17240c11b5d3a7e72a83e17700991de77a9e80c17245f12935ad7185ae035bff

General

Target

77d2dac8adc2170b5dbb6cb81da39484.exe
Size

624KB
MD5

77d2dac8adc2170b5dbb6cb81da39484
SHA1

4dcbcb676a3941fd5c712289d61f5d24c0a540b3
SHA256

17240c11b5d3a7e72a83e17700991de77a9e80c17245f12935ad7185ae035bff
SHA512

53e8f9c3dc53da6e8683df568a0c7290f56c0c1acd75bf82ad8ccc5aec3fda279846f4d786711b4e2941f41d71aad7adf48cee0e6a1efb3083ac122f57497bc2
SSDEEP

12288:aRF6tTn/4hkFS8l8UprDFxQtfQe1FgXAtfND9wPGNh5:xtT/4mgu5CtfPFgXifNDWPu

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	21.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000015608-32.dat	aspack_v212_v242
behavioral1/files/0x000a000000014615-28.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
2896	21.exe
2704	QvodSetup5.exe

Loads dropped DLL 8 IoCs

pid	Process
1948	77d2dac8adc2170b5dbb6cb81da39484.exe
1948	77d2dac8adc2170b5dbb6cb81da39484.exe
1948	77d2dac8adc2170b5dbb6cb81da39484.exe
2704	QvodSetup5.exe
2704	QvodSetup5.exe
2704	QvodSetup5.exe
2896	21.exe
2776	Svchost.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000015608-32.dat	upx
behavioral1/files/0x000a000000014615-28.dat	upx
behavioral1/files/0x0036000000014ad2-24.dat	upx
behavioral1/memory/2896-18-0x0000000000330000-0x0000000000357000-memory.dmp	upx
behavioral1/memory/2896-16-0x0000000000330000-0x0000000000357000-memory.dmp	upx
behavioral1/memory/2896-15-0x0000000000330000-0x0000000000357000-memory.dmp	upx
behavioral1/memory/2776-39-0x0000000073D10000-0x0000000073D37000-memory.dmp	upx
behavioral1/memory/2776-40-0x0000000073D10000-0x0000000073D37000-memory.dmp	upx
behavioral1/memory/2776-42-0x0000000073D10000-0x0000000073D37000-memory.dmp	upx
behavioral1/memory/2896-43-0x0000000000330000-0x0000000000357000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	21.exe
File opened for modification	C:\Windows\SysWOW64\41C004C4.tmp	21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1948	77d2dac8adc2170b5dbb6cb81da39484.exe
2896	21.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2704	QvodSetup5.exe
2704	QvodSetup5.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2704	QvodSetup5.exe
2704	QvodSetup5.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2896	1948	77d2dac8adc2170b5dbb6cb81da39484.exe	2
PID 1948 wrote to memory of 2896	1948	77d2dac8adc2170b5dbb6cb81da39484.exe	2
PID 1948 wrote to memory of 2896	1948	77d2dac8adc2170b5dbb6cb81da39484.exe	2
PID 1948 wrote to memory of 2896	1948	77d2dac8adc2170b5dbb6cb81da39484.exe	2
PID 1948 wrote to memory of 2704	1948	77d2dac8adc2170b5dbb6cb81da39484.exe	1
PID 1948 wrote to memory of 2704	1948	77d2dac8adc2170b5dbb6cb81da39484.exe	1
PID 1948 wrote to memory of 2704	1948	77d2dac8adc2170b5dbb6cb81da39484.exe	1
PID 1948 wrote to memory of 2704	1948	77d2dac8adc2170b5dbb6cb81da39484.exe	1
PID 1948 wrote to memory of 2704	1948	77d2dac8adc2170b5dbb6cb81da39484.exe	1
PID 1948 wrote to memory of 2704	1948	77d2dac8adc2170b5dbb6cb81da39484.exe	1
PID 1948 wrote to memory of 2704	1948	77d2dac8adc2170b5dbb6cb81da39484.exe	1

C:\Users\Admin\AppData\Local\Temp\Temp\QvodSetup5.exe
"C:\Users\Admin\AppData\Local\Temp\Temp\QvodSetup5.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2704

C:\Users\Admin\AppData\Local\Temp\Temp\21.exe
"C:\Users\Admin\AppData\Local\Temp\Temp\21.exe"
1⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2896

C:\Users\Admin\AppData\Local\Temp\77d2dac8adc2170b5dbb6cb81da39484.exe
"C:\Users\Admin\AppData\Local\Temp\77d2dac8adc2170b5dbb6cb81da39484.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\21.exe

Filesize
84KB

MD5
253f2fde80632a83581804a7b738657f

SHA1
412a963725ba924c310b5775698b372c6f0cfaaf

SHA256
310b8d3c80bc61371837c57c00a74cd263263f0f519faa713154e0da454dd88d

SHA512
62750357b04c25dda8a9a6d99ee885d6316691ad67e108093b524edc98b612a207ce9be92136c08a550073171590d97f646be868a10f42f744a56e4e0fff3327

Download Submit
C:\Users\Infotmp.txt

Filesize
724B

MD5
929cf32f2fabfeda68f01488848dec0e

SHA1
3b1b74a4a4cd367f7622e374f5fe0a9f73cbcf88

SHA256
010dd4b6e4cc0a875820a8cd168c5088cc78ac21cbdc3914bb03fc689e5b7118

SHA512
0b7e6c61b161cc752b49f35d0b7f2aee51c8d25fea13f0b9d03f0dc76b52a24f70e4f49865939bcb1e745a36d3d36d8238a2d77a57816cb30916d70ffa37ce7e

Download Submit
\Users\Admin\AppData\Local\Temp\Temp\QvodSetup5.exe

Filesize
520KB

MD5
93e466074cb7d1833dd8f8f37dd85aed

SHA1
c573a442d165bac4bfd5b15d4e1e88060c916fb5

SHA256
b2da1f5a555d7e7f6d787e729628e95c858cc6112a5073680062f3b066352e28

SHA512
d3b1a121658cefa0ab19e9bc13e430b877f697622c1c3ac392b5040bc7687a292e0097ec4d8c32cef4834bdd452cd8f9997ede9cbd1cd252dc24af92898e592b

Download Submit
\Windows\SysWOW64\41C004C4.tmp

Filesize
84KB

MD5
e5e4662d1ffb37f096d5d1200f989023

SHA1
da32d3a6867e42c3e03f5b20c4479d1b96920a88

SHA256
4c6f69d3188dddae6726596b4769344f57a024529311eb7d27898203a7aa9cdd

SHA512
d9889e26843d787615515148f7b85877c5b33cd8b65bd16ba6ce953aa9aaa540201e37e08e16d1176a09d75a33bdc169f0d2610b45f9120394823be4a7664472

Download Submit
memory/1948-12-0x0000000002290000-0x00000000022B7000-memory.dmp

Filesize
156KB

Download
memory/1948-10-0x0000000002290000-0x00000000022B7000-memory.dmp

Filesize
156KB

Download
memory/2776-40-0x0000000073D10000-0x0000000073D37000-memory.dmp

Filesize
156KB

Download
memory/2776-39-0x0000000073D10000-0x0000000073D37000-memory.dmp

Filesize
156KB

Download
memory/2776-42-0x0000000073D10000-0x0000000073D37000-memory.dmp

Filesize
156KB

Download
memory/2896-15-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download
memory/2896-16-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download
memory/2896-43-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download
memory/2896-18-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download
memory/2896-44-0x0000000076600000-0x0000000076660000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads