54c813e4d597cb289c66400a473956b3160a0e01e4d6021c7735df840eddfaff

General

Target

a1344154ce58c185e061aae7186f432c.exe
Size

250KB
MD5

a1344154ce58c185e061aae7186f432c
SHA1

594c4ffc49a5e376213341488db0f9ec21d660fd
SHA256

54c813e4d597cb289c66400a473956b3160a0e01e4d6021c7735df840eddfaff
SHA512

d47b615ba3e32bfa9f8e8680e0100304565a015f16b752af3cf60dd2dd6dff34521ea540e062ef31c3f3c850380d05f2ca4d21a76d8ccd7f011b79b779c45b89
SSDEEP

6144:DWWljwuMRbd8qdKNgmtT22hCw4Yw+hly9ZTOHXYJn:LwuMRZ8q+gA28Cwk++jYY

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	7dc9490f.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000300000001fc40-3.dat	aspack_v212_v242
behavioral2/files/0x0007000000023226-13.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
4460	7dc9490f.exe

Loads dropped DLL 1 IoCs

pid	Process
4392	svchost.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1800-0-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral2/files/0x000300000001fc40-3.dat	upx
behavioral2/memory/4460-5-0x0000000000800000-0x0000000000826000-memory.dmp	upx
behavioral2/memory/4460-6-0x0000000000800000-0x0000000000826000-memory.dmp	upx
behavioral2/files/0x0007000000023226-13.dat	upx
behavioral2/memory/4392-15-0x00000000758B0000-0x00000000758D6000-memory.dmp	upx
behavioral2/memory/4392-16-0x00000000758B0000-0x00000000758D6000-memory.dmp	upx
behavioral2/memory/4392-18-0x00000000758B0000-0x00000000758D6000-memory.dmp	upx
behavioral2/memory/4460-19-0x0000000000800000-0x0000000000826000-memory.dmp	upx
behavioral2/memory/1800-22-0x0000000000400000-0x0000000000482000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\45160D98.tmp	7dc9490f.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	7dc9490f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4460	7dc9490f.exe
4460	7dc9490f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 4460	1800	a1344154ce58c185e061aae7186f432c.exe	88
PID 1800 wrote to memory of 4460	1800	a1344154ce58c185e061aae7186f432c.exe	88
PID 1800 wrote to memory of 4460	1800	a1344154ce58c185e061aae7186f432c.exe	88

C:\Users\Admin\AppData\Local\Temp\a1344154ce58c185e061aae7186f432c.exe
"C:\Users\Admin\AppData\Local\Temp\a1344154ce58c185e061aae7186f432c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1800
- C:\7dc9490f.exe
  C:\7dc9490f.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4460

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7dc9490f.exe

Filesize
91KB

MD5
9c22c94e6481f7e907f65cc9da62bf19

SHA1
34d486e676266c48d4dc92d87f823824523ffc8a

SHA256
a371bed0a3eb7210674d5770225af0624e13d35531405010e6f27a6ca0318f8d

SHA512
954b588e42f13d7d819e29a00364457c10cb6a1777d964f1d84b6db84aba05c8b679032ea1d6ad88c8b157fccdcbee080ee1928e70d5d7b743fa870b9130f86c

Download Submit
C:\Users\Infotmp.txt

Filesize
720B

MD5
dd076c334033a80f43d5d7f9b02f6353

SHA1
d822a92b67d68581462672d51c90b7bf1f240ab8

SHA256
8254db36744b8f0dbd5a98417d9ee9f95041f8d8dfc7c4dc9a0d2e7e084d7211

SHA512
c74cff961580b6552a7d8b6f37c7eaf21f0016e616d256f7b2a52e010e9759661618e6fe7608cfe27afcaa68fc90eaa2823566c40ae483996a9182c87f11d9f8

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
91KB

MD5
7fbd1ba5aa23603e02a151c550c667a6

SHA1
8f50a0e8c204501203c4f9924b9c0b8a3f82ac09

SHA256
c6a2b253d7302957b027513001ddeb88bd632da83fe0b57b223c47519ea86605

SHA512
cc618e67f34b9070f280c2a07365c04e5ea1a8fd73936671c241cd8876fbe4d868a184ca19ed6f40f3b44d1d7f4872cd6cc173a3093d6f0a18cbfeedac2a7be2

Download Submit
memory/1800-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1800-21-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1800-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4392-15-0x00000000758B0000-0x00000000758D6000-memory.dmp

Filesize
152KB

Download
memory/4392-16-0x00000000758B0000-0x00000000758D6000-memory.dmp

Filesize
152KB

Download
memory/4392-18-0x00000000758B0000-0x00000000758D6000-memory.dmp

Filesize
152KB

Download
memory/4460-6-0x0000000000800000-0x0000000000826000-memory.dmp

Filesize
152KB

Download
memory/4460-9-0x0000000077DF2000-0x0000000077DF3000-memory.dmp

Filesize
4KB

Download
memory/4460-10-0x0000000077590000-0x00000000775B5000-memory.dmp

Filesize
148KB

Download
memory/4460-5-0x0000000000800000-0x0000000000826000-memory.dmp

Filesize
152KB

Download
memory/4460-20-0x0000000077590000-0x00000000775B5000-memory.dmp

Filesize
148KB

Download
memory/4460-19-0x0000000000800000-0x0000000000826000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads