eadb874ad5c60d75be1f7338a3ae2b235654427bae966fa75ce7d14e8c19813c

Analysis

max time kernel
43s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eadb874ad5c60d75be1f7338a3ae2b235654427bae966fa75ce7d14e8c19813c.exe
Size

131KB
MD5

457354cae8acc12ae71b7e19010d26e9
SHA1

4c4e185b7a1e20e4bfe38bf6971974aa710eba24
SHA256

eadb874ad5c60d75be1f7338a3ae2b235654427bae966fa75ce7d14e8c19813c
SHA512

e6e603054bf96ea9e3a1f0a155da92ab312b9c3796d6c8be4b7e178e7c02592cc1d522268fd29380eed8da3a19f7768166ad71df371dc0df76d7e3f17674622d
SSDEEP

3072:/AmLy0wUNGbU7Y2xBRYEmq9TMLRuRSWjbdCi:hBeC9TMtuRRxR

Score

8^/10

persistence upx

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	eadb874ad5c60d75be1f7338a3ae2b235654427bae966fa75ce7d14e8c19813c.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012318-55.dat	upx
behavioral1/memory/1500-56-0x0000000000830000-0x0000000000854000-memory.dmp	upx
behavioral1/files/0x000a000000012304-59.dat	upx
behavioral1/files/0x000a000000012304-60.dat	upx
behavioral1/memory/572-63-0x0000000074AF0000-0x0000000074B14000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1500	eadb874ad5c60d75be1f7338a3ae2b235654427bae966fa75ce7d14e8c19813c.exe
572	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\35D40540.tmp	eadb874ad5c60d75be1f7338a3ae2b235654427bae966fa75ce7d14e8c19813c.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	eadb874ad5c60d75be1f7338a3ae2b235654427bae966fa75ce7d14e8c19813c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1500	eadb874ad5c60d75be1f7338a3ae2b235654427bae966fa75ce7d14e8c19813c.exe

C:\Users\Admin\AppData\Local\Temp\eadb874ad5c60d75be1f7338a3ae2b235654427bae966fa75ce7d14e8c19813c.exe
"C:\Users\Admin\AppData\Local\Temp\eadb874ad5c60d75be1f7338a3ae2b235654427bae966fa75ce7d14e8c19813c.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1500

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Infotmp.txt

Filesize
720B

MD5
5c12dd5d0a86285ae720220157b15abd

SHA1
7db9fe6595e734f67716c035c1dfdc03a15d9e90

SHA256
470dd613eaa9c253611c1562eb198743346c41da9a5a9a488d99909effb40cdc

SHA512
c05279ea18468018064d4acd7fe60d6354cc8c5a7df8c56ea6207e9684ae94eaf8123313eafeb7412820267d887b1b1878bd5406cd15348a5e416df0f211cd90

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
131KB

MD5
e65a60219e9c64253794f51c97850ef8

SHA1
502f60766e8b4de8f7e6f01fca29292bea6babeb

SHA256
3b38d8636bb8a48e4c9cd103f959ac4555e3e1762100827e4e6c70e63fe9f849

SHA512
f1394507022b0de5c8c934b76127306fd3bdf0b65abc273a1e6a29714f8f1dc1379faec02f6b838282fdc82d9b9b6b728692ae3f1e466db8e903cdb133e88132

Download Submit
\Windows\SysWOW64\35D40540.tmp

Filesize
131KB

MD5
e65a60219e9c64253794f51c97850ef8

SHA1
502f60766e8b4de8f7e6f01fca29292bea6babeb

SHA256
3b38d8636bb8a48e4c9cd103f959ac4555e3e1762100827e4e6c70e63fe9f849

SHA512
f1394507022b0de5c8c934b76127306fd3bdf0b65abc273a1e6a29714f8f1dc1379faec02f6b838282fdc82d9b9b6b728692ae3f1e466db8e903cdb133e88132

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
131KB

MD5
e65a60219e9c64253794f51c97850ef8

SHA1
502f60766e8b4de8f7e6f01fca29292bea6babeb

SHA256
3b38d8636bb8a48e4c9cd103f959ac4555e3e1762100827e4e6c70e63fe9f849

SHA512
f1394507022b0de5c8c934b76127306fd3bdf0b65abc273a1e6a29714f8f1dc1379faec02f6b838282fdc82d9b9b6b728692ae3f1e466db8e903cdb133e88132

Download Submit
memory/572-63-0x0000000074AF0000-0x0000000074B14000-memory.dmp

Filesize
144KB

Download
memory/1500-54-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1500-56-0x0000000000830000-0x0000000000854000-memory.dmp

Filesize
144KB

Download
memory/1500-57-0x0000000001FE0000-0x0000000005FE0000-memory.dmp

Filesize
64.0MB

Download
memory/1500-58-0x0000000076C60000-0x0000000076CC0000-memory.dmp

Filesize
384KB

Download
memory/1500-64-0x0000000076C60000-0x0000000076CC0000-memory.dmp

Filesize
384KB

Download