7ed6a448d0dfb0257f4edb80393d25c771302157280d5895ed5df7b7584709ae

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	643201ca1a12ab1b96b3ad5ed440f3cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Reg Services = "C:\\Windows\\system32\\ffservice.exe"	643201ca1a12ab1b96b3ad5ed440f3cb.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{a75aed00-d7bf-11d1-9947-00c0Cf98bbc9}\StubPath = "C:\\Windows\\system32\\lservice.exe"	643201ca1a12ab1b96b3ad5ed440f3cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{a75aed00-d7bf-11d1-9947-00c0Cf98bbc9}	643201ca1a12ab1b96b3ad5ed440f3cb.exe

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/memory/2172-0-0x0000000000400000-0x0000000000413000-memory.dmp	aspack_v212_v242
behavioral1/files/0x0031000000016caa-5.dat	aspack_v212_v242
behavioral1/memory/2172-11-0x00000000003A0000-0x00000000003B3000-memory.dmp	aspack_v212_v242
behavioral1/memory/2172-18-0x0000000000400000-0x0000000000413000-memory.dmp	aspack_v212_v242
behavioral1/memory/3032-19-0x0000000000400000-0x0000000000413000-memory.dmp	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
3032	wservice.exe

Loads dropped DLL 2 IoCs

pid	Process
2172	643201ca1a12ab1b96b3ad5ed440f3cb.exe
2172	643201ca1a12ab1b96b3ad5ed440f3cb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Reg Services = "C:\\Windows\\system32\\ffservice.exe"	643201ca1a12ab1b96b3ad5ed440f3cb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Reg Services = "C:\\Windows\\system32\\ffservice.exe"	643201ca1a12ab1b96b3ad5ed440f3cb.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wservice.exe	643201ca1a12ab1b96b3ad5ed440f3cb.exe
File created	C:\Windows\SysWOW64\lservice.exe	643201ca1a12ab1b96b3ad5ed440f3cb.exe
File opened for modification	C:\Windows\SysWOW64\lservice.exe	643201ca1a12ab1b96b3ad5ed440f3cb.exe
File created	C:\Windows\SysWOW64\ffservice.exe	643201ca1a12ab1b96b3ad5ed440f3cb.exe
File opened for modification	C:\Windows\SysWOW64\ffservice.exe	643201ca1a12ab1b96b3ad5ed440f3cb.exe
File created	C:\Windows\SysWOW64\wservice.exe	643201ca1a12ab1b96b3ad5ed440f3cb.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2172	643201ca1a12ab1b96b3ad5ed440f3cb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3032	2172	643201ca1a12ab1b96b3ad5ed440f3cb.exe	28
PID 2172 wrote to memory of 3032	2172	643201ca1a12ab1b96b3ad5ed440f3cb.exe	28
PID 2172 wrote to memory of 3032	2172	643201ca1a12ab1b96b3ad5ed440f3cb.exe	28
PID 2172 wrote to memory of 3032	2172	643201ca1a12ab1b96b3ad5ed440f3cb.exe	28

C:\Users\Admin\AppData\Local\Temp\643201ca1a12ab1b96b3ad5ed440f3cb.exe
"C:\Users\Admin\AppData\Local\Temp\643201ca1a12ab1b96b3ad5ed440f3cb.exe"
1⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\wservice.exe
  C:\Windows\system32\wservice.exe -s
  2⤵
  - Executes dropped EXE
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry