8c79778964d814502db6cdc3b9fc0ee1b5aefff5fc2de6ba05154e6c13efbc15

General

Target

8c79778964d814502db6cdc3b9fc0ee1b5aefff5fc2de6ba05154e6c13efbc15.exe
Size

343KB
MD5

097547f8cdaa398d3c1d473e2e5ad8e0
SHA1

0ef0d7fd8c001d910ae34edfd20d0e7314244f60
SHA256

8c79778964d814502db6cdc3b9fc0ee1b5aefff5fc2de6ba05154e6c13efbc15
SHA512

d47f2bdbc4a36d27e9ca7e44855561007b3deb44343be7146b55941669e9dfb6eced3e5f1a538fac129c2142bb59f1208fbac9066ebf1f8898eeb95e2b8736f7
SSDEEP

6144:tnQvuyxcHj+0QSJLjEgXZilDsszoQPniGKJlmF5c/9aXTPjNGsgl2K8kS:lExAC0HAuQPn28F5cYDLNGsgR8t

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000005c51-55.dat	aspack_v212_v242
behavioral1/files/0x0008000000013a09-60.dat	aspack_v212_v242
behavioral1/files/0x0008000000005c51-59.dat	aspack_v212_v242
behavioral1/files/0x000a0000000134dc-67.dat	aspack_v212_v242
behavioral1/files/0x000a0000000134dc-68.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1148	448b1ead.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	448b1ead.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000005c51-55.dat	upx
behavioral1/memory/1148-57-0x0000000001380000-0x00000000013A6000-memory.dmp	upx
behavioral1/memory/1148-58-0x0000000001380000-0x00000000013A6000-memory.dmp	upx
behavioral1/files/0x0008000000013a09-60.dat	upx
behavioral1/files/0x0008000000005c51-59.dat	upx
behavioral1/memory/1148-64-0x0000000001380000-0x00000000013A6000-memory.dmp	upx
behavioral1/files/0x000a0000000134dc-67.dat	upx
behavioral1/files/0x000a0000000134dc-68.dat	upx
behavioral1/memory/364-71-0x0000000074DD0000-0x0000000074DF6000-memory.dmp	upx
behavioral1/memory/364-70-0x0000000074DD0000-0x0000000074DF6000-memory.dmp	upx
behavioral1/memory/364-73-0x0000000074DD0000-0x0000000074DF6000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1148	448b1ead.exe
364	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\3D4A04B0.tmp	448b1ead.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	448b1ead.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1148	448b1ead.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1148	1460	8c79778964d814502db6cdc3b9fc0ee1b5aefff5fc2de6ba05154e6c13efbc15.exe	28
PID 1460 wrote to memory of 1148	1460	8c79778964d814502db6cdc3b9fc0ee1b5aefff5fc2de6ba05154e6c13efbc15.exe	28
PID 1460 wrote to memory of 1148	1460	8c79778964d814502db6cdc3b9fc0ee1b5aefff5fc2de6ba05154e6c13efbc15.exe	28
PID 1460 wrote to memory of 1148	1460	8c79778964d814502db6cdc3b9fc0ee1b5aefff5fc2de6ba05154e6c13efbc15.exe	28

C:\Users\Admin\AppData\Local\Temp\8c79778964d814502db6cdc3b9fc0ee1b5aefff5fc2de6ba05154e6c13efbc15.exe
"C:\Users\Admin\AppData\Local\Temp\8c79778964d814502db6cdc3b9fc0ee1b5aefff5fc2de6ba05154e6c13efbc15.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\448b1ead.exe
  C:\448b1ead.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1148

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\448b1ead.exe

Filesize
85KB

MD5
dc79694af889ef0900f93a985cca48c3

SHA1
1f19f2878ba9867eaea364b848936a59491402b8

SHA256
b03f21769ff0f0dfdee79344b1d7facef6b7e8da78f7328e8217013c6f496eaa

SHA512
afc7a1036a16f8327c9cd8f8b5e0409be8731b73c49789f163c349730091a90c0b18c0c0bb0f800b2c6635bf47c1e7679e3641801252d0a97d0c7eab6663679a

Download Submit
C:\448b1ead.exe

Filesize
85KB

MD5
dc79694af889ef0900f93a985cca48c3

SHA1
1f19f2878ba9867eaea364b848936a59491402b8

SHA256
b03f21769ff0f0dfdee79344b1d7facef6b7e8da78f7328e8217013c6f496eaa

SHA512
afc7a1036a16f8327c9cd8f8b5e0409be8731b73c49789f163c349730091a90c0b18c0c0bb0f800b2c6635bf47c1e7679e3641801252d0a97d0c7eab6663679a

Download Submit
C:\Users\Infotmp.txt

Filesize
720B

MD5
c3d3f193fb386a2dcf3f983910813402

SHA1
f2c41738f0ead9953cf26660f68c2ba83a4527c1

SHA256
49ac76d38f792b9edc2ab5d82b663e9a7d29b95c105402f2656fd631f5b11023

SHA512
c2f60956fa0f9aa8b8ca90f880237452e591bbb4a3738b79dbc464cd2471af183988a2fa5f8ec40777558710936ad1c53445608188410af4eb5db19aa73f5bfd

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
85KB

MD5
5e9c90dac0ed23994f82a0c30b2a09ff

SHA1
fded5086f4200058846bac06eecb6b5331ca21ff

SHA256
b4bdc374e51605500a53890bf12481c8229b96831d5774042cfaf9566eec01ee

SHA512
9138ddebc08032a3621371af6abae01f4853aa595cee04cc13df4e1fb855610970fef8309d3c0ea73760ea11895ff829b35ba2d940d74a50edd7919ba6ed0abe

Download Submit
\Windows\SysWOW64\3D4A04B0.tmp

Filesize
85KB

MD5
5e9c90dac0ed23994f82a0c30b2a09ff

SHA1
fded5086f4200058846bac06eecb6b5331ca21ff

SHA256
b4bdc374e51605500a53890bf12481c8229b96831d5774042cfaf9566eec01ee

SHA512
9138ddebc08032a3621371af6abae01f4853aa595cee04cc13df4e1fb855610970fef8309d3c0ea73760ea11895ff829b35ba2d940d74a50edd7919ba6ed0abe

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
85KB

MD5
5e9c90dac0ed23994f82a0c30b2a09ff

SHA1
fded5086f4200058846bac06eecb6b5331ca21ff

SHA256
b4bdc374e51605500a53890bf12481c8229b96831d5774042cfaf9566eec01ee

SHA512
9138ddebc08032a3621371af6abae01f4853aa595cee04cc13df4e1fb855610970fef8309d3c0ea73760ea11895ff829b35ba2d940d74a50edd7919ba6ed0abe

Download Submit
memory/364-71-0x0000000074DD0000-0x0000000074DF6000-memory.dmp

Filesize
152KB

Download
memory/364-70-0x0000000074DD0000-0x0000000074DF6000-memory.dmp

Filesize
152KB

Download
memory/364-73-0x0000000074DD0000-0x0000000074DF6000-memory.dmp

Filesize
152KB

Download
memory/1148-64-0x0000000001380000-0x00000000013A6000-memory.dmp

Filesize
152KB

Download
memory/1148-65-0x00000000027B0000-0x00000000067B0000-memory.dmp

Filesize
64.0MB

Download
memory/1148-66-0x0000000075610000-0x0000000075670000-memory.dmp

Filesize
384KB

Download
memory/1148-58-0x0000000001380000-0x00000000013A6000-memory.dmp

Filesize
152KB

Download
memory/1148-57-0x0000000001380000-0x00000000013A6000-memory.dmp

Filesize
152KB

Download
memory/1148-56-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1148-75-0x0000000075610000-0x0000000075670000-memory.dmp

Filesize
384KB

Download
memory/1460-61-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1460-63-0x0000000000240000-0x0000000000266000-memory.dmp

Filesize
152KB

Download
memory/1460-62-0x0000000000240000-0x0000000000266000-memory.dmp

Filesize
152KB

Download
memory/1460-74-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing