8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2

General

Target

8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe
Size

120KB
MD5

539b667fdc30a84b5fa4718975e2f8e0
SHA1

3534a3b541aa9a6cdb53dfd9796a80193ce71da5
SHA256

8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2
SHA512

63618e8d3721e53597bca42737a1aff38928916ed243ed3e937c163d812a3ca2fd14f930810975320f1096a25c6c6f4e226d70de1aeffa9b72a08870ce9c902c
SSDEEP

1536:QMASiLNFZdO/Dx2/gc8LeSGH0Nl+Ca3mXiP7dix8mSB4k/U3MCa7gvc+tmccWwL:Q3vO/DxaeLFNlfbiP78x8Nqp3MCaoVk

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\0aa44db8.exe	aspack_v212_v242
C:\0aa44db8.exe	aspack_v212_v242
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll	aspack_v212_v242
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

0aa44db8.exe

pid process

3640 0aa44db8.exe

pid	process
3640	0aa44db8.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0aa44db8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	0aa44db8.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\0aa44db8.exe	upx
C:\0aa44db8.exe	upx
behavioral2/memory/3640-136-0x0000000000D30000-0x0000000000D54000-memory.dmp	upx
behavioral2/memory/3640-137-0x0000000000D30000-0x0000000000D54000-memory.dmp	upx
behavioral2/memory/3640-138-0x0000000000D30000-0x0000000000D54000-memory.dmp	upx
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll	upx
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	upx
behavioral2/memory/4616-142-0x0000000075AE0000-0x0000000075B04000-memory.dmp	upx
behavioral2/memory/4616-143-0x0000000075AE0000-0x0000000075B04000-memory.dmp	upx
behavioral2/memory/4616-146-0x0000000075AE0000-0x0000000075B04000-memory.dmp	upx
behavioral2/memory/3640-145-0x0000000000D30000-0x0000000000D54000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

4616 svchost.exe

pid	process
4616	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

0aa44db8.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	0aa44db8.exe
File opened for modification	C:\Windows\SysWOW64\5E670308.tmp	0aa44db8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0aa44db8.exe

pid process

3640 0aa44db8.exe
3640 0aa44db8.exe

pid	process
3640	0aa44db8.exe
3640	0aa44db8.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe

description	pid	process	target process
PID 2960 wrote to memory of 3640	2960	8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe	0aa44db8.exe
PID 2960 wrote to memory of 3640	2960	8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe	0aa44db8.exe
PID 2960 wrote to memory of 3640	2960	8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe	0aa44db8.exe

C:\Users\Admin\AppData\Local\Temp\8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe
"C:\Users\Admin\AppData\Local\Temp\8e149f0ec186810a2157c1648e041aeb86aec589af0185ff2bc3e7a2263f26d2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\0aa44db8.exe
C:\0aa44db8.exe
2⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3640

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:4616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0aa44db8.exe
Filesize
87KB

MD5
1f6dc40c89b720ee26c6fe2313a9fcb1

SHA1
ad3905ded6f0c32c452ecdbdd9fca0f7921f6199

SHA256
1382c98619f1a41f057d605f745a6860da67e0995d2a952f1179e07d5eec49a5

SHA512
b245cbf1ce783b6507a776b0be68a468343ad558f147e74b9e91cbb7abee5a4e416e99a97e31bccc8f33677d30238bef05a6874c0b598833307111b2ad16fd2f

Download Submit
C:\0aa44db8.exe
Filesize
87KB

MD5
1f6dc40c89b720ee26c6fe2313a9fcb1

SHA1
ad3905ded6f0c32c452ecdbdd9fca0f7921f6199

SHA256
1382c98619f1a41f057d605f745a6860da67e0995d2a952f1179e07d5eec49a5

SHA512
b245cbf1ce783b6507a776b0be68a468343ad558f147e74b9e91cbb7abee5a4e416e99a97e31bccc8f33677d30238bef05a6874c0b598833307111b2ad16fd2f

Download Submit
C:\Users\Infotmp.txt
Filesize
460B

MD5
f1e32587c46c1c4530c75fba4b4f4a4c

SHA1
adefc0a5f1641dd3561eca2dde4224caad7c5cf7

SHA256
d7b38ecadb0378907558faa498b5c82494fba9e5b620a0d7f21e3669997d4a27

SHA512
e2b304b21a083afdf570c88eabc60d96fee013370842626bad051a90defe799ee77b957b0a4103a78155151a8370fc1e43d3292025c67a2465ad4a75933a28d3

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll
Filesize
87KB

MD5
01045c4a0bef0c7975314ef21e194aae

SHA1
a825e4bfdb23a14e946769e1ed524426170813be

SHA256
6e2cc98528de2bd8a8b358600bfea57f009dde4ee59e321d58881e7b3cb85b07

SHA512
a8253f16e5ccc6e7f657349c7b5d1fabf85982a519b4c100da9fcabb9beed01ab1d9a6650716fe248155dd5965dcd32c8309e82b2312dedfcc9714dbfbf0f662

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll
Filesize
87KB

MD5
01045c4a0bef0c7975314ef21e194aae

SHA1
a825e4bfdb23a14e946769e1ed524426170813be

SHA256
6e2cc98528de2bd8a8b358600bfea57f009dde4ee59e321d58881e7b3cb85b07

SHA512
a8253f16e5ccc6e7f657349c7b5d1fabf85982a519b4c100da9fcabb9beed01ab1d9a6650716fe248155dd5965dcd32c8309e82b2312dedfcc9714dbfbf0f662

Download Submit
memory/2960-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3640-138-0x0000000000D30000-0x0000000000D54000-memory.dmp

Filesize
144KB

Download
memory/3640-139-0x0000000002F10000-0x0000000006F10000-memory.dmp

Filesize
64.0MB

Download
memory/3640-137-0x0000000000D30000-0x0000000000D54000-memory.dmp

Filesize
144KB

Download
memory/3640-136-0x0000000000D30000-0x0000000000D54000-memory.dmp

Filesize
144KB

Download
memory/3640-132-0x0000000000000000-mapping.dmp

Download
memory/3640-145-0x0000000000D30000-0x0000000000D54000-memory.dmp

Filesize
144KB

Download
memory/4616-142-0x0000000075AE0000-0x0000000075B04000-memory.dmp

Filesize
144KB

Download
memory/4616-143-0x0000000075AE0000-0x0000000075B04000-memory.dmp

Filesize
144KB

Download
memory/4616-146-0x0000000075AE0000-0x0000000075B04000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads