8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2

General

Target

8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe
Size

120KB
MD5

539b667fdc30a84b5fa4718975e2f8e0
SHA1

3534a3b541aa9a6cdb53dfd9796a80193ce71da5
SHA256

8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2
SHA512

63618e8d3721e53597bca42737a1aff38928916ed243ed3e937c163d812a3ca2fd14f930810975320f1096a25c6c6f4e226d70de1aeffa9b72a08870ce9c902c
SSDEEP

1536:QMASiLNFZdO/Dx2/gc8LeSGH0Nl+Ca3mXiP7dix8mSB4k/U3MCa7gvc+tmccWwL:Q3vO/DxaeLFNlfbiP78x8Nqp3MCaoVk

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\0aa44db8.exe	aspack_v212_v242
C:\0aa44db8.exe	aspack_v212_v242
\Windows\SysWOW64\008F04FC.tmp	aspack_v212_v242
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll	aspack_v212_v242
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

0aa44db8.exe

pid process

1020 0aa44db8.exe

pid	process
1020	0aa44db8.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0aa44db8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	0aa44db8.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\0aa44db8.exe	upx
behavioral1/memory/1020-61-0x0000000001260000-0x0000000001284000-memory.dmp	upx
C:\0aa44db8.exe	upx
behavioral1/memory/1020-64-0x0000000001260000-0x0000000001284000-memory.dmp	upx
behavioral1/memory/1020-65-0x0000000001260000-0x0000000001284000-memory.dmp	upx
\Windows\SysWOW64\008F04FC.tmp	upx
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll	upx
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	upx
behavioral1/memory/1816-75-0x0000000074750000-0x0000000074774000-memory.dmp	upx
behavioral1/memory/1816-76-0x0000000074750000-0x0000000074774000-memory.dmp	upx
behavioral1/memory/1816-78-0x0000000074750000-0x0000000074774000-memory.dmp	upx
behavioral1/memory/1020-80-0x0000000001260000-0x0000000001284000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

0aa44db8.exesvchost.exe

pid process

1020 0aa44db8.exe
1816 svchost.exe

pid	process
1020	0aa44db8.exe
1816	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

0aa44db8.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\008F04FC.tmp	0aa44db8.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	0aa44db8.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0aa44db8.exe

pid process

1020 0aa44db8.exe

pid	process
1020	0aa44db8.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe

description	pid	process	target process
PID 1484 wrote to memory of 1020	1484	8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe	0aa44db8.exe
PID 1484 wrote to memory of 1020	1484	8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe	0aa44db8.exe
PID 1484 wrote to memory of 1020	1484	8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe	0aa44db8.exe
PID 1484 wrote to memory of 1020	1484	8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe	0aa44db8.exe
PID 1484 wrote to memory of 1020	1484	8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe	0aa44db8.exe
PID 1484 wrote to memory of 1020	1484	8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe	0aa44db8.exe
PID 1484 wrote to memory of 1020	1484	8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe	0aa44db8.exe

C:\Users\Admin\AppData\Local\Temp\8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe
"C:\Users\Admin\AppData\Local\Temp\8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\0aa44db8.exe
C:\0aa44db8.exe
2⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1816

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0aa44db8.exe
Filesize
87KB

MD5
1f6dc40c89b720ee26c6fe2313a9fcb1

SHA1
ad3905ded6f0c32c452ecdbdd9fca0f7921f6199

SHA256
1382c98619f1a41f057d605f745a6860da67e0995d2a952f1179e07d5eec49a5

SHA512
b245cbf1ce783b6507a776b0be68a468343ad558f147e74b9e91cbb7abee5a4e416e99a97e31bccc8f33677d30238bef05a6874c0b598833307111b2ad16fd2f

Download Submit
C:\0aa44db8.exe
Filesize
87KB

MD5
1f6dc40c89b720ee26c6fe2313a9fcb1

SHA1
ad3905ded6f0c32c452ecdbdd9fca0f7921f6199

SHA256
1382c98619f1a41f057d605f745a6860da67e0995d2a952f1179e07d5eec49a5

SHA512
b245cbf1ce783b6507a776b0be68a468343ad558f147e74b9e91cbb7abee5a4e416e99a97e31bccc8f33677d30238bef05a6874c0b598833307111b2ad16fd2f

Download Submit
C:\Users\Infotmp.txt
Filesize
460B

MD5
dee89f16ee556cc26ea6675eccc957f2

SHA1
c6e5beda718a0f5d75ceeb65f3febdda910c4c21

SHA256
787ae0677566402ca78f414116df4e5089fb5fb88bade4e395d06252f77aad3a

SHA512
4249c16e84d8c87e30be1b329f374d6b946d9bc9b8a81b6a4f20b6323577c0d8f78d8252d9cf8c67e5f9a5704cf57b8e59502f547774a31995a6d41b09a118ad

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll
Filesize
87KB

MD5
01045c4a0bef0c7975314ef21e194aae

SHA1
a825e4bfdb23a14e946769e1ed524426170813be

SHA256
6e2cc98528de2bd8a8b358600bfea57f009dde4ee59e321d58881e7b3cb85b07

SHA512
a8253f16e5ccc6e7f657349c7b5d1fabf85982a519b4c100da9fcabb9beed01ab1d9a6650716fe248155dd5965dcd32c8309e82b2312dedfcc9714dbfbf0f662

Download Submit
\Windows\SysWOW64\008F04FC.tmp
Filesize
87KB

MD5
01045c4a0bef0c7975314ef21e194aae

SHA1
a825e4bfdb23a14e946769e1ed524426170813be

SHA256
6e2cc98528de2bd8a8b358600bfea57f009dde4ee59e321d58881e7b3cb85b07

SHA512
a8253f16e5ccc6e7f657349c7b5d1fabf85982a519b4c100da9fcabb9beed01ab1d9a6650716fe248155dd5965dcd32c8309e82b2312dedfcc9714dbfbf0f662

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll
Filesize
87KB

MD5
01045c4a0bef0c7975314ef21e194aae

SHA1
a825e4bfdb23a14e946769e1ed524426170813be

SHA256
6e2cc98528de2bd8a8b358600bfea57f009dde4ee59e321d58881e7b3cb85b07

SHA512
a8253f16e5ccc6e7f657349c7b5d1fabf85982a519b4c100da9fcabb9beed01ab1d9a6650716fe248155dd5965dcd32c8309e82b2312dedfcc9714dbfbf0f662

Download Submit
memory/1020-67-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/1020-55-0x0000000000000000-mapping.dmp

Download
memory/1020-81-0x00000000000C0000-0x00000000000CD000-memory.dmp

Filesize
52KB

Download
memory/1020-64-0x0000000001260000-0x0000000001284000-memory.dmp

Filesize
144KB

Download
memory/1020-65-0x0000000001260000-0x0000000001284000-memory.dmp

Filesize
144KB

Download
memory/1020-80-0x0000000001260000-0x0000000001284000-memory.dmp

Filesize
144KB

Download
memory/1020-79-0x0000000076180000-0x00000000761E0000-memory.dmp

Filesize
384KB

Download
memory/1020-68-0x0000000002690000-0x0000000006690000-memory.dmp

Filesize
64.0MB

Download
memory/1020-69-0x0000000076180000-0x00000000761E0000-memory.dmp

Filesize
384KB

Download
memory/1020-61-0x0000000001260000-0x0000000001284000-memory.dmp

Filesize
144KB

Download
memory/1020-71-0x0000000002690000-0x0000000006690000-memory.dmp

Filesize
64.0MB

Download
memory/1484-70-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download
memory/1484-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1484-58-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download
memory/1484-54-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/1484-59-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download
memory/1484-60-0x0000000000180000-0x00000000001A4000-memory.dmp

Filesize
144KB

Download
memory/1816-75-0x0000000074750000-0x0000000074774000-memory.dmp

Filesize
144KB

Download
memory/1816-76-0x0000000074750000-0x0000000074774000-memory.dmp

Filesize
144KB

Download
memory/1816-78-0x0000000074750000-0x0000000074774000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads