90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0

General

Target

90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe
Size

316KB
MD5

4adb9dd246d5349b80bfeee99c8c6360
SHA1

996ed961402317d67608ff9b63451fe32321ac5f
SHA256

90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0
SHA512

7d82a57a3cce198bd7902d26cd90a58e8e2ecb2454953520c691c58a75477abd5e3845dae3d92cd80d4673a61694c56aa26f26fb13534d93bd8f352958b7a9e4
SSDEEP

6144:FPeyxTYb+6PZOFyzSOEt5zpaiRhcuGE07v6n7AV:FPbZYbp8FkwNxRhTKj6ng

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	aspack_v212_v242
behavioral1/files/0x000c0000000054a8-59.dat	aspack_v212_v242
behavioral1/files/0x0008000000012721-60.dat	aspack_v212_v242
behavioral1/files/0x00080000000126c7-69.dat	aspack_v212_v242
behavioral1/files/0x00080000000126c7-70.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1824	7a5d18bd.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	7a5d18bd.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	upx
behavioral1/memory/1824-57-0x0000000001020000-0x0000000001068000-memory.dmp	upx
behavioral1/memory/1824-58-0x0000000001020000-0x0000000001068000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-59.dat	upx
behavioral1/files/0x0008000000012721-60.dat	upx
behavioral1/memory/1824-63-0x0000000001020000-0x0000000001068000-memory.dmp	upx
behavioral1/memory/1824-65-0x0000000076430000-0x0000000076490000-memory.dmp	upx
behavioral1/files/0x00080000000126c7-69.dat	upx
behavioral1/memory/1656-75-0x0000000074640000-0x0000000074688000-memory.dmp	upx
behavioral1/memory/1656-73-0x0000000074640000-0x0000000074688000-memory.dmp	upx
behavioral1/memory/1656-72-0x0000000074640000-0x0000000074688000-memory.dmp	upx
behavioral1/files/0x00080000000126c7-70.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
1824	7a5d18bd.exe
1656	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\735804B8.tmp	7a5d18bd.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	7a5d18bd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1824	7a5d18bd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1988	90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1988	90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1824	1988	90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe	28
PID 1988 wrote to memory of 1824	1988	90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe	28
PID 1988 wrote to memory of 1824	1988	90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe	28
PID 1988 wrote to memory of 1824	1988	90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe	28

C:\Users\Admin\AppData\Local\Temp\90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe
"C:\Users\Admin\AppData\Local\Temp\90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1988
- C:\7a5d18bd.exe
  C:\7a5d18bd.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1824

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7a5d18bd.exe

Filesize
223KB

MD5
682bf9010065cccc656b35dcf99f59ee

SHA1
4e31813eba2005d98b8b1f6815ab084a2f0ed419

SHA256
a20ec82b149494a619b87178023c65cb6bada9bb3340f3bf280d482b12686e7d

SHA512
cced163b9864302cfb06fbcb877c67256585cff26b96ecd31008d3fbac769912b0f344b3658bc9eed27f63fc46163e4457ff76cd48284da44f026554259e136d

Download Submit
C:\7a5d18bd.exe

Filesize
223KB

MD5
682bf9010065cccc656b35dcf99f59ee

SHA1
4e31813eba2005d98b8b1f6815ab084a2f0ed419

SHA256
a20ec82b149494a619b87178023c65cb6bada9bb3340f3bf280d482b12686e7d

SHA512
cced163b9864302cfb06fbcb877c67256585cff26b96ecd31008d3fbac769912b0f344b3658bc9eed27f63fc46163e4457ff76cd48284da44f026554259e136d

Download Submit
C:\Users\Infotmp.txt

Filesize
724B

MD5
50a15d9adfebdc75c8dc14a8eca2cef4

SHA1
df09da6df01b4c0a531b6a5e8f2629b49df2edea

SHA256
f16772cc6f526f75fa03cb7e538a1aab1f44b02e778e00d220e4f0995f107867

SHA512
4f59b6b2e727c153172f46d4f7ba0eb7685a2d52eabcf244ba180342d38a041232066d9c775a813457f7f63a3022242f581dc5f99860c92f334082ae0c795102

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
223KB

MD5
e8c712fb1d83347fc0f2987e00f08c12

SHA1
7919630f8d12bce8473e4416a25fe1669edd8d51

SHA256
b54472f0d7a5112cc8a1b0611f72feb2616d36aacb8426a96a0a7446311a0265

SHA512
79020ea55951e4c9a0b16a48d03f0b6c331f0a69ad87a2bb83382a3b0a37878107bf6d5d6099767938ba0cedc4c7fbc2230143ffa9d0f7f89962f9893ba5e33d

Download Submit
\Windows\SysWOW64\735804B8.tmp

Filesize
223KB

MD5
e8c712fb1d83347fc0f2987e00f08c12

SHA1
7919630f8d12bce8473e4416a25fe1669edd8d51

SHA256
b54472f0d7a5112cc8a1b0611f72feb2616d36aacb8426a96a0a7446311a0265

SHA512
79020ea55951e4c9a0b16a48d03f0b6c331f0a69ad87a2bb83382a3b0a37878107bf6d5d6099767938ba0cedc4c7fbc2230143ffa9d0f7f89962f9893ba5e33d

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
223KB

MD5
e8c712fb1d83347fc0f2987e00f08c12

SHA1
7919630f8d12bce8473e4416a25fe1669edd8d51

SHA256
b54472f0d7a5112cc8a1b0611f72feb2616d36aacb8426a96a0a7446311a0265

SHA512
79020ea55951e4c9a0b16a48d03f0b6c331f0a69ad87a2bb83382a3b0a37878107bf6d5d6099767938ba0cedc4c7fbc2230143ffa9d0f7f89962f9893ba5e33d

Download Submit
memory/1656-75-0x0000000074640000-0x0000000074688000-memory.dmp

Filesize
288KB

Download
memory/1656-72-0x0000000074640000-0x0000000074688000-memory.dmp

Filesize
288KB

Download
memory/1656-73-0x0000000074640000-0x0000000074688000-memory.dmp

Filesize
288KB

Download
memory/1824-66-0x0000000074640000-0x0000000074688000-memory.dmp

Filesize
288KB

Download
memory/1824-63-0x0000000001020000-0x0000000001068000-memory.dmp

Filesize
288KB

Download
memory/1824-65-0x0000000076430000-0x0000000076490000-memory.dmp

Filesize
384KB

Download
memory/1824-58-0x0000000001020000-0x0000000001068000-memory.dmp

Filesize
288KB

Download
memory/1824-67-0x0000000002470000-0x0000000006470000-memory.dmp

Filesize
64.0MB

Download
memory/1824-68-0x0000000076430000-0x0000000076490000-memory.dmp

Filesize
384KB

Download
memory/1824-64-0x0000000002470000-0x0000000006470000-memory.dmp

Filesize
64.0MB

Download
memory/1824-56-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1824-76-0x0000000076430000-0x0000000076490000-memory.dmp

Filesize
384KB

Download
memory/1824-57-0x0000000001020000-0x0000000001068000-memory.dmp

Filesize
288KB

Download
memory/1988-61-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1988-62-0x0000000000340000-0x0000000000388000-memory.dmp

Filesize
288KB

Download
memory/1988-79-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing