1a5e8d79270112482106b5fb05fffa0e3c698e7824aa55eb7234362846cd7384

General

Target

NEAS.a171f5dba798998c17c7e3b32e03bc20.exe
Size

172KB
MD5

a171f5dba798998c17c7e3b32e03bc20
SHA1

a70fcb0aa70deab6e38ccc153016096cfa855cbe
SHA256

1a5e8d79270112482106b5fb05fffa0e3c698e7824aa55eb7234362846cd7384
SHA512

7789da87b352f0cdfb69eb178b23c02ec7f7871d4435550471f1ebfb3dd0fcdcb6f4b17d7864e5119182a52d72fa2fe347db76663d4a23b0f0f97b580b7f74e6
SSDEEP

3072:sNf3wRqQxKvxnsRcaCBL7TURxZPQeQ6DHtsamoBz:8PeyxTVTOZPQRIHrmoB

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	1ec01f74.exe

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b000000012283-6.dat	aspack_v212_v242
behavioral1/files/0x000b000000012283-8.dat	aspack_v212_v242
behavioral1/files/0x000b000000012283-13.dat	aspack_v212_v242
behavioral1/files/0x0018000000016c13-18.dat	aspack_v212_v242
behavioral1/files/0x0009000000016c76-23.dat	aspack_v212_v242
behavioral1/files/0x0009000000016c76-24.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2988	1ec01f74.exe

Loads dropped DLL 2 IoCs

pid	Process
2988	1ec01f74.exe
2592	Svchost.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2824-3-0x0000000000160000-0x0000000000184000-memory.dmp	upx
behavioral1/files/0x000b000000012283-6.dat	upx
behavioral1/files/0x000b000000012283-8.dat	upx
behavioral1/memory/2988-9-0x00000000009A0000-0x00000000009C4000-memory.dmp	upx
behavioral1/memory/2988-11-0x00000000009A0000-0x00000000009C4000-memory.dmp	upx
behavioral1/memory/2988-10-0x00000000009A0000-0x00000000009C4000-memory.dmp	upx
behavioral1/files/0x000b000000012283-13.dat	upx
behavioral1/files/0x0018000000016c13-18.dat	upx
behavioral1/memory/2988-21-0x00000000009A0000-0x00000000009C4000-memory.dmp	upx
behavioral1/files/0x0009000000016c76-23.dat	upx
behavioral1/files/0x0009000000016c76-24.dat	upx
behavioral1/memory/2592-26-0x0000000074A60000-0x0000000074A84000-memory.dmp	upx
behavioral1/memory/2592-28-0x0000000074A60000-0x0000000074A84000-memory.dmp	upx
behavioral1/memory/2592-30-0x0000000074A60000-0x0000000074A84000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\733304A4.tmp	1ec01f74.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	1ec01f74.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2988	1ec01f74.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2824	NEAS.a171f5dba798998c17c7e3b32e03bc20.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2824	NEAS.a171f5dba798998c17c7e3b32e03bc20.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2988	2824	NEAS.a171f5dba798998c17c7e3b32e03bc20.exe	28
PID 2824 wrote to memory of 2988	2824	NEAS.a171f5dba798998c17c7e3b32e03bc20.exe	28
PID 2824 wrote to memory of 2988	2824	NEAS.a171f5dba798998c17c7e3b32e03bc20.exe	28
PID 2824 wrote to memory of 2988	2824	NEAS.a171f5dba798998c17c7e3b32e03bc20.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.a171f5dba798998c17c7e3b32e03bc20.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a171f5dba798998c17c7e3b32e03bc20.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2824
- C:\1ec01f74.exe
  C:\1ec01f74.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2988

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1ec01f74.exe

Filesize
81KB

MD5
9df97113d4fb0462ca99208668d6102a

SHA1
2b769b8615735bea0592c73b16ebab7baeedca98

SHA256
9b0fa329aa52f505162bcaeb1bb3ca4ecb1543ec4a9640d7fe8f9fab7668d974

SHA512
c2b9b619f608ec561a81fc5532a47d876f3a4b092babe8d2524c7055ba922f3d85ca9932698b692850d767884e0cdebce39838b5fea9cb6177645c5bb6867a6a

Download Submit
C:\1ec01f74.exe

Filesize
81KB

MD5
9df97113d4fb0462ca99208668d6102a

SHA1
2b769b8615735bea0592c73b16ebab7baeedca98

SHA256
9b0fa329aa52f505162bcaeb1bb3ca4ecb1543ec4a9640d7fe8f9fab7668d974

SHA512
c2b9b619f608ec561a81fc5532a47d876f3a4b092babe8d2524c7055ba922f3d85ca9932698b692850d767884e0cdebce39838b5fea9cb6177645c5bb6867a6a

Download Submit
C:\1ec01f74.exe

Filesize
81KB

MD5
9df97113d4fb0462ca99208668d6102a

SHA1
2b769b8615735bea0592c73b16ebab7baeedca98

SHA256
9b0fa329aa52f505162bcaeb1bb3ca4ecb1543ec4a9640d7fe8f9fab7668d974

SHA512
c2b9b619f608ec561a81fc5532a47d876f3a4b092babe8d2524c7055ba922f3d85ca9932698b692850d767884e0cdebce39838b5fea9cb6177645c5bb6867a6a

Download Submit
C:\Users\Infotmp.txt

Filesize
720B

MD5
32c5426034640e5e2a9c5242b0f91d1a

SHA1
d3a36389bf9934ac0d568bea09de8df904f337e7

SHA256
968e4be7a43f4043fc35f2381b69e2de209bf53e8ea6977552541f80e43dd079

SHA512
2e2f00f0f5bd3b978ad88e1ee8a49747e3dd2a35c29aa9f68e8259ecce05b7344c1a8bf73d31a6464537b10aa30c9d6bb3851c8be9362d70a896c313da2cdc70

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
81KB

MD5
85b9df4b276647aa1170e21b5ce580a5

SHA1
081d4d7f83660724cbe256401870d7a2310bda12

SHA256
3b282419c0747296c11ea4ba8b92b775378fdb553e60900b61c8902864e7efeb

SHA512
ab0d70323bc470f2620659fa9a790ff1bc21cbbca6a642880414bea303c53feaee8743526005d43ce136ce7812c4cd1f26a843bd9be822341f98d39dc37b20f5

Download Submit
\Windows\SysWOW64\733304A4.tmp

Filesize
81KB

MD5
85b9df4b276647aa1170e21b5ce580a5

SHA1
081d4d7f83660724cbe256401870d7a2310bda12

SHA256
3b282419c0747296c11ea4ba8b92b775378fdb553e60900b61c8902864e7efeb

SHA512
ab0d70323bc470f2620659fa9a790ff1bc21cbbca6a642880414bea303c53feaee8743526005d43ce136ce7812c4cd1f26a843bd9be822341f98d39dc37b20f5

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
81KB

MD5
85b9df4b276647aa1170e21b5ce580a5

SHA1
081d4d7f83660724cbe256401870d7a2310bda12

SHA256
3b282419c0747296c11ea4ba8b92b775378fdb553e60900b61c8902864e7efeb

SHA512
ab0d70323bc470f2620659fa9a790ff1bc21cbbca6a642880414bea303c53feaee8743526005d43ce136ce7812c4cd1f26a843bd9be822341f98d39dc37b20f5

Download Submit
memory/2592-30-0x0000000074A60000-0x0000000074A84000-memory.dmp

Filesize
144KB

Download
memory/2592-28-0x0000000074A60000-0x0000000074A84000-memory.dmp

Filesize
144KB

Download
memory/2592-26-0x0000000074A60000-0x0000000074A84000-memory.dmp

Filesize
144KB

Download
memory/2824-7-0x0000000000160000-0x0000000000184000-memory.dmp

Filesize
144KB

Download
memory/2824-33-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2824-15-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2824-3-0x0000000000160000-0x0000000000184000-memory.dmp

Filesize
144KB

Download
memory/2824-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2988-16-0x00000000773CF000-0x00000000773D0000-memory.dmp

Filesize
4KB

Download
memory/2988-21-0x00000000009A0000-0x00000000009C4000-memory.dmp

Filesize
144KB

Download
memory/2988-20-0x0000000074A60000-0x0000000074A84000-memory.dmp

Filesize
144KB

Download
memory/2988-17-0x00000000751B0000-0x0000000075210000-memory.dmp

Filesize
384KB

Download
memory/2988-11-0x00000000009A0000-0x00000000009C4000-memory.dmp

Filesize
144KB

Download
memory/2988-25-0x00000000773CF000-0x00000000773D0000-memory.dmp

Filesize
4KB

Download
memory/2988-9-0x00000000009A0000-0x00000000009C4000-memory.dmp

Filesize
144KB

Download
memory/2988-32-0x00000000751B0000-0x0000000075210000-memory.dmp

Filesize
384KB

Download
memory/2988-10-0x00000000009A0000-0x00000000009C4000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads