112c6c63ddc3aa41747e0380e176d570cfd5700ca0f11ef34af6505e28b0b80b

General

Target

112c6c63ddc3aa41747e0380e176d570cfd5700ca0f11ef34af6505e28b0b80b.exe
Size

300KB
MD5

08b6afed5095f397b3a9403f09f97220
SHA1

8fe3e571ed367122d8f45361d042adf34714da8c
SHA256

112c6c63ddc3aa41747e0380e176d570cfd5700ca0f11ef34af6505e28b0b80b
SHA512

e094f205412a51e0f814d5a1cb5839fc624e587942bbf6a665de8736b574533f943043d0da0d0efa6713dd86ef89628aa215dc2bb6caab5959aa44551bbc6fbc
SSDEEP

6144:zQVPyTM5nSOEt5zpaiRhcuGE07v6+uMHWzIH:z26Q3wNxRhTKj6oHZ

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	aspack_v212_v242
behavioral1/files/0x00090000000122ff-60.dat	aspack_v212_v242
behavioral1/files/0x000c0000000054a8-59.dat	aspack_v212_v242
behavioral1/files/0x00090000000122f9-66.dat	aspack_v212_v242
behavioral1/files/0x00090000000122f9-67.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1680	1f463e18.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	1f463e18.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	upx
behavioral1/memory/1680-57-0x0000000000FA0000-0x0000000000FE7000-memory.dmp	upx
behavioral1/memory/1680-58-0x0000000000FA0000-0x0000000000FE7000-memory.dmp	upx
behavioral1/files/0x00090000000122ff-60.dat	upx
behavioral1/files/0x000c0000000054a8-59.dat	upx
behavioral1/memory/1680-63-0x0000000000FA0000-0x0000000000FE7000-memory.dmp	upx
behavioral1/files/0x00090000000122f9-66.dat	upx
behavioral1/files/0x00090000000122f9-67.dat	upx
behavioral1/memory/2012-70-0x0000000075260000-0x00000000752A7000-memory.dmp	upx
behavioral1/memory/2012-69-0x0000000075260000-0x00000000752A7000-memory.dmp	upx
behavioral1/memory/2012-72-0x0000000075260000-0x00000000752A7000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1680	1f463e18.exe
2012	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\71D50568.tmp	1f463e18.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	1f463e18.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1680	1f463e18.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 1680	1372	112c6c63ddc3aa41747e0380e176d570cfd5700ca0f11ef34af6505e28b0b80b.exe	28
PID 1372 wrote to memory of 1680	1372	112c6c63ddc3aa41747e0380e176d570cfd5700ca0f11ef34af6505e28b0b80b.exe	28
PID 1372 wrote to memory of 1680	1372	112c6c63ddc3aa41747e0380e176d570cfd5700ca0f11ef34af6505e28b0b80b.exe	28
PID 1372 wrote to memory of 1680	1372	112c6c63ddc3aa41747e0380e176d570cfd5700ca0f11ef34af6505e28b0b80b.exe	28

C:\Users\Admin\AppData\Local\Temp\112c6c63ddc3aa41747e0380e176d570cfd5700ca0f11ef34af6505e28b0b80b.exe
"C:\Users\Admin\AppData\Local\Temp\112c6c63ddc3aa41747e0380e176d570cfd5700ca0f11ef34af6505e28b0b80b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1372
- C:\1f463e18.exe
  C:\1f463e18.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1680

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1f463e18.exe

Filesize
221KB

MD5
b3d1699bac5f4682cda6ca7676f8d333

SHA1
009fae507bc8b45b2a6e4f6e3753f60c96d3d692

SHA256
62e55bf4c88ceb6ca6ac53a2b3be0144c8939b4d576676f00182ef8bd5117218

SHA512
1a22e86d20b3f0cdae51bdef481caf3c83d1c5650c8566efef0bee941b5c4ddaf9d73d60b615de381c7d2e68a96cb118112898afb111ac41b68380a8ecffd571

Download Submit
C:\1f463e18.exe

Filesize
221KB

MD5
b3d1699bac5f4682cda6ca7676f8d333

SHA1
009fae507bc8b45b2a6e4f6e3753f60c96d3d692

SHA256
62e55bf4c88ceb6ca6ac53a2b3be0144c8939b4d576676f00182ef8bd5117218

SHA512
1a22e86d20b3f0cdae51bdef481caf3c83d1c5650c8566efef0bee941b5c4ddaf9d73d60b615de381c7d2e68a96cb118112898afb111ac41b68380a8ecffd571

Download Submit
C:\Users\Infotmp.txt

Filesize
724B

MD5
f999b0fd72c27da4e6f453ee21e0c12c

SHA1
e0727d4f03fccbb40d2ccd54f32b5fa8bf8f3c51

SHA256
1351cc98529e731fff01e1b9fe85529e21a3dcdc47c8c650771e32a9f9628e03

SHA512
1d02389d927b62a2c1c450a5e4e6c1416533d0e0376322db47b62250425edd669274c9597a0abd2f57f3b374a5ec14a84be9f7e55b2b3d356abe4ace17f680b2

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
221KB

MD5
0669d63a75b1858b346fc2e650ab3e48

SHA1
52529e1ebebdd2d3c447f6044f64639e517d9ef4

SHA256
e74d7fd196f966eb88d82c5396181e0c7e159080a173bc69d207ee3a24d4728e

SHA512
af0d747f01a91a09f21e4b68258f6f285fd502f2b021dc25574a343a20f3a1abd0b1a86129385a4d9eada81808ea32ed9718c606ad002721a1b96b31c38a39c8

Download Submit
\Windows\SysWOW64\71D50568.tmp

Filesize
221KB

MD5
0669d63a75b1858b346fc2e650ab3e48

SHA1
52529e1ebebdd2d3c447f6044f64639e517d9ef4

SHA256
e74d7fd196f966eb88d82c5396181e0c7e159080a173bc69d207ee3a24d4728e

SHA512
af0d747f01a91a09f21e4b68258f6f285fd502f2b021dc25574a343a20f3a1abd0b1a86129385a4d9eada81808ea32ed9718c606ad002721a1b96b31c38a39c8

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
221KB

MD5
0669d63a75b1858b346fc2e650ab3e48

SHA1
52529e1ebebdd2d3c447f6044f64639e517d9ef4

SHA256
e74d7fd196f966eb88d82c5396181e0c7e159080a173bc69d207ee3a24d4728e

SHA512
af0d747f01a91a09f21e4b68258f6f285fd502f2b021dc25574a343a20f3a1abd0b1a86129385a4d9eada81808ea32ed9718c606ad002721a1b96b31c38a39c8

Download Submit
memory/1372-74-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1372-61-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1372-62-0x0000000000300000-0x0000000000347000-memory.dmp

Filesize
284KB

Download
memory/1680-64-0x00000000023F0000-0x00000000063F0000-memory.dmp

Filesize
64.0MB

Download
memory/1680-65-0x00000000772F0000-0x0000000077350000-memory.dmp

Filesize
384KB

Download
memory/1680-63-0x0000000000FA0000-0x0000000000FE7000-memory.dmp

Filesize
284KB

Download
memory/1680-58-0x0000000000FA0000-0x0000000000FE7000-memory.dmp

Filesize
284KB

Download
memory/1680-57-0x0000000000FA0000-0x0000000000FE7000-memory.dmp

Filesize
284KB

Download
memory/1680-73-0x00000000772F0000-0x0000000077350000-memory.dmp

Filesize
384KB

Download
memory/1680-56-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/2012-70-0x0000000075260000-0x00000000752A7000-memory.dmp

Filesize
284KB

Download
memory/2012-69-0x0000000075260000-0x00000000752A7000-memory.dmp

Filesize
284KB

Download
memory/2012-72-0x0000000075260000-0x00000000752A7000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing