042115a41adf57e4ed45c068e841b6ffdcc68b9411f0df25896cec892d8f4011

General

Target

042115a41adf57e4ed45c068e841b6ffdcc68b9411f0df25896cec892d8f4011.exe
Size

414KB
MD5

31e0a974b462a566db82f16a12a3fa00
SHA1

d5445c98f034c531624758c58edc682fef01cdc3
SHA256

042115a41adf57e4ed45c068e841b6ffdcc68b9411f0df25896cec892d8f4011
SHA512

0fb14adc0a018860885c716e3bbf2766c2d2dfd870ea9500d3bd496cb13b355a12bd3f820298d2351387dc2fb6c77680791091c3d3db6d9fcb04eec9b9e8c7ab
SSDEEP

6144:w9WVwOGqq2BwHlfdfSNodLluAdubEHoSOEt5zpaiRhcuGE07v6bnZ:w9UAfFlu9wNxRhTKj6bn

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000005c50-56.dat	aspack_v212_v242
behavioral1/files/0x0007000000005c50-63.dat	aspack_v212_v242
behavioral1/files/0x00090000000135a6-64.dat	aspack_v212_v242
behavioral1/files/0x00080000000139e4-67.dat	aspack_v212_v242
behavioral1/files/0x00080000000139e4-68.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1560	469f1b96.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	469f1b96.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000005c50-56.dat	upx
behavioral1/memory/1560-58-0x0000000000130000-0x0000000000178000-memory.dmp	upx
behavioral1/memory/1560-59-0x0000000000130000-0x0000000000178000-memory.dmp	upx
behavioral1/memory/1560-62-0x0000000000130000-0x0000000000178000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-63.dat	upx
behavioral1/files/0x00090000000135a6-64.dat	upx
behavioral1/files/0x00080000000139e4-67.dat	upx
behavioral1/memory/1560-74-0x0000000000130000-0x0000000000178000-memory.dmp	upx
behavioral1/memory/728-73-0x0000000074440000-0x0000000074488000-memory.dmp	upx
behavioral1/memory/728-71-0x0000000074440000-0x0000000074488000-memory.dmp	upx
behavioral1/memory/728-70-0x0000000074440000-0x0000000074488000-memory.dmp	upx
behavioral1/files/0x00080000000139e4-68.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
1560	469f1b96.exe
728	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\6F9604A4.tmp	469f1b96.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	469f1b96.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1560	469f1b96.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1348	042115a41adf57e4ed45c068e841b6ffdcc68b9411f0df25896cec892d8f4011.exe
1348	042115a41adf57e4ed45c068e841b6ffdcc68b9411f0df25896cec892d8f4011.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1560	1348	042115a41adf57e4ed45c068e841b6ffdcc68b9411f0df25896cec892d8f4011.exe	26
PID 1348 wrote to memory of 1560	1348	042115a41adf57e4ed45c068e841b6ffdcc68b9411f0df25896cec892d8f4011.exe	26
PID 1348 wrote to memory of 1560	1348	042115a41adf57e4ed45c068e841b6ffdcc68b9411f0df25896cec892d8f4011.exe	26
PID 1348 wrote to memory of 1560	1348	042115a41adf57e4ed45c068e841b6ffdcc68b9411f0df25896cec892d8f4011.exe	26

C:\Users\Admin\AppData\Local\Temp\042115a41adf57e4ed45c068e841b6ffdcc68b9411f0df25896cec892d8f4011.exe
"C:\Users\Admin\AppData\Local\Temp\042115a41adf57e4ed45c068e841b6ffdcc68b9411f0df25896cec892d8f4011.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348
- C:\469f1b96.exe
  C:\469f1b96.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1560

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\469f1b96.exe

Filesize
224KB

MD5
0c7a0c4fb694fb147087395e6f48c9ac

SHA1
0461db53a076835397458c8ed87cd5f8ca1697e6

SHA256
5681567c8f500a7e0ffa3a8b133ae8210987e109479b051cdc57cbaa52ea0d78

SHA512
2ec86b27d6e4dc03ff3b8f5843f10befc1f19864329aa1137869963b61304b1c836bb58cc53ab9c094b50104c5b0c7e4924a0efe0aab0f1228841fd97d08ff4b

Download Submit
C:\469f1b96.exe

Filesize
224KB

MD5
0c7a0c4fb694fb147087395e6f48c9ac

SHA1
0461db53a076835397458c8ed87cd5f8ca1697e6

SHA256
5681567c8f500a7e0ffa3a8b133ae8210987e109479b051cdc57cbaa52ea0d78

SHA512
2ec86b27d6e4dc03ff3b8f5843f10befc1f19864329aa1137869963b61304b1c836bb58cc53ab9c094b50104c5b0c7e4924a0efe0aab0f1228841fd97d08ff4b

Download Submit
C:\Users\Infotmp.txt

Filesize
724B

MD5
d9da332bcd28ed210218533428e5cee4

SHA1
2bc6be4f98eda0f4c83f5a0d5a164efea975d25f

SHA256
3e4a4c7763d744f1842ac181430c776f9cce4b655a2bb1bb3e0b1a7d69ea406d

SHA512
51da5af00b992b154cf126bee9e7257ec8cfdbd95ff3d37f8236f0276b80ee82ee951cf4e590fda83b42391495d41b3e3df1991b46d38ab606aab2b0b764333a

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
224KB

MD5
ab96b58dd1f35cda2b381466f694981a

SHA1
59242c7e412eb7e0142f273c20ed21e1c9350089

SHA256
7975e102708b931d0d6b0f475c457a01e678020454d0f586febf127ec0ab4da3

SHA512
b5291688b273726b9bc875cfd0b66387ff38fc58c7247b448b88a6d8e6c62057a22db910b1f65bffd14e9979c7433965ed8ab80d383f51bca47dec767077272a

Download Submit
\Windows\SysWOW64\6F9604A4.tmp

Filesize
224KB

MD5
ab96b58dd1f35cda2b381466f694981a

SHA1
59242c7e412eb7e0142f273c20ed21e1c9350089

SHA256
7975e102708b931d0d6b0f475c457a01e678020454d0f586febf127ec0ab4da3

SHA512
b5291688b273726b9bc875cfd0b66387ff38fc58c7247b448b88a6d8e6c62057a22db910b1f65bffd14e9979c7433965ed8ab80d383f51bca47dec767077272a

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
224KB

MD5
ab96b58dd1f35cda2b381466f694981a

SHA1
59242c7e412eb7e0142f273c20ed21e1c9350089

SHA256
7975e102708b931d0d6b0f475c457a01e678020454d0f586febf127ec0ab4da3

SHA512
b5291688b273726b9bc875cfd0b66387ff38fc58c7247b448b88a6d8e6c62057a22db910b1f65bffd14e9979c7433965ed8ab80d383f51bca47dec767077272a

Download Submit
memory/728-73-0x0000000074440000-0x0000000074488000-memory.dmp

Filesize
288KB

Download
memory/728-70-0x0000000074440000-0x0000000074488000-memory.dmp

Filesize
288KB

Download
memory/728-71-0x0000000074440000-0x0000000074488000-memory.dmp

Filesize
288KB

Download
memory/1348-61-0x00000000004E0000-0x0000000000528000-memory.dmp

Filesize
288KB

Download
memory/1348-76-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1348-60-0x00000000004E0000-0x0000000000528000-memory.dmp

Filesize
288KB

Download
memory/1348-54-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1560-58-0x0000000000130000-0x0000000000178000-memory.dmp

Filesize
288KB

Download
memory/1560-74-0x0000000000130000-0x0000000000178000-memory.dmp

Filesize
288KB

Download
memory/1560-66-0x0000000076FE0000-0x0000000077040000-memory.dmp

Filesize
384KB

Download
memory/1560-75-0x0000000076FE0000-0x0000000077040000-memory.dmp

Filesize
384KB

Download
memory/1560-57-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1560-65-0x0000000001E50000-0x0000000005E50000-memory.dmp

Filesize
64.0MB

Download
memory/1560-59-0x0000000000130000-0x0000000000178000-memory.dmp

Filesize
288KB

Download
memory/1560-62-0x0000000000130000-0x0000000000178000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing