95eaafa26ae21c92f63c9f66830cce858ad8fbe7b8b478d8610daee9374263eb

General

Target

95eaafa26ae21c92f63c9f66830cce858ad8fbe7b8b478d8610daee9374263eb.exe
Size

364KB
MD5

21f030eefb0158d3de466add41b079f0
SHA1

66027fe39fb8ce3dd3bd9741bbe94e1cf8da3abd
SHA256

95eaafa26ae21c92f63c9f66830cce858ad8fbe7b8b478d8610daee9374263eb
SHA512

a5c181b3ea812ba9b30d173f058803156558321b828aac63d60a7d72497c458656d668b2280619f9e806621b26a39fefc4a6adee944d332f70a547627b7b5ffe
SSDEEP

6144:lg/+W4OT+uv6p9TOq9OrVXl7HWrE+icB8aa36OCwb7eEk8vEE+MzU3:i/gOT+uv6p9TOjXVHGbKaW60b7eX8vE

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	aspack_v212_v242
behavioral1/files/0x000c0000000054a8-59.dat	aspack_v212_v242
behavioral1/files/0x00090000000122d1-60.dat	aspack_v212_v242
behavioral1/files/0x00090000000122cf-66.dat	aspack_v212_v242
behavioral1/files/0x00090000000122cf-67.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2004	008933be.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	008933be.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	upx
behavioral1/memory/2004-57-0x0000000001190000-0x00000000011D9000-memory.dmp	upx
behavioral1/memory/2004-58-0x0000000001190000-0x00000000011D9000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-59.dat	upx
behavioral1/files/0x00090000000122d1-60.dat	upx
behavioral1/memory/2004-63-0x0000000001190000-0x00000000011D9000-memory.dmp	upx
behavioral1/files/0x00090000000122cf-66.dat	upx
behavioral1/files/0x00090000000122cf-67.dat	upx
behavioral1/memory/1496-70-0x0000000074920000-0x0000000074969000-memory.dmp	upx
behavioral1/memory/1496-69-0x0000000074920000-0x0000000074969000-memory.dmp	upx
behavioral1/memory/1496-72-0x0000000074920000-0x0000000074969000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
2004	008933be.exe
1496	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	008933be.exe
File opened for modification	C:\Windows\SysWOW64\6E82055C.tmp	008933be.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2004	008933be.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2004	1280	95eaafa26ae21c92f63c9f66830cce858ad8fbe7b8b478d8610daee9374263eb.exe	28
PID 1280 wrote to memory of 2004	1280	95eaafa26ae21c92f63c9f66830cce858ad8fbe7b8b478d8610daee9374263eb.exe	28
PID 1280 wrote to memory of 2004	1280	95eaafa26ae21c92f63c9f66830cce858ad8fbe7b8b478d8610daee9374263eb.exe	28
PID 1280 wrote to memory of 2004	1280	95eaafa26ae21c92f63c9f66830cce858ad8fbe7b8b478d8610daee9374263eb.exe	28

C:\Users\Admin\AppData\Local\Temp\95eaafa26ae21c92f63c9f66830cce858ad8fbe7b8b478d8610daee9374263eb.exe
"C:\Users\Admin\AppData\Local\Temp\95eaafa26ae21c92f63c9f66830cce858ad8fbe7b8b478d8610daee9374263eb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1280
- C:\008933be.exe
  C:\008933be.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2004

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\008933be.exe

Filesize
226KB

MD5
b89a8b5b672cc9470e058f8028d70316

SHA1
3fc47d2bcdd3cd3eff279a4bd457d0c3cc58d627

SHA256
7d39afce4f0c0e439cb10d7b0913032cfbbc9c461e568220722e74c1f0886455

SHA512
88d2c3868dfaaf71d4d78717f25b7c748bb57e6a76e48a4a2c4112e719ebd891f5dc4f07e040b67c5b3ae03a725abef3e1a8aee8e728b29715f09876535876aa

Download Submit
C:\008933be.exe

Filesize
226KB

MD5
b89a8b5b672cc9470e058f8028d70316

SHA1
3fc47d2bcdd3cd3eff279a4bd457d0c3cc58d627

SHA256
7d39afce4f0c0e439cb10d7b0913032cfbbc9c461e568220722e74c1f0886455

SHA512
88d2c3868dfaaf71d4d78717f25b7c748bb57e6a76e48a4a2c4112e719ebd891f5dc4f07e040b67c5b3ae03a725abef3e1a8aee8e728b29715f09876535876aa

Download Submit
C:\Users\Infotmp.txt

Filesize
724B

MD5
9583a73030337f10400c340faa398941

SHA1
a7b6781c03a1779016b3bb4223124ab532720748

SHA256
4a04b833a79407ca30de04663c5d852c081249bb1942b99e482fd80e77d446ca

SHA512
8730f60478302f3fc9f6667edb274ce37842a87a394574eedfea136694504ad262e851643ceb69a37c16ea6d35f85cd2701cf2d3231d4b7bdcbbf2479fbcee86

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
226KB

MD5
24c3b2b23542e55178241879b6176c30

SHA1
2dd3f93dc322cc46b824ecc65266a848bc5ea441

SHA256
a275eb81fd5d5634f66b07a18b7929c23fc7ba48ebe134272664b13f0e828c9c

SHA512
2d4b433bc4c0602715e6c6d5fd9aaeb25c9e2892ac5780ffc47810f6df9fa228d0f46d6f1647bf8ab4df6e0371f5e08ff7d2b8b42fe67f7ec7a164be223b2062

Download Submit
\Windows\SysWOW64\6E82055C.tmp

Filesize
226KB

MD5
24c3b2b23542e55178241879b6176c30

SHA1
2dd3f93dc322cc46b824ecc65266a848bc5ea441

SHA256
a275eb81fd5d5634f66b07a18b7929c23fc7ba48ebe134272664b13f0e828c9c

SHA512
2d4b433bc4c0602715e6c6d5fd9aaeb25c9e2892ac5780ffc47810f6df9fa228d0f46d6f1647bf8ab4df6e0371f5e08ff7d2b8b42fe67f7ec7a164be223b2062

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
226KB

MD5
24c3b2b23542e55178241879b6176c30

SHA1
2dd3f93dc322cc46b824ecc65266a848bc5ea441

SHA256
a275eb81fd5d5634f66b07a18b7929c23fc7ba48ebe134272664b13f0e828c9c

SHA512
2d4b433bc4c0602715e6c6d5fd9aaeb25c9e2892ac5780ffc47810f6df9fa228d0f46d6f1647bf8ab4df6e0371f5e08ff7d2b8b42fe67f7ec7a164be223b2062

Download Submit
memory/1280-75-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/1280-74-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1280-61-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1280-62-0x0000000000180000-0x00000000001C9000-memory.dmp

Filesize
292KB

Download
memory/1496-69-0x0000000074920000-0x0000000074969000-memory.dmp

Filesize
292KB

Download
memory/1496-70-0x0000000074920000-0x0000000074969000-memory.dmp

Filesize
292KB

Download
memory/1496-72-0x0000000074920000-0x0000000074969000-memory.dmp

Filesize
292KB

Download
memory/2004-65-0x0000000075310000-0x0000000075370000-memory.dmp

Filesize
384KB

Download
memory/2004-64-0x00000000025E0000-0x00000000065E0000-memory.dmp

Filesize
64.0MB

Download
memory/2004-63-0x0000000001190000-0x00000000011D9000-memory.dmp

Filesize
292KB

Download
memory/2004-54-0x0000000000000000-mapping.dmp

Download
memory/2004-58-0x0000000001190000-0x00000000011D9000-memory.dmp

Filesize
292KB

Download
memory/2004-73-0x0000000075310000-0x0000000075370000-memory.dmp

Filesize
384KB

Download
memory/2004-56-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/2004-57-0x0000000001190000-0x00000000011D9000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing