3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765

Analysis

max time kernel
34s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-10-2022 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe
Size

424KB
MD5

41a86b1e105e8d11741ed2ed29266f00
SHA1

131d8b0a2a04e939a8f47c835f33607fae09080d
SHA256

3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765
SHA512

47702a0e1b98daaa1597212e67246dfa05a9261bf760ff4552549686a9f2e9e8d63d87ebe322103995d2afc89834897ddfc909ea16e9bb731c0aec3c981ee5a3
SSDEEP

6144:Do4KwOoHTxF/p/uwONct43D92UqyTM5nSOEt5zpaiRhcuGE07v6+uMHWzIH:Do3qx9pGHNu4B2UzQ3wNxRhTKj6oHZ

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00140000000054ab-56.dat	aspack_v212_v242
behavioral1/files/0x00140000000054ab-60.dat	aspack_v212_v242
behavioral1/files/0x0006000000014159-61.dat	aspack_v212_v242
behavioral1/files/0x0007000000014124-68.dat	aspack_v212_v242
behavioral1/files/0x0007000000014124-67.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1696	37143a71.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	37143a71.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-56.dat	upx
behavioral1/memory/1696-58-0x0000000001050000-0x0000000001097000-memory.dmp	upx
behavioral1/memory/1696-59-0x0000000001050000-0x0000000001097000-memory.dmp	upx
behavioral1/files/0x00140000000054ab-60.dat	upx
behavioral1/files/0x0006000000014159-61.dat	upx
behavioral1/memory/1696-63-0x0000000001050000-0x0000000001097000-memory.dmp	upx
behavioral1/memory/1696-65-0x0000000075E60000-0x0000000075EC0000-memory.dmp	upx
behavioral1/memory/1504-71-0x0000000074450000-0x0000000074497000-memory.dmp	upx
behavioral1/memory/1504-73-0x0000000074450000-0x0000000074497000-memory.dmp	upx
behavioral1/memory/1504-70-0x0000000074450000-0x0000000074497000-memory.dmp	upx
behavioral1/files/0x0007000000014124-68.dat	upx
behavioral1/files/0x0007000000014124-67.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
1696	37143a71.exe
1504	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1E1004F4.tmp	37143a71.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	37143a71.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1696	37143a71.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe
1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1696	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	27
PID 1880 wrote to memory of 1696	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	27
PID 1880 wrote to memory of 1696	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	27
PID 1880 wrote to memory of 1696	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	27
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12
PID 1880 wrote to memory of 1268	1880	3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe	12

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe
  "C:\Users\Admin\AppData\Local\Temp\3a00314d84b530e777d210ae6c9fa5b2a00cc6bcad705147cb2895446181f765.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\37143a71.exe
    C:\37143a71.exe
    3⤵
    - Executes dropped EXE
    - Sets DLL path for service in the registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1696

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\37143a71.exe

Filesize
221KB

MD5
b3d1699bac5f4682cda6ca7676f8d333

SHA1
009fae507bc8b45b2a6e4f6e3753f60c96d3d692

SHA256
62e55bf4c88ceb6ca6ac53a2b3be0144c8939b4d576676f00182ef8bd5117218

SHA512
1a22e86d20b3f0cdae51bdef481caf3c83d1c5650c8566efef0bee941b5c4ddaf9d73d60b615de381c7d2e68a96cb118112898afb111ac41b68380a8ecffd571

Download Submit
C:\37143a71.exe

Filesize
221KB

MD5
b3d1699bac5f4682cda6ca7676f8d333

SHA1
009fae507bc8b45b2a6e4f6e3753f60c96d3d692

SHA256
62e55bf4c88ceb6ca6ac53a2b3be0144c8939b4d576676f00182ef8bd5117218

SHA512
1a22e86d20b3f0cdae51bdef481caf3c83d1c5650c8566efef0bee941b5c4ddaf9d73d60b615de381c7d2e68a96cb118112898afb111ac41b68380a8ecffd571

Download Submit
C:\Users\Infotmp.txt

Filesize
724B

MD5
c901f6ec087516d71c2b6e551ad39f70

SHA1
ddc9741bad5e0d2ecd36b58e930fb494493e71c1

SHA256
3f57e2fb9e6cd56c91825cd5e14b575bd6751e7c9f7e34376780e7e07cc1915e

SHA512
385bf90662cc4bb15a1c7cc0124bcf239fe9e981596b2293cd2a9e36cbfa782a8434ba6bd9a58a3d5dd333b16f461b2aedc1877733d6c60c997fa34882e7f965

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
221KB

MD5
0669d63a75b1858b346fc2e650ab3e48

SHA1
52529e1ebebdd2d3c447f6044f64639e517d9ef4

SHA256
e74d7fd196f966eb88d82c5396181e0c7e159080a173bc69d207ee3a24d4728e

SHA512
af0d747f01a91a09f21e4b68258f6f285fd502f2b021dc25574a343a20f3a1abd0b1a86129385a4d9eada81808ea32ed9718c606ad002721a1b96b31c38a39c8

Download Submit
\Windows\SysWOW64\1E1004F4.tmp

Filesize
221KB

MD5
0669d63a75b1858b346fc2e650ab3e48

SHA1
52529e1ebebdd2d3c447f6044f64639e517d9ef4

SHA256
e74d7fd196f966eb88d82c5396181e0c7e159080a173bc69d207ee3a24d4728e

SHA512
af0d747f01a91a09f21e4b68258f6f285fd502f2b021dc25574a343a20f3a1abd0b1a86129385a4d9eada81808ea32ed9718c606ad002721a1b96b31c38a39c8

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
221KB

MD5
0669d63a75b1858b346fc2e650ab3e48

SHA1
52529e1ebebdd2d3c447f6044f64639e517d9ef4

SHA256
e74d7fd196f966eb88d82c5396181e0c7e159080a173bc69d207ee3a24d4728e

SHA512
af0d747f01a91a09f21e4b68258f6f285fd502f2b021dc25574a343a20f3a1abd0b1a86129385a4d9eada81808ea32ed9718c606ad002721a1b96b31c38a39c8

Download Submit
memory/1268-89-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-88-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-76-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-77-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-78-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-79-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-80-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-81-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-82-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-83-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-84-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-85-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-86-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-87-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-93-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-94-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-92-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-95-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-107-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-106-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-105-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-104-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-103-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-102-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-101-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-100-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-99-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-98-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-97-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-96-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-90-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1268-91-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1504-70-0x0000000074450000-0x0000000074497000-memory.dmp

Filesize
284KB

Download
memory/1504-71-0x0000000074450000-0x0000000074497000-memory.dmp

Filesize
284KB

Download
memory/1504-73-0x0000000074450000-0x0000000074497000-memory.dmp

Filesize
284KB

Download
memory/1696-57-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1696-74-0x0000000075E60000-0x0000000075EC0000-memory.dmp

Filesize
384KB

Download
memory/1696-58-0x0000000001050000-0x0000000001097000-memory.dmp

Filesize
284KB

Download
memory/1696-59-0x0000000001050000-0x0000000001097000-memory.dmp

Filesize
284KB

Download
memory/1696-65-0x0000000075E60000-0x0000000075EC0000-memory.dmp

Filesize
384KB

Download
memory/1696-64-0x00000000024A0000-0x00000000064A0000-memory.dmp

Filesize
64.0MB

Download
memory/1696-63-0x0000000001050000-0x0000000001097000-memory.dmp

Filesize
284KB

Download
memory/1880-108-0x0000000000310000-0x000000000037D000-memory.dmp

Filesize
436KB

Download
memory/1880-54-0x0000000000310000-0x000000000037D000-memory.dmp

Filesize
436KB

Download
memory/1880-66-0x0000000000310000-0x000000000037D000-memory.dmp

Filesize
436KB

Download
memory/1880-62-0x00000000002B0000-0x00000000002F7000-memory.dmp

Filesize
284KB

Download