1a5e8d79270112482106b5fb05fffa0e3c698e7824aa55eb7234362846cd7384

General

Target

NEAS.a171f5dba798998c17c7e3b32e03bc20.exe
Size

172KB
MD5

a171f5dba798998c17c7e3b32e03bc20
SHA1

a70fcb0aa70deab6e38ccc153016096cfa855cbe
SHA256

1a5e8d79270112482106b5fb05fffa0e3c698e7824aa55eb7234362846cd7384
SHA512

7789da87b352f0cdfb69eb178b23c02ec7f7871d4435550471f1ebfb3dd0fcdcb6f4b17d7864e5119182a52d72fa2fe347db76663d4a23b0f0f97b580b7f74e6
SSDEEP

3072:sNf3wRqQxKvxnsRcaCBL7TURxZPQeQ6DHtsamoBz:8PeyxTVTOZPQRIHrmoB

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	1ec01f74.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000a0000000231e5-3.dat	aspack_v212_v242
behavioral2/files/0x000a0000000231e5-4.dat	aspack_v212_v242
behavioral2/files/0x0007000000023208-14.dat	aspack_v212_v242
behavioral2/files/0x0007000000023208-15.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
400	1ec01f74.exe

Loads dropped DLL 1 IoCs

pid	Process
4940	Svchost.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a0000000231e5-3.dat	upx
behavioral2/memory/400-5-0x0000000000BB0000-0x0000000000BD4000-memory.dmp	upx
behavioral2/files/0x000a0000000231e5-4.dat	upx
behavioral2/memory/400-6-0x0000000000BB0000-0x0000000000BD4000-memory.dmp	upx
behavioral2/memory/400-7-0x0000000000BB0000-0x0000000000BD4000-memory.dmp	upx
behavioral2/files/0x0007000000023208-14.dat	upx
behavioral2/files/0x0007000000023208-15.dat	upx
behavioral2/memory/4940-17-0x0000000074D80000-0x0000000074DA4000-memory.dmp	upx
behavioral2/memory/4940-18-0x0000000074D80000-0x0000000074DA4000-memory.dmp	upx
behavioral2/memory/4940-21-0x0000000074D80000-0x0000000074DA4000-memory.dmp	upx
behavioral2/memory/400-20-0x0000000000BB0000-0x0000000000BD4000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\7A5C0A4C.tmp	1ec01f74.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	1ec01f74.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
400	1ec01f74.exe
400	1ec01f74.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4488	NEAS.a171f5dba798998c17c7e3b32e03bc20.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4488	NEAS.a171f5dba798998c17c7e3b32e03bc20.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 400	4488	NEAS.a171f5dba798998c17c7e3b32e03bc20.exe	86
PID 4488 wrote to memory of 400	4488	NEAS.a171f5dba798998c17c7e3b32e03bc20.exe	86
PID 4488 wrote to memory of 400	4488	NEAS.a171f5dba798998c17c7e3b32e03bc20.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.a171f5dba798998c17c7e3b32e03bc20.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a171f5dba798998c17c7e3b32e03bc20.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4488
- C:\1ec01f74.exe
  C:\1ec01f74.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:400

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1ec01f74.exe

Filesize
81KB

MD5
9df97113d4fb0462ca99208668d6102a

SHA1
2b769b8615735bea0592c73b16ebab7baeedca98

SHA256
9b0fa329aa52f505162bcaeb1bb3ca4ecb1543ec4a9640d7fe8f9fab7668d974

SHA512
c2b9b619f608ec561a81fc5532a47d876f3a4b092babe8d2524c7055ba922f3d85ca9932698b692850d767884e0cdebce39838b5fea9cb6177645c5bb6867a6a

Download Submit
C:\1ec01f74.exe

Filesize
81KB

MD5
9df97113d4fb0462ca99208668d6102a

SHA1
2b769b8615735bea0592c73b16ebab7baeedca98

SHA256
9b0fa329aa52f505162bcaeb1bb3ca4ecb1543ec4a9640d7fe8f9fab7668d974

SHA512
c2b9b619f608ec561a81fc5532a47d876f3a4b092babe8d2524c7055ba922f3d85ca9932698b692850d767884e0cdebce39838b5fea9cb6177645c5bb6867a6a

Download Submit
C:\Users\Infotmp.txt

Filesize
720B

MD5
c9cb558e70134be9aa37dd218aed3e4c

SHA1
78607d4b46bb9dba61c591c8b09591e281ca1731

SHA256
5d4338c23d16ca91ac3918d853ed97e415191ecb708a5ccc5352867baaae06a7

SHA512
60fc7047b11364c28cb75ea0ea333241490ca1b09d35ad70525339f30b1ac5394a9636f3efb5464531ceed165dae32cee3628b7eab3abddc95403c99ffedb7b7

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
81KB

MD5
85b9df4b276647aa1170e21b5ce580a5

SHA1
081d4d7f83660724cbe256401870d7a2310bda12

SHA256
3b282419c0747296c11ea4ba8b92b775378fdb553e60900b61c8902864e7efeb

SHA512
ab0d70323bc470f2620659fa9a790ff1bc21cbbca6a642880414bea303c53feaee8743526005d43ce136ce7812c4cd1f26a843bd9be822341f98d39dc37b20f5

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
81KB

MD5
85b9df4b276647aa1170e21b5ce580a5

SHA1
081d4d7f83660724cbe256401870d7a2310bda12

SHA256
3b282419c0747296c11ea4ba8b92b775378fdb553e60900b61c8902864e7efeb

SHA512
ab0d70323bc470f2620659fa9a790ff1bc21cbbca6a642880414bea303c53feaee8743526005d43ce136ce7812c4cd1f26a843bd9be822341f98d39dc37b20f5

Download Submit
memory/400-7-0x0000000000BB0000-0x0000000000BD4000-memory.dmp

Filesize
144KB

Download
memory/400-10-0x0000000077232000-0x0000000077233000-memory.dmp

Filesize
4KB

Download
memory/400-12-0x0000000075580000-0x00000000755A5000-memory.dmp

Filesize
148KB

Download
memory/400-6-0x0000000000BB0000-0x0000000000BD4000-memory.dmp

Filesize
144KB

Download
memory/400-5-0x0000000000BB0000-0x0000000000BD4000-memory.dmp

Filesize
144KB

Download
memory/400-20-0x0000000000BB0000-0x0000000000BD4000-memory.dmp

Filesize
144KB

Download
memory/400-22-0x0000000075580000-0x00000000755A5000-memory.dmp

Filesize
148KB

Download
memory/4488-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4488-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4940-17-0x0000000074D80000-0x0000000074DA4000-memory.dmp

Filesize
144KB

Download
memory/4940-18-0x0000000074D80000-0x0000000074DA4000-memory.dmp

Filesize
144KB

Download
memory/4940-21-0x0000000074D80000-0x0000000074DA4000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads