f979f727817088a5445a829d9ad1e714d91d36f0446c1c9c6de0984e786600cf

General

Target

f979f727817088a5445a829d9ad1e714d91d36f0446c1c9c6de0984e786600cf.exe
Size

300KB
MD5

0cd76fe9419489fa159343bbf83b3c21
SHA1

ac9f25bf0ae29634d78fee255ead72def2fc6ac7
SHA256

f979f727817088a5445a829d9ad1e714d91d36f0446c1c9c6de0984e786600cf
SHA512

107b0d63b4be6e04b7c4bf94cfed41157b0b01f660c225e10005c430916b269b333ee4f2d375b40f78055c44a96c61a8f866fda84cf86ee4f197657cf3767118
SSDEEP

6144:LQVJvzN5V+pOrVXl7HWrE+icB8aa36OCwb7eEk8vEE+M1P:L2JvEEXVHGbKaW60b7eX8vEkP

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	aspack_v212_v242
behavioral1/files/0x000c0000000054a8-58.dat	aspack_v212_v242
behavioral1/files/0x00080000000139f2-59.dat	aspack_v212_v242
behavioral1/files/0x00090000000134d5-66.dat	aspack_v212_v242
behavioral1/files/0x00090000000134d5-65.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
536	2e76488c.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	2e76488c.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	upx
behavioral1/memory/536-57-0x0000000000E30000-0x0000000000E78000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-58.dat	upx
behavioral1/files/0x00080000000139f2-59.dat	upx
behavioral1/memory/536-62-0x0000000000E30000-0x0000000000E78000-memory.dmp	upx
behavioral1/files/0x00090000000134d5-66.dat	upx
behavioral1/files/0x00090000000134d5-65.dat	upx
behavioral1/memory/1712-68-0x00000000756A0000-0x00000000756E8000-memory.dmp	upx
behavioral1/memory/1712-70-0x00000000756A0000-0x00000000756E8000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
536	2e76488c.exe
1712	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	2e76488c.exe
File opened for modification	C:\Windows\SysWOW64\6C600574.tmp	2e76488c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
536	2e76488c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 536	768	f979f727817088a5445a829d9ad1e714d91d36f0446c1c9c6de0984e786600cf.exe	27
PID 768 wrote to memory of 536	768	f979f727817088a5445a829d9ad1e714d91d36f0446c1c9c6de0984e786600cf.exe	27
PID 768 wrote to memory of 536	768	f979f727817088a5445a829d9ad1e714d91d36f0446c1c9c6de0984e786600cf.exe	27
PID 768 wrote to memory of 536	768	f979f727817088a5445a829d9ad1e714d91d36f0446c1c9c6de0984e786600cf.exe	27

C:\Users\Admin\AppData\Local\Temp\f979f727817088a5445a829d9ad1e714d91d36f0446c1c9c6de0984e786600cf.exe
"C:\Users\Admin\AppData\Local\Temp\f979f727817088a5445a829d9ad1e714d91d36f0446c1c9c6de0984e786600cf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:768
- C:\2e76488c.exe
  C:\2e76488c.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:536

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2e76488c.exe

Filesize
222KB

MD5
585c2390e02463e6711265e605eff0c7

SHA1
d076affdb51cb988509555f866d576aa309cf380

SHA256
09b7625008038ff223761acf9bac6bc4794700f336b99b1d1891b58c293bb082

SHA512
c829a8b6e70dcf42f6586a8cb0026b7289db55c56d39c7f712b3e43addb7a66eb83fd89cfa39fb306edc1b3db10c0dda7d05aeceddac94fe4a393427c60277f6

Download Submit
C:\2e76488c.exe

Filesize
222KB

MD5
585c2390e02463e6711265e605eff0c7

SHA1
d076affdb51cb988509555f866d576aa309cf380

SHA256
09b7625008038ff223761acf9bac6bc4794700f336b99b1d1891b58c293bb082

SHA512
c829a8b6e70dcf42f6586a8cb0026b7289db55c56d39c7f712b3e43addb7a66eb83fd89cfa39fb306edc1b3db10c0dda7d05aeceddac94fe4a393427c60277f6

Download Submit
C:\Users\Infotmp.txt

Filesize
724B

MD5
01b83fcddade43ca653ec1461ccf2060

SHA1
d2928986a664820af594649bc3673d5618ab06bf

SHA256
e7823a03cb4b63d45f69fd6faa425778a04b8841db495238429b0b147242c69b

SHA512
331fabd2f4f7d2be384618926da867528cb4fb1faed95b294957f14393403e3da40c1aa46dd7940255f055d290c71ebbcf30230c9271fd4c89f497f06bf6a107

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
222KB

MD5
eca252e84ada8d896458393bfb62d022

SHA1
5f200c89df8d196e64987c3f6b61da52dcead693

SHA256
b0037b149a64cba1f5c382cd87e5d7a5ba6bf9ed1866c3af8cbf2c7e50bb5a1e

SHA512
dba28a7af38c222699405a98f34fabec2783a5842b3573cf432e050cf8f07013bc396b081842bd0625e33b6941ed90d2463eca8c66020db237cf61104fbb7484

Download Submit
\Windows\SysWOW64\6C600574.tmp

Filesize
222KB

MD5
eca252e84ada8d896458393bfb62d022

SHA1
5f200c89df8d196e64987c3f6b61da52dcead693

SHA256
b0037b149a64cba1f5c382cd87e5d7a5ba6bf9ed1866c3af8cbf2c7e50bb5a1e

SHA512
dba28a7af38c222699405a98f34fabec2783a5842b3573cf432e050cf8f07013bc396b081842bd0625e33b6941ed90d2463eca8c66020db237cf61104fbb7484

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
222KB

MD5
eca252e84ada8d896458393bfb62d022

SHA1
5f200c89df8d196e64987c3f6b61da52dcead693

SHA256
b0037b149a64cba1f5c382cd87e5d7a5ba6bf9ed1866c3af8cbf2c7e50bb5a1e

SHA512
dba28a7af38c222699405a98f34fabec2783a5842b3573cf432e050cf8f07013bc396b081842bd0625e33b6941ed90d2463eca8c66020db237cf61104fbb7484

Download Submit
memory/536-62-0x0000000000E30000-0x0000000000E78000-memory.dmp

Filesize
288KB

Download
memory/536-63-0x0000000002280000-0x0000000006280000-memory.dmp

Filesize
64.0MB

Download
memory/536-64-0x00000000778D0000-0x0000000077930000-memory.dmp

Filesize
384KB

Download
memory/536-56-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/536-57-0x0000000000E30000-0x0000000000E78000-memory.dmp

Filesize
288KB

Download
memory/536-71-0x00000000778D0000-0x0000000077930000-memory.dmp

Filesize
384KB

Download
memory/768-61-0x0000000000160000-0x00000000001A8000-memory.dmp

Filesize
288KB

Download
memory/768-60-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/768-72-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1712-68-0x00000000756A0000-0x00000000756E8000-memory.dmp

Filesize
288KB

Download
memory/1712-70-0x00000000756A0000-0x00000000756E8000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing