8e3b615e6f608d110b7b60495f4fc1f33ecc86b4f449af393831d8fc29e5847d6f36214c68c46779fe7e71edf13bf83678da6e186e914f3681e3d01263a

Download Submit
memory/220-146-0x0000000074D50000-0x0000000074D74000-memory.dmp

Filesize
144KB

Download
memory/220-144-0x0000000074D50000-0x0000000074D74000-memory.dmp

Filesize
144KB

Download
memory/220-143-0x0000000074D50000-0x0000000074D74000-memory.dmp

Filesize
144KB

Download
memory/3768-136-0x0000000000B10000-0x0000000000B34000-memory.dmp

Filesize
144KB

Download
memory/3768-140-0x0000000002900000-0x0000000006900000-memory.dmp

Filesize
64.0MB

Download
memory/3768-139-0x0000000000B10000-0x0000000000B34000-memory.dmp

Filesize
144KB

Download
memory/3768-137-0x0000000000B10000-0x0000000000B34000-memory.dmp

Filesize
144KB

Download
memory/5032-132-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5032-147-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing