aa7a6630002e2c4f5eba2c6979df8b18b29c76b9bddcf852491259867011c7ec

General

Target

aa7a6630002e2c4f5eba2c6979df8b18b29c76b9bddcf852491259867011c7ec.exe
Size

116KB
MD5

cb539cb4c764b85dcfcf601f0771c9b0
SHA1

fd8987c4b046c27d2ebc5210205091a773511c94
SHA256

aa7a6630002e2c4f5eba2c6979df8b18b29c76b9bddcf852491259867011c7ec
SHA512

6f372b15be2d5a9953f1e666f20c49eb3e2cd08e77583214f1bcd6614b84b464f37ae73d3ddfd1ac8692b8c79d1cdd174c96c90b6f4133978adfa603b3467a2c
SSDEEP

3072:Q3vO/o6pD5wHG+3NTEtjhvse14NocXr3hH:ivAp+m+3SRhvsekJzh

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b0000000122f0-56.dat	aspack_v212_v242
behavioral1/files/0x000b0000000122f0-58.dat	aspack_v212_v242
behavioral1/files/0x00080000000122f8-65.dat	aspack_v212_v242
behavioral1/files/0x00090000000122f5-70.dat	aspack_v212_v242
behavioral1/files/0x00090000000122f5-69.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1516	17f65b10.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	17f65b10.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000122f0-56.dat	upx
behavioral1/files/0x000b0000000122f0-58.dat	upx
behavioral1/memory/1516-59-0x0000000001140000-0x0000000001164000-memory.dmp	upx
behavioral1/memory/1516-60-0x0000000001140000-0x0000000001164000-memory.dmp	upx
behavioral1/memory/1516-64-0x0000000001140000-0x0000000001164000-memory.dmp	upx
behavioral1/files/0x00080000000122f8-65.dat	upx
behavioral1/files/0x00090000000122f5-70.dat	upx
behavioral1/files/0x00090000000122f5-69.dat	upx
behavioral1/memory/680-72-0x0000000074E90000-0x0000000074EB4000-memory.dmp	upx
behavioral1/memory/680-73-0x0000000074E90000-0x0000000074EB4000-memory.dmp	upx
behavioral1/memory/680-75-0x0000000074E90000-0x0000000074EB4000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1516	17f65b10.exe
680	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\26B904F8.tmp	17f65b10.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	17f65b10.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1516	17f65b10.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1516	1620	aa7a6630002e2c4f5eba2c6979df8b18b29c76b9bddcf852491259867011c7ec.exe	28
PID 1620 wrote to memory of 1516	1620	aa7a6630002e2c4f5eba2c6979df8b18b29c76b9bddcf852491259867011c7ec.exe	28
PID 1620 wrote to memory of 1516	1620	aa7a6630002e2c4f5eba2c6979df8b18b29c76b9bddcf852491259867011c7ec.exe	28
PID 1620 wrote to memory of 1516	1620	aa7a6630002e2c4f5eba2c6979df8b18b29c76b9bddcf852491259867011c7ec.exe	28
PID 1620 wrote to memory of 1516	1620	aa7a6630002e2c4f5eba2c6979df8b18b29c76b9bddcf852491259867011c7ec.exe	28
PID 1620 wrote to memory of 1516	1620	aa7a6630002e2c4f5eba2c6979df8b18b29c76b9bddcf852491259867011c7ec.exe	28
PID 1620 wrote to memory of 1516	1620	aa7a6630002e2c4f5eba2c6979df8b18b29c76b9bddcf852491259867011c7ec.exe	28

C:\Users\Admin\AppData\Local\Temp\aa7a6630002e2c4f5eba2c6979df8b18b29c76b9bddcf852491259867011c7ec.exe
"C:\Users\Admin\AppData\Local\Temp\aa7a6630002e2c4f5eba2c6979df8b18b29c76b9bddcf852491259867011c7ec.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\17f65b10.exe
  C:\17f65b10.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1516

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\17f65b10.exe

Filesize
80KB

MD5
fdb7dc60ac5e81267e7540adb23bc463

SHA1
eb3d3fb86b9bc15c541e183d9f061c70e8a1f3a9

SHA256
677a42497a103e535b2dbf5c376c4e0ff444eaadc9cb31d41f0926df5d44995e

SHA512
242e80e3ec1c45104868fba0259837ef059c90bd1454bdaa21d3cab5241639758e9f4b1f3fa452643f59a84eb849c6790b5abf726fc5fa524c5b410a945aef10

Download Submit
C:\17f65b10.exe

Filesize
80KB

MD5
fdb7dc60ac5e81267e7540adb23bc463

SHA1
eb3d3fb86b9bc15c541e183d9f061c70e8a1f3a9

SHA256
677a42497a103e535b2dbf5c376c4e0ff444eaadc9cb31d41f0926df5d44995e

SHA512
242e80e3ec1c45104868fba0259837ef059c90bd1454bdaa21d3cab5241639758e9f4b1f3fa452643f59a84eb849c6790b5abf726fc5fa524c5b410a945aef10

Download Submit
C:\Users\Infotmp.txt

Filesize
720B

MD5
7eeb3b6e3fdbbd8444f385925686c995

SHA1
0593cdd12f0eaee4f4f18d0d6957c5acacad074d

SHA256
dc6df1b518a948274385e2b4fe5f210edd60da09372451579afec7caf2ddec34

SHA512
4adecc619eccbd8fe988d4564d43319d5f2774f19039d31629557740f365e0c79c0e7d9fd37ff941d5d4772e4c950b80ee856d27760112346010883d7b3312fa

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
80KB

MD5
f92f274dbf12151c255de99395d7a308

SHA1
2ccaf0f081096d51a3d7aa7ed03e8b39126bca39

SHA256
3b9d679a8c004e28cb8365604074bae2020f77250f6a20105ea89115e29b23a4

SHA512
f9ff07f53957068bf4ed07df98451ba6f2a3cafd1ddb33e5fb4ef9ce4a22e9224f13373a685b8c36b179886e81b158f0e00e65cd109cd927c94afe2661a7d7ae

Download Submit
\Windows\SysWOW64\26B904F8.tmp

Filesize
80KB

MD5
f92f274dbf12151c255de99395d7a308

SHA1
2ccaf0f081096d51a3d7aa7ed03e8b39126bca39

SHA256
3b9d679a8c004e28cb8365604074bae2020f77250f6a20105ea89115e29b23a4

SHA512
f9ff07f53957068bf4ed07df98451ba6f2a3cafd1ddb33e5fb4ef9ce4a22e9224f13373a685b8c36b179886e81b158f0e00e65cd109cd927c94afe2661a7d7ae

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
80KB

MD5
f92f274dbf12151c255de99395d7a308

SHA1
2ccaf0f081096d51a3d7aa7ed03e8b39126bca39

SHA256
3b9d679a8c004e28cb8365604074bae2020f77250f6a20105ea89115e29b23a4

SHA512
f9ff07f53957068bf4ed07df98451ba6f2a3cafd1ddb33e5fb4ef9ce4a22e9224f13373a685b8c36b179886e81b158f0e00e65cd109cd927c94afe2661a7d7ae

Download Submit
memory/680-75-0x0000000074E90000-0x0000000074EB4000-memory.dmp

Filesize
144KB

Download
memory/680-73-0x0000000074E90000-0x0000000074EB4000-memory.dmp

Filesize
144KB

Download
memory/680-72-0x0000000074E90000-0x0000000074EB4000-memory.dmp

Filesize
144KB

Download
memory/1516-66-0x0000000002570000-0x0000000006570000-memory.dmp

Filesize
64.0MB

Download
memory/1516-67-0x0000000075AB0000-0x0000000075B10000-memory.dmp

Filesize
384KB

Download
memory/1516-68-0x0000000002570000-0x0000000006570000-memory.dmp

Filesize
64.0MB

Download
memory/1516-59-0x0000000001140000-0x0000000001164000-memory.dmp

Filesize
144KB

Download
memory/1516-64-0x0000000001140000-0x0000000001164000-memory.dmp

Filesize
144KB

Download
memory/1516-60-0x0000000001140000-0x0000000001164000-memory.dmp

Filesize
144KB

Download
memory/1516-76-0x0000000075AB0000-0x0000000075B10000-memory.dmp

Filesize
384KB

Download
memory/1620-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1620-63-0x0000000000180000-0x00000000001A4000-memory.dmp

Filesize
144KB

Download
memory/1620-62-0x0000000000020000-0x000000000003D000-memory.dmp

Filesize
116KB

Download
memory/1620-61-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing