1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b

General

Target

1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe
Size

256KB
MD5

0e0b31ac867bf65d90e19a4b35576e40
SHA1

c4a299775fc065d15cba2023567417084b77dd18
SHA256

1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b
SHA512

77b44ea778952b2831ea46458f828fff04278e68611f00729728355f069ed967e489d152e32efa8545af8dcbe6af4e87bc22f6f8bac1b0a1fccf6a5b08cc9ad5
SSDEEP

6144:bvqyTM5nSOEt5zpaiRhcuGE07v6+uMHWzIH:brQ3wNxRhTKj6oHZ

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000c0000000054a8-56.dat	aspack_v212_v242
behavioral1/files/0x000c0000000054a8-58.dat	aspack_v212_v242
behavioral1/files/0x000800000001339d-61.dat	aspack_v212_v242
behavioral1/files/0x000900000001318e-70.dat	aspack_v212_v242
behavioral1/files/0x000900000001318e-69.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
864	78d26152.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	78d26152.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-56.dat	upx
behavioral1/files/0x000c0000000054a8-58.dat	upx
behavioral1/memory/864-60-0x0000000000FE0000-0x0000000001027000-memory.dmp	upx
behavioral1/memory/864-59-0x0000000000FE0000-0x0000000001027000-memory.dmp	upx
behavioral1/files/0x000800000001339d-61.dat	upx
behavioral1/memory/864-65-0x0000000000FE0000-0x0000000001027000-memory.dmp	upx
behavioral1/files/0x000900000001318e-70.dat	upx
behavioral1/files/0x000900000001318e-69.dat	upx
behavioral1/memory/1076-72-0x0000000074880000-0x00000000748C7000-memory.dmp	upx
behavioral1/memory/1076-73-0x0000000074880000-0x00000000748C7000-memory.dmp	upx
behavioral1/memory/1076-75-0x0000000074880000-0x00000000748C7000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
864	78d26152.exe
1076	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\08310560.tmp	78d26152.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	78d26152.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
864	78d26152.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 864	1660	1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe	28
PID 1660 wrote to memory of 864	1660	1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe	28
PID 1660 wrote to memory of 864	1660	1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe	28
PID 1660 wrote to memory of 864	1660	1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe	28
PID 1660 wrote to memory of 864	1660	1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe	28
PID 1660 wrote to memory of 864	1660	1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe	28
PID 1660 wrote to memory of 864	1660	1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe	28

C:\Users\Admin\AppData\Local\Temp\1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe
"C:\Users\Admin\AppData\Local\Temp\1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\78d26152.exe
  C:\78d26152.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:864

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\78d26152.exe

Filesize
221KB

MD5
b3d1699bac5f4682cda6ca7676f8d333

SHA1
009fae507bc8b45b2a6e4f6e3753f60c96d3d692

SHA256
62e55bf4c88ceb6ca6ac53a2b3be0144c8939b4d576676f00182ef8bd5117218

SHA512
1a22e86d20b3f0cdae51bdef481caf3c83d1c5650c8566efef0bee941b5c4ddaf9d73d60b615de381c7d2e68a96cb118112898afb111ac41b68380a8ecffd571

Download Submit
C:\78d26152.exe

Filesize
221KB

MD5
b3d1699bac5f4682cda6ca7676f8d333

SHA1
009fae507bc8b45b2a6e4f6e3753f60c96d3d692

SHA256
62e55bf4c88ceb6ca6ac53a2b3be0144c8939b4d576676f00182ef8bd5117218

SHA512
1a22e86d20b3f0cdae51bdef481caf3c83d1c5650c8566efef0bee941b5c4ddaf9d73d60b615de381c7d2e68a96cb118112898afb111ac41b68380a8ecffd571

Download Submit
C:\Users\Infotmp.txt

Filesize
724B

MD5
e20d68405230cead3e9263c9061ea6d7

SHA1
c05485875b4c7e1ecd0e651e7075a85791acf414

SHA256
1a255f377acc39d41ef1fc3c931c5b29d2d81cf5c69657f8e462e16a97fe639d

SHA512
3e5c25b59ee69c4ccbb4ec828eb268f2254ed835eed71f6f65fcc6c2fdff290a7ce81faf5a153b402091da88201185dd12cba1ea57249abe550435d3a3387619

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
221KB

MD5
0669d63a75b1858b346fc2e650ab3e48

SHA1
52529e1ebebdd2d3c447f6044f64639e517d9ef4

SHA256
e74d7fd196f966eb88d82c5396181e0c7e159080a173bc69d207ee3a24d4728e

SHA512
af0d747f01a91a09f21e4b68258f6f285fd502f2b021dc25574a343a20f3a1abd0b1a86129385a4d9eada81808ea32ed9718c606ad002721a1b96b31c38a39c8

Download Submit
\Windows\SysWOW64\08310560.tmp

Filesize
221KB

MD5
0669d63a75b1858b346fc2e650ab3e48

SHA1
52529e1ebebdd2d3c447f6044f64639e517d9ef4

SHA256
e74d7fd196f966eb88d82c5396181e0c7e159080a173bc69d207ee3a24d4728e

SHA512
af0d747f01a91a09f21e4b68258f6f285fd502f2b021dc25574a343a20f3a1abd0b1a86129385a4d9eada81808ea32ed9718c606ad002721a1b96b31c38a39c8

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
221KB

MD5
0669d63a75b1858b346fc2e650ab3e48

SHA1
52529e1ebebdd2d3c447f6044f64639e517d9ef4

SHA256
e74d7fd196f966eb88d82c5396181e0c7e159080a173bc69d207ee3a24d4728e

SHA512
af0d747f01a91a09f21e4b68258f6f285fd502f2b021dc25574a343a20f3a1abd0b1a86129385a4d9eada81808ea32ed9718c606ad002721a1b96b31c38a39c8

Download Submit
memory/864-59-0x0000000000FE0000-0x0000000001027000-memory.dmp

Filesize
284KB

Download
memory/864-68-0x0000000075F30000-0x0000000075F90000-memory.dmp

Filesize
384KB

Download
memory/864-77-0x0000000075F30000-0x0000000075F90000-memory.dmp

Filesize
384KB

Download
memory/864-76-0x0000000000080000-0x000000000008D000-memory.dmp

Filesize
52KB

Download
memory/864-65-0x0000000000FE0000-0x0000000001027000-memory.dmp

Filesize
284KB

Download
memory/864-66-0x0000000000080000-0x00000000000C7000-memory.dmp

Filesize
284KB

Download
memory/864-67-0x0000000002430000-0x0000000006430000-memory.dmp

Filesize
64.0MB

Download
memory/864-60-0x0000000000FE0000-0x0000000001027000-memory.dmp

Filesize
284KB

Download
memory/1076-72-0x0000000074880000-0x00000000748C7000-memory.dmp

Filesize
284KB

Download
memory/1076-73-0x0000000074880000-0x00000000748C7000-memory.dmp

Filesize
284KB

Download
memory/1076-75-0x0000000074880000-0x00000000748C7000-memory.dmp

Filesize
284KB

Download
memory/1660-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1660-62-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-64-0x0000000000190000-0x00000000001D7000-memory.dmp

Filesize
284KB

Download
memory/1660-63-0x0000000000170000-0x00000000001B0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing