c0e415b1d15ac0b514be803c1e43c85dc650124a05d7ccc463cc9dd475c7c80c

General

Target

c0e415b1d15ac0b514be803c1e43c85dc650124a05d7ccc463cc9dd475c7c80c.exe
Size

224KB
MD5

903a2aeada691ec02f533e4e1b2b120a
SHA1

50babdd09a4b1ed077ca532a4bda641ae5b9d3b8
SHA256

c0e415b1d15ac0b514be803c1e43c85dc650124a05d7ccc463cc9dd475c7c80c
SHA512

2cb8772599afe3a82f23c5c4fa741511c1153a80dd8efeeef88c0b6de3006e9a0b444aa76dbd57060c5c638817911ba5576ee43e14a6ceb535ba1f4816fbac44
SSDEEP

6144:sriIXJz6FHoOrVXl7HWrE+icB8aa36OCwb7eEk8vEE+M1e9:XIZzmjXVHGbKaW60b7eX8vE

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000013aad-58.dat	aspack_v212_v242
behavioral1/files/0x0009000000013922-62.dat	aspack_v212_v242
behavioral1/files/0x0009000000013922-63.dat	aspack_v212_v242

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	c0e415b1d15ac0b514be803c1e43c85dc650124a05d7ccc463cc9dd475c7c80c.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/364-55-0x00000000001B0000-0x00000000001F8000-memory.dmp	upx
behavioral1/memory/364-56-0x00000000001B0000-0x00000000001F8000-memory.dmp	upx
behavioral1/memory/364-57-0x00000000001B0000-0x00000000001F8000-memory.dmp	upx
behavioral1/files/0x0008000000013aad-58.dat	upx
behavioral1/files/0x0009000000013922-62.dat	upx
behavioral1/files/0x0009000000013922-63.dat	upx
behavioral1/memory/1860-65-0x0000000074B20000-0x0000000074B68000-memory.dmp	upx
behavioral1/memory/1860-66-0x0000000074B20000-0x0000000074B68000-memory.dmp	upx
behavioral1/memory/1860-69-0x0000000074B20000-0x0000000074B68000-memory.dmp	upx
behavioral1/memory/364-68-0x00000000001B0000-0x00000000001F8000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
364	c0e415b1d15ac0b514be803c1e43c85dc650124a05d7ccc463cc9dd475c7c80c.exe
1860	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	c0e415b1d15ac0b514be803c1e43c85dc650124a05d7ccc463cc9dd475c7c80c.exe
File opened for modification	C:\Windows\SysWOW64\2C4A054C.tmp	c0e415b1d15ac0b514be803c1e43c85dc650124a05d7ccc463cc9dd475c7c80c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
364	c0e415b1d15ac0b514be803c1e43c85dc650124a05d7ccc463cc9dd475c7c80c.exe

C:\Users\Admin\AppData\Local\Temp\c0e415b1d15ac0b514be803c1e43c85dc650124a05d7ccc463cc9dd475c7c80c.exe
"C:\Users\Admin\AppData\Local\Temp\c0e415b1d15ac0b514be803c1e43c85dc650124a05d7ccc463cc9dd475c7c80c.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:364

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Infotmp.txt

Filesize
724B

MD5
b5413494bca58f576f989746a450ed41

SHA1
e1829e329725768802a545ff91e4723219f0e039

SHA256
3b5f859e39a5ee38aeaf1092abfae4a2c994f06ab6d15968fdba141fbf3cb3ee

SHA512
a10d762d064be23f3d1d44945380c23456355adbb01bb54dfeba87963c24a71af81661481632b953d6d905b7cf57063136460715b2cf961e4c8f7097239ab592

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
224KB

MD5
7e84e98a76b80ff951166059f976e62a

SHA1
6335f7a855f218561530fded8f7f8cef2b4ab9b1

SHA256
aea27ffd55fe32089c2d88d98d21d784831c341f7eda79bf628575029e2b5415

SHA512
057708f5b7a99d73b40771f7adb3b6fd873cd47ba4eb13d10b5907d2464432a54cb7f70525b055cba2568318cebf073ea08c1e162334dff7d5a995d0ce8823d1

Download Submit
\Windows\SysWOW64\2C4A054C.tmp

Filesize
224KB

MD5
7e84e98a76b80ff951166059f976e62a

SHA1
6335f7a855f218561530fded8f7f8cef2b4ab9b1

SHA256
aea27ffd55fe32089c2d88d98d21d784831c341f7eda79bf628575029e2b5415

SHA512
057708f5b7a99d73b40771f7adb3b6fd873cd47ba4eb13d10b5907d2464432a54cb7f70525b055cba2568318cebf073ea08c1e162334dff7d5a995d0ce8823d1

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
224KB

MD5
7e84e98a76b80ff951166059f976e62a

SHA1
6335f7a855f218561530fded8f7f8cef2b4ab9b1

SHA256
aea27ffd55fe32089c2d88d98d21d784831c341f7eda79bf628575029e2b5415

SHA512
057708f5b7a99d73b40771f7adb3b6fd873cd47ba4eb13d10b5907d2464432a54cb7f70525b055cba2568318cebf073ea08c1e162334dff7d5a995d0ce8823d1

Download Submit
memory/364-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/364-59-0x0000000001E10000-0x0000000005E10000-memory.dmp

Filesize
64.0MB

Download
memory/364-60-0x0000000076010000-0x0000000076070000-memory.dmp

Filesize
384KB

Download
memory/364-56-0x00000000001B0000-0x00000000001F8000-memory.dmp

Filesize
288KB

Download
memory/364-61-0x0000000074B20000-0x0000000074B68000-memory.dmp

Filesize
288KB

Download
memory/364-57-0x00000000001B0000-0x00000000001F8000-memory.dmp

Filesize
288KB

Download
memory/364-55-0x00000000001B0000-0x00000000001F8000-memory.dmp

Filesize
288KB

Download
memory/364-68-0x00000000001B0000-0x00000000001F8000-memory.dmp

Filesize
288KB

Download
memory/364-70-0x0000000076010000-0x0000000076070000-memory.dmp

Filesize
384KB

Download
memory/1860-66-0x0000000074B20000-0x0000000074B68000-memory.dmp

Filesize
288KB

Download
memory/1860-65-0x0000000074B20000-0x0000000074B68000-memory.dmp

Filesize
288KB

Download
memory/1860-69-0x0000000074B20000-0x0000000074B68000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing