90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0

General

Target

90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe
Size

316KB
MD5

4adb9dd246d5349b80bfeee99c8c6360
SHA1

996ed961402317d67608ff9b63451fe32321ac5f
SHA256

90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0
SHA512

7d82a57a3cce198bd7902d26cd90a58e8e2ecb2454953520c691c58a75477abd5e3845dae3d92cd80d4673a61694c56aa26f26fb13534d93bd8f352958b7a9e4
SSDEEP

6144:FPeyxTYb+6PZOFyzSOEt5zpaiRhcuGE07v6n7AV:FPbZYbp8FkwNxRhTKj6ng

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000022e25-134.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e25-135.dat	aspack_v212_v242
behavioral2/files/0x0007000000022e1a-141.dat	aspack_v212_v242
behavioral2/files/0x0007000000022e1a-140.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
596	7a5d18bd.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	7a5d18bd.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e25-134.dat	upx
behavioral2/files/0x0006000000022e25-135.dat	upx
behavioral2/memory/596-136-0x0000000000370000-0x00000000003B8000-memory.dmp	upx
behavioral2/memory/596-137-0x0000000000370000-0x00000000003B8000-memory.dmp	upx
behavioral2/memory/596-138-0x0000000000370000-0x00000000003B8000-memory.dmp	upx
behavioral2/files/0x0007000000022e1a-141.dat	upx
behavioral2/memory/628-142-0x0000000074F10000-0x0000000074F58000-memory.dmp	upx
behavioral2/memory/628-143-0x0000000074F10000-0x0000000074F58000-memory.dmp	upx
behavioral2/files/0x0007000000022e1a-140.dat	upx
behavioral2/memory/628-145-0x0000000074F10000-0x0000000074F58000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
628	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\778E0BC0.tmp	7a5d18bd.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	7a5d18bd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
596	7a5d18bd.exe
596	7a5d18bd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4636	90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4636	90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 596	4636	90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe	83
PID 4636 wrote to memory of 596	4636	90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe	83
PID 4636 wrote to memory of 596	4636	90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe	83

C:\Users\Admin\AppData\Local\Temp\90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe
"C:\Users\Admin\AppData\Local\Temp\90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4636
- C:\7a5d18bd.exe
  C:\7a5d18bd.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:596

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7a5d18bd.exe

Filesize
223KB

MD5
682bf9010065cccc656b35dcf99f59ee

SHA1
4e31813eba2005d98b8b1f6815ab084a2f0ed419

SHA256
a20ec82b149494a619b87178023c65cb6bada9bb3340f3bf280d482b12686e7d

SHA512
cced163b9864302cfb06fbcb877c67256585cff26b96ecd31008d3fbac769912b0f344b3658bc9eed27f63fc46163e4457ff76cd48284da44f026554259e136d

Download Submit
C:\7a5d18bd.exe

Filesize
223KB

MD5
682bf9010065cccc656b35dcf99f59ee

SHA1
4e31813eba2005d98b8b1f6815ab084a2f0ed419

SHA256
a20ec82b149494a619b87178023c65cb6bada9bb3340f3bf280d482b12686e7d

SHA512
cced163b9864302cfb06fbcb877c67256585cff26b96ecd31008d3fbac769912b0f344b3658bc9eed27f63fc46163e4457ff76cd48284da44f026554259e136d

Download Submit
C:\Users\Infotmp.txt

Filesize
724B

MD5
14677dbe8a4b548f4b419561b1090180

SHA1
2f43be2751ee0c5154dc34851513063c8a2d9726

SHA256
0eaa0ba835a0e73fef19664f6b12d2985963087ef10245eb1858b909cbfb483b

SHA512
24193b5afdd85db8ceedb432758e7f24fd89249627ffab5042fc95fef4e7bb6521ae4a1f61f529cae1a9360b0ff772443d229f6c2885e9fbe4c0476a898737a1

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
223KB

MD5
e8c712fb1d83347fc0f2987e00f08c12

SHA1
7919630f8d12bce8473e4416a25fe1669edd8d51

SHA256
b54472f0d7a5112cc8a1b0611f72feb2616d36aacb8426a96a0a7446311a0265

SHA512
79020ea55951e4c9a0b16a48d03f0b6c331f0a69ad87a2bb83382a3b0a37878107bf6d5d6099767938ba0cedc4c7fbc2230143ffa9d0f7f89962f9893ba5e33d

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
223KB

MD5
e8c712fb1d83347fc0f2987e00f08c12

SHA1
7919630f8d12bce8473e4416a25fe1669edd8d51

SHA256
b54472f0d7a5112cc8a1b0611f72feb2616d36aacb8426a96a0a7446311a0265

SHA512
79020ea55951e4c9a0b16a48d03f0b6c331f0a69ad87a2bb83382a3b0a37878107bf6d5d6099767938ba0cedc4c7fbc2230143ffa9d0f7f89962f9893ba5e33d

Download Submit
memory/596-138-0x0000000000370000-0x00000000003B8000-memory.dmp

Filesize
288KB

Download
memory/596-139-0x00000000025A0000-0x00000000065A0000-memory.dmp

Filesize
64.0MB

Download
memory/596-137-0x0000000000370000-0x00000000003B8000-memory.dmp

Filesize
288KB

Download
memory/596-136-0x0000000000370000-0x00000000003B8000-memory.dmp

Filesize
288KB

Download
memory/628-142-0x0000000074F10000-0x0000000074F58000-memory.dmp

Filesize
288KB

Download
memory/628-143-0x0000000074F10000-0x0000000074F58000-memory.dmp

Filesize
288KB

Download
memory/628-145-0x0000000074F10000-0x0000000074F58000-memory.dmp

Filesize
288KB

Download
memory/4636-132-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4636-146-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing