17240c11b5d3a7e72a83e17700991de77a9e80c17245f12935ad7185ae035bff

General

Target

77d2dac8adc2170b5dbb6cb81da39484.exe
Size

624KB
MD5

77d2dac8adc2170b5dbb6cb81da39484
SHA1

4dcbcb676a3941fd5c712289d61f5d24c0a540b3
SHA256

17240c11b5d3a7e72a83e17700991de77a9e80c17245f12935ad7185ae035bff
SHA512

53e8f9c3dc53da6e8683df568a0c7290f56c0c1acd75bf82ad8ccc5aec3fda279846f4d786711b4e2941f41d71aad7adf48cee0e6a1efb3083ac122f57497bc2
SSDEEP

12288:aRF6tTn/4hkFS8l8UprDFxQtfQe1FgXAtfND9wPGNh5:xtT/4mgu5CtfPFgXifNDWPu

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	21.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000023214-5.dat	aspack_v212_v242
behavioral2/files/0x0003000000022765-37.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	77d2dac8adc2170b5dbb6cb81da39484.exe

Executes dropped EXE 2 IoCs

pid	Process
4528	21.exe
3260	QvodSetup5.exe

Loads dropped DLL 1 IoCs

pid	Process
3040	Svchost.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023214-5.dat	upx
behavioral2/memory/4528-11-0x0000000000450000-0x0000000000477000-memory.dmp	upx
behavioral2/files/0x0006000000023215-13.dat	upx
behavioral2/memory/4528-21-0x0000000000450000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/3260-22-0x0000000000400000-0x00000000004E3000-memory.dmp	upx
behavioral2/memory/4528-17-0x0000000000450000-0x0000000000477000-memory.dmp	upx
behavioral2/files/0x0003000000022765-37.dat	upx
behavioral2/memory/3040-40-0x0000000074640000-0x0000000074667000-memory.dmp	upx
behavioral2/memory/3040-39-0x0000000074640000-0x0000000074667000-memory.dmp	upx
behavioral2/memory/3040-41-0x0000000074640000-0x0000000074667000-memory.dmp	upx
behavioral2/memory/3040-44-0x0000000074640000-0x0000000074667000-memory.dmp	upx
behavioral2/memory/4528-43-0x0000000000450000-0x0000000000477000-memory.dmp	upx
behavioral2/memory/3260-46-0x0000000000400000-0x00000000004E3000-memory.dmp	upx
behavioral2/memory/3260-47-0x0000000000400000-0x00000000004E3000-memory.dmp	upx
behavioral2/memory/3260-48-0x0000000000400000-0x00000000004E3000-memory.dmp	upx
behavioral2/memory/3260-49-0x0000000000400000-0x00000000004E3000-memory.dmp	upx
behavioral2/memory/3260-51-0x0000000000400000-0x00000000004E3000-memory.dmp	upx
behavioral2/memory/3260-52-0x0000000000400000-0x00000000004E3000-memory.dmp	upx
behavioral2/memory/3260-55-0x0000000000400000-0x00000000004E3000-memory.dmp	upx
behavioral2/memory/3260-56-0x0000000000400000-0x00000000004E3000-memory.dmp	upx
behavioral2/memory/3260-59-0x0000000000400000-0x00000000004E3000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\0A200D38.tmp	21.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1416	77d2dac8adc2170b5dbb6cb81da39484.exe
1416	77d2dac8adc2170b5dbb6cb81da39484.exe
4528	21.exe
4528	21.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3260	QvodSetup5.exe
3260	QvodSetup5.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3260	QvodSetup5.exe
3260	QvodSetup5.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 4528	1416	77d2dac8adc2170b5dbb6cb81da39484.exe	88
PID 1416 wrote to memory of 4528	1416	77d2dac8adc2170b5dbb6cb81da39484.exe	88
PID 1416 wrote to memory of 4528	1416	77d2dac8adc2170b5dbb6cb81da39484.exe	88
PID 1416 wrote to memory of 3260	1416	77d2dac8adc2170b5dbb6cb81da39484.exe	89
PID 1416 wrote to memory of 3260	1416	77d2dac8adc2170b5dbb6cb81da39484.exe	89
PID 1416 wrote to memory of 3260	1416	77d2dac8adc2170b5dbb6cb81da39484.exe	89

C:\Users\Admin\AppData\Local\Temp\77d2dac8adc2170b5dbb6cb81da39484.exe
"C:\Users\Admin\AppData\Local\Temp\77d2dac8adc2170b5dbb6cb81da39484.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\Temp\21.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\21.exe"
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4528
- C:\Users\Admin\AppData\Local\Temp\Temp\QvodSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp\QvodSetup5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3260

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\21.exe

Filesize
84KB

MD5
253f2fde80632a83581804a7b738657f

SHA1
412a963725ba924c310b5775698b372c6f0cfaaf

SHA256
310b8d3c80bc61371837c57c00a74cd263263f0f519faa713154e0da454dd88d

SHA512
62750357b04c25dda8a9a6d99ee885d6316691ad67e108093b524edc98b612a207ce9be92136c08a550073171590d97f646be868a10f42f744a56e4e0fff3327

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\QvodSetup5.exe

Filesize
520KB

MD5
93e466074cb7d1833dd8f8f37dd85aed

SHA1
c573a442d165bac4bfd5b15d4e1e88060c916fb5

SHA256
b2da1f5a555d7e7f6d787e729628e95c858cc6112a5073680062f3b066352e28

SHA512
d3b1a121658cefa0ab19e9bc13e430b877f697622c1c3ac392b5040bc7687a292e0097ec4d8c32cef4834bdd452cd8f9997ede9cbd1cd252dc24af92898e592b

Download Submit
C:\Users\Infotmp.txt

Filesize
724B

MD5
699044976dea8a8de770f7606bfe21be

SHA1
91cc3bd4af4435262928633c890bb61d4d9a379e

SHA256
25558d41cab8fa52e67d14aae1b0ed21723a5fce5b5b609993420da729c13a87

SHA512
9408f828d7d95aff5783fe35b8fc4fb8ef127d76ce4377f5aeb5329daa92babc5cf180c9c57e834dff2d33c35e3bc87808e17cb6a18be7ec28894cd1537a2c24

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
84KB

MD5
e5e4662d1ffb37f096d5d1200f989023

SHA1
da32d3a6867e42c3e03f5b20c4479d1b96920a88

SHA256
4c6f69d3188dddae6726596b4769344f57a024529311eb7d27898203a7aa9cdd

SHA512
d9889e26843d787615515148f7b85877c5b33cd8b65bd16ba6ce953aa9aaa540201e37e08e16d1176a09d75a33bdc169f0d2610b45f9120394823be4a7664472

Download Submit
memory/3040-44-0x0000000074640000-0x0000000074667000-memory.dmp

Filesize
156KB

Download
memory/3040-41-0x0000000074640000-0x0000000074667000-memory.dmp

Filesize
156KB

Download
memory/3040-39-0x0000000074640000-0x0000000074667000-memory.dmp

Filesize
156KB

Download
memory/3040-40-0x0000000074640000-0x0000000074667000-memory.dmp

Filesize
156KB

Download
memory/3260-24-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/3260-51-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3260-59-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3260-56-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3260-22-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3260-55-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3260-52-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3260-49-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3260-48-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3260-46-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3260-47-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4528-45-0x0000000076BE0000-0x0000000076C05000-memory.dmp

Filesize
148KB

Download
memory/4528-43-0x0000000000450000-0x0000000000477000-memory.dmp

Filesize
156KB

Download
memory/4528-31-0x0000000076BE0000-0x0000000076C05000-memory.dmp

Filesize
148KB

Download
memory/4528-11-0x0000000000450000-0x0000000000477000-memory.dmp

Filesize
156KB

Download
memory/4528-21-0x0000000000450000-0x0000000000477000-memory.dmp

Filesize
156KB

Download
memory/4528-17-0x0000000000450000-0x0000000000477000-memory.dmp

Filesize
156KB

Download
memory/4528-27-0x0000000077722000-0x0000000077723000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads