6ee3111dc14b4ca29c19ff4e591a77570f7bc34a4f76cb8518bcd1248edaa29c

General

Target

6ee3111dc14b4ca29c19ff4e591a77570f7bc34a4f76cb8518bcd1248edaa29c.exe
Size

124KB
MD5

a3477e5593b54040b9466f4f818516d0
SHA1

89ffbc17f459f80358a8f5dfecb1b15aeea01675
SHA256

6ee3111dc14b4ca29c19ff4e591a77570f7bc34a4f76cb8518bcd1248edaa29c
SHA512

8378c2ac0af02466afce5be3b22eee043e782725034b88cc8462f1a91cda410248dfae457837b7f20b69c44cebf11014b8e9166874c556ae5a35b00dbfd4a6e1
SSDEEP

3072:Q3vO/t4Yha+LwPDGPQ3ejaAVkuXYJnnL:iv64Yw+30OHXYJn

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000c0000000054a8-56.dat	aspack_v212_v242
behavioral1/files/0x000c0000000054a8-58.dat	aspack_v212_v242
behavioral1/files/0x0007000000014b77-60.dat	aspack_v212_v242
behavioral1/files/0x00080000000149ab-71.dat	aspack_v212_v242
behavioral1/files/0x00080000000149ab-70.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2012	6f8b63c7.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	6f8b63c7.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-56.dat	upx
behavioral1/files/0x000c0000000054a8-58.dat	upx
behavioral1/memory/2012-59-0x0000000000120000-0x0000000000146000-memory.dmp	upx
behavioral1/files/0x0007000000014b77-60.dat	upx
behavioral1/memory/2012-66-0x0000000000120000-0x0000000000146000-memory.dmp	upx
behavioral1/memory/1288-75-0x0000000074950000-0x0000000074976000-memory.dmp	upx
behavioral1/memory/1288-73-0x0000000074950000-0x0000000074976000-memory.dmp	upx
behavioral1/files/0x00080000000149ab-71.dat	upx
behavioral1/files/0x00080000000149ab-70.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
2012	6f8b63c7.exe
1288	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\41C7058C.tmp	6f8b63c7.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	6f8b63c7.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2012	6f8b63c7.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2012	1992	6ee3111dc14b4ca29c19ff4e591a77570f7bc34a4f76cb8518bcd1248edaa29c.exe	27
PID 1992 wrote to memory of 2012	1992	6ee3111dc14b4ca29c19ff4e591a77570f7bc34a4f76cb8518bcd1248edaa29c.exe	27
PID 1992 wrote to memory of 2012	1992	6ee3111dc14b4ca29c19ff4e591a77570f7bc34a4f76cb8518bcd1248edaa29c.exe	27
PID 1992 wrote to memory of 2012	1992	6ee3111dc14b4ca29c19ff4e591a77570f7bc34a4f76cb8518bcd1248edaa29c.exe	27
PID 1992 wrote to memory of 2012	1992	6ee3111dc14b4ca29c19ff4e591a77570f7bc34a4f76cb8518bcd1248edaa29c.exe	27
PID 1992 wrote to memory of 2012	1992	6ee3111dc14b4ca29c19ff4e591a77570f7bc34a4f76cb8518bcd1248edaa29c.exe	27
PID 1992 wrote to memory of 2012	1992	6ee3111dc14b4ca29c19ff4e591a77570f7bc34a4f76cb8518bcd1248edaa29c.exe	27

C:\Users\Admin\AppData\Local\Temp\6ee3111dc14b4ca29c19ff4e591a77570f7bc34a4f76cb8518bcd1248edaa29c.exe
"C:\Users\Admin\AppData\Local\Temp\6ee3111dc14b4ca29c19ff4e591a77570f7bc34a4f76cb8518bcd1248edaa29c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\6f8b63c7.exe
  C:\6f8b63c7.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2012

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\6f8b63c7.exe

Filesize
91KB

MD5
8d8b3295b97fce2649ac0c49a070b791

SHA1
057f49f8691a59bd89b33f9e1f2b374b6f4d16ec

SHA256
92f5a3052ad8c6566418b911de97d72ea822b49e10950936c1b9c6ed333721c7

SHA512
95708b54bd934808de11605890bb4b18071b5d4c5d0744de388f62258f9ef880525c5b46be456a374bda2f900f2d96077ddc896ca6e6833ec5c4ffe75d978dca

Download Submit
C:\6f8b63c7.exe

Filesize
91KB

MD5
8d8b3295b97fce2649ac0c49a070b791

SHA1
057f49f8691a59bd89b33f9e1f2b374b6f4d16ec

SHA256
92f5a3052ad8c6566418b911de97d72ea822b49e10950936c1b9c6ed333721c7

SHA512
95708b54bd934808de11605890bb4b18071b5d4c5d0744de388f62258f9ef880525c5b46be456a374bda2f900f2d96077ddc896ca6e6833ec5c4ffe75d978dca

Download Submit
C:\Users\Infotmp.txt

Filesize
720B

MD5
d0bde48f92d59f3a13c8e148188f121f

SHA1
6f0e67492b226c0201348b442f731266009ab02a

SHA256
91c97db5c8492dbfc030346e2b82b2b08940d6fb33ba4a1fc9c0ca75315179c7

SHA512
a476222254ab3a181b720c5cbf95810fb752c02844109d8fdd5c546097258eeaed3d4934c517ab777dedd0306c89e3cd2392a1f0c2a1b4afa043e5e30e487137

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
91KB

MD5
9e4efba93ef34d7001f165327e87eafb

SHA1
3b010ba520e24c8f731b74ecbf5d919afb88ba2c

SHA256
5236de5f4c357bc04ebc2e6b17b6ffc19d58042efe2ee2170dbbf6be388cad36

SHA512
6e55e5480f47ad29cee9ab48d5896a9063effab8527f6eee8c6f0b76578678665ece4d06f021ed031e6d05df1eff0fb44119c47c5f75c509a887f75e858e2df2

Download Submit
\Windows\SysWOW64\41C7058C.tmp

Filesize
91KB

MD5
9e4efba93ef34d7001f165327e87eafb

SHA1
3b010ba520e24c8f731b74ecbf5d919afb88ba2c

SHA256
5236de5f4c357bc04ebc2e6b17b6ffc19d58042efe2ee2170dbbf6be388cad36

SHA512
6e55e5480f47ad29cee9ab48d5896a9063effab8527f6eee8c6f0b76578678665ece4d06f021ed031e6d05df1eff0fb44119c47c5f75c509a887f75e858e2df2

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
91KB

MD5
9e4efba93ef34d7001f165327e87eafb

SHA1
3b010ba520e24c8f731b74ecbf5d919afb88ba2c

SHA256
5236de5f4c357bc04ebc2e6b17b6ffc19d58042efe2ee2170dbbf6be388cad36

SHA512
6e55e5480f47ad29cee9ab48d5896a9063effab8527f6eee8c6f0b76578678665ece4d06f021ed031e6d05df1eff0fb44119c47c5f75c509a887f75e858e2df2

Download Submit
memory/1288-75-0x0000000074950000-0x0000000074976000-memory.dmp

Filesize
152KB

Download
memory/1288-73-0x0000000074950000-0x0000000074976000-memory.dmp

Filesize
152KB

Download
memory/1992-63-0x0000000000020000-0x000000000003F000-memory.dmp

Filesize
124KB

Download
memory/1992-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1992-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1992-64-0x0000000000020000-0x000000000003F000-memory.dmp

Filesize
124KB

Download
memory/1992-65-0x00000000001F0000-0x0000000000216000-memory.dmp

Filesize
152KB

Download
memory/1992-62-0x0000000000020000-0x000000000003F000-memory.dmp

Filesize
124KB

Download
memory/2012-66-0x0000000000120000-0x0000000000146000-memory.dmp

Filesize
152KB

Download
memory/2012-67-0x0000000001DF0000-0x0000000005DF0000-memory.dmp

Filesize
64.0MB

Download
memory/2012-68-0x0000000075D70000-0x0000000075DD0000-memory.dmp

Filesize
384KB

Download
memory/2012-69-0x0000000074950000-0x0000000074976000-memory.dmp

Filesize
152KB

Download
memory/2012-76-0x0000000075D70000-0x0000000075DD0000-memory.dmp

Filesize
384KB

Download
memory/2012-59-0x0000000000120000-0x0000000000146000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing