ac54f880c52452a9defe3bf76fbe6e0f8c4e19d4118df667a9b1a4fd6873cc2f

General

Target

ac54f880c52452a9defe3bf76fbe6e0f8c4e19d4118df667a9b1a4fd6873cc2f.exe
Size

258KB
MD5

9fe0a7b2b91bb533e97522c2ed49de25
SHA1

c8b50d4a5898ba52b673d3307a12b3ca0380ec80
SHA256

ac54f880c52452a9defe3bf76fbe6e0f8c4e19d4118df667a9b1a4fd6873cc2f
SHA512

fe798afad422c76b180cbf7434ba16d24d848b76353ad2d36d48660d8f8d6382eb48d59028c62f928460e1ed63e755a7970c31509fead4efc23addb07b041322
SSDEEP

6144:vYNKyTM5nSOEt5zpaiRhcuGE07v6+uMHWzIH:GTQ3wNxRhTKj6oHZ

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\6fd826f8.exe	aspack_v212_v242
C:\6fd826f8.exe	aspack_v212_v242
\Windows\SysWOW64\35F104C0.tmp	aspack_v212_v242
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll	aspack_v212_v242
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

6fd826f8.exe

pid process

1728 6fd826f8.exe

pid	process
1728	6fd826f8.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6fd826f8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	6fd826f8.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\6fd826f8.exe	upx
behavioral1/memory/1728-58-0x00000000000C0000-0x0000000000107000-memory.dmp	upx
behavioral1/memory/1728-59-0x00000000000C0000-0x0000000000107000-memory.dmp	upx
C:\6fd826f8.exe	upx
\Windows\SysWOW64\35F104C0.tmp	upx
behavioral1/memory/1728-64-0x00000000000C0000-0x0000000000107000-memory.dmp	upx
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll	upx
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	upx
behavioral1/memory/1708-73-0x0000000074C70000-0x0000000074CB7000-memory.dmp	upx
behavioral1/memory/1708-72-0x0000000074C70000-0x0000000074CB7000-memory.dmp	upx
behavioral1/memory/1708-77-0x0000000074C70000-0x0000000074CB7000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

6fd826f8.exeSvchost.exe

pid process

1728 6fd826f8.exe
1708 Svchost.exe

pid	process
1728	6fd826f8.exe
1708	Svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

6fd826f8.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\35F104C0.tmp	6fd826f8.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	6fd826f8.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6fd826f8.exe

pid process

1728 6fd826f8.exe

pid	process
1728	6fd826f8.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ac54f880c52452a9defe3bf76fbe6e0f8c4e19d4118df667a9b1a4fd6873cc2f.exe

description	pid	process	target process
PID 1848 wrote to memory of 1728	1848	ac54f880c52452a9defe3bf76fbe6e0f8c4e19d4118df667a9b1a4fd6873cc2f.exe	6fd826f8.exe
PID 1848 wrote to memory of 1728	1848	ac54f880c52452a9defe3bf76fbe6e0f8c4e19d4118df667a9b1a4fd6873cc2f.exe	6fd826f8.exe
PID 1848 wrote to memory of 1728	1848	ac54f880c52452a9defe3bf76fbe6e0f8c4e19d4118df667a9b1a4fd6873cc2f.exe	6fd826f8.exe
PID 1848 wrote to memory of 1728	1848	ac54f880c52452a9defe3bf76fbe6e0f8c4e19d4118df667a9b1a4fd6873cc2f.exe	6fd826f8.exe

C:\Users\Admin\AppData\Local\Temp\ac54f880c52452a9defe3bf76fbe6e0f8c4e19d4118df667a9b1a4fd6873cc2f.exe
"C:\Users\Admin\AppData\Local\Temp\ac54f880c52452a9defe3bf76fbe6e0f8c4e19d4118df667a9b1a4fd6873cc2f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\6fd826f8.exe
C:\6fd826f8.exe
2⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\6fd826f8.exe
Filesize
221KB

MD5
b3d1699bac5f4682cda6ca7676f8d333

SHA1
009fae507bc8b45b2a6e4f6e3753f60c96d3d692

SHA256
62e55bf4c88ceb6ca6ac53a2b3be0144c8939b4d576676f00182ef8bd5117218

SHA512
1a22e86d20b3f0cdae51bdef481caf3c83d1c5650c8566efef0bee941b5c4ddaf9d73d60b615de381c7d2e68a96cb118112898afb111ac41b68380a8ecffd571

Download Submit
C:\6fd826f8.exe
Filesize
221KB

MD5
b3d1699bac5f4682cda6ca7676f8d333

SHA1
009fae507bc8b45b2a6e4f6e3753f60c96d3d692

SHA256
62e55bf4c88ceb6ca6ac53a2b3be0144c8939b4d576676f00182ef8bd5117218

SHA512
1a22e86d20b3f0cdae51bdef481caf3c83d1c5650c8566efef0bee941b5c4ddaf9d73d60b615de381c7d2e68a96cb118112898afb111ac41b68380a8ecffd571

Download Submit
C:\Users\Infotmp.txt
Filesize
724B

MD5
259b0f0c604df7babdd3f77933354e02

SHA1
549af48b6679da18a2735015d9ddccc791b62e65

SHA256
4d345365c563e313d779a141652c6934267fd8dcfbc8bd026d53cdccbe127041

SHA512
9c79591fe0f8fae1acf194b5b359ad6e440454d20c97d4c31988776119cc210578ccc0e6f3a96ac856c4fc1cef1b17494f158abd66e7d249a09b8bf4952f3d6c

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll
Filesize
221KB

MD5
0669d63a75b1858b346fc2e650ab3e48

SHA1
52529e1ebebdd2d3c447f6044f64639e517d9ef4

SHA256
e74d7fd196f966eb88d82c5396181e0c7e159080a173bc69d207ee3a24d4728e

SHA512
af0d747f01a91a09f21e4b68258f6f285fd502f2b021dc25574a343a20f3a1abd0b1a86129385a4d9eada81808ea32ed9718c606ad002721a1b96b31c38a39c8

Download Submit
\Windows\SysWOW64\35F104C0.tmp
Filesize
221KB

MD5
0669d63a75b1858b346fc2e650ab3e48

SHA1
52529e1ebebdd2d3c447f6044f64639e517d9ef4

SHA256
e74d7fd196f966eb88d82c5396181e0c7e159080a173bc69d207ee3a24d4728e

SHA512
af0d747f01a91a09f21e4b68258f6f285fd502f2b021dc25574a343a20f3a1abd0b1a86129385a4d9eada81808ea32ed9718c606ad002721a1b96b31c38a39c8

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll
Filesize
221KB

MD5
0669d63a75b1858b346fc2e650ab3e48

SHA1
52529e1ebebdd2d3c447f6044f64639e517d9ef4

SHA256
e74d7fd196f966eb88d82c5396181e0c7e159080a173bc69d207ee3a24d4728e

SHA512
af0d747f01a91a09f21e4b68258f6f285fd502f2b021dc25574a343a20f3a1abd0b1a86129385a4d9eada81808ea32ed9718c606ad002721a1b96b31c38a39c8

Download Submit
memory/1708-73-0x0000000074C70000-0x0000000074CB7000-memory.dmp

Filesize
284KB

Download
memory/1708-77-0x0000000074C70000-0x0000000074CB7000-memory.dmp

Filesize
284KB

Download
memory/1708-72-0x0000000074C70000-0x0000000074CB7000-memory.dmp

Filesize
284KB

Download
memory/1728-58-0x00000000000C0000-0x0000000000107000-memory.dmp

Filesize
284KB

Download
memory/1728-65-0x00000000020B0000-0x00000000060B0000-memory.dmp

Filesize
64.0MB

Download
memory/1728-66-0x0000000075E30000-0x0000000075E90000-memory.dmp

Filesize
384KB

Download
memory/1728-67-0x0000000074C80000-0x0000000074CC7000-memory.dmp

Filesize
284KB

Download
memory/1728-68-0x00000000020B0000-0x00000000060B0000-memory.dmp

Filesize
64.0MB

Download
memory/1728-59-0x00000000000C0000-0x0000000000107000-memory.dmp

Filesize
284KB

Download
memory/1728-64-0x00000000000C0000-0x0000000000107000-memory.dmp

Filesize
284KB

Download
memory/1728-55-0x0000000000000000-mapping.dmp

Download
memory/1728-76-0x0000000075E30000-0x0000000075E90000-memory.dmp

Filesize
384KB

Download
memory/1848-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1848-63-0x0000000000390000-0x00000000003D7000-memory.dmp

Filesize
284KB

Download
memory/1848-62-0x0000000000A80000-0x0000000000AC4000-memory.dmp

Filesize
272KB

Download
memory/1848-75-0x0000000000A80000-0x0000000000AC4000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads