479673352af2a3d404a0d18be7ef62716134bad546fd8ba0a6d0cc908dba2016

General

Target

ccb8d8296b3254b770858ee8ac43949c.exe
Size

2.0MB
MD5

ccb8d8296b3254b770858ee8ac43949c
SHA1

51a6bcdf1de4d6a7139e19fadb4e7370db04364f
SHA256

479673352af2a3d404a0d18be7ef62716134bad546fd8ba0a6d0cc908dba2016
SHA512

2645084db4136f0fd08d4b5b3ed3c882b3a495335fe666f4ceca4d5b351e93b55ffa452c9c7d7e19ded55c23717057049d55c6419c31fe364454f92dd7258e4a
SSDEEP

49152:ItARufdWU5Dc8X1aXfLPoDqhoWBBGlcaS31zx:IGRufdn5DNFaTPoDkJGXSl1

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	5d867b70.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	5d867b70.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	5d867b70.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	5d867b70.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	5d867b70.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	5d867b70.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	5d867b70.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	5d867b70.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	5d867b70.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	5d867b70.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	5d867b70.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	5d867b70.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	5d867b70.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	5d867b70.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00080000000232fa-3.dat	aspack_v212_v242
behavioral2/files/0x0002000000022853-9.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2644	5d867b70.exe

Loads dropped DLL 12 IoCs

pid	Process
3284	svchost.exe
5096	svchost.exe
2516	svchost.exe
4560	svchost.exe
848	svchost.exe
4068	svchost.exe
408	svchost.exe
2712	svchost.exe
3208	svchost.exe
3136	svchost.exe
412	svchost.exe
4348	svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4604-0-0x0000000000400000-0x0000000000863000-memory.dmp	upx
behavioral2/memory/4604-23-0x0000000000400000-0x0000000000863000-memory.dmp	upx
behavioral2/memory/4604-67-0x0000000000400000-0x0000000000863000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4604-67-0x0000000000400000-0x0000000000863000-memory.dmp	autoit_exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nla.dll	5d867b70.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	5d867b70.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	5d867b70.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	5d867b70.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	5d867b70.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	5d867b70.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	5d867b70.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	5d867b70.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	5d867b70.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	5d867b70.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	5d867b70.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	5d867b70.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	5d867b70.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	5d867b70.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2644	5d867b70.exe
2644	5d867b70.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 2644	4604	ccb8d8296b3254b770858ee8ac43949c.exe	89
PID 4604 wrote to memory of 2644	4604	ccb8d8296b3254b770858ee8ac43949c.exe	89
PID 4604 wrote to memory of 2644	4604	ccb8d8296b3254b770858ee8ac43949c.exe	89

C:\Users\Admin\AppData\Local\Temp\ccb8d8296b3254b770858ee8ac43949c.exe
"C:\Users\Admin\AppData\Local\Temp\ccb8d8296b3254b770858ee8ac43949c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4604
- C:\5d867b70.exe
  C:\5d867b70.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2644

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:3284

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Irmon
1⤵
- Loads dropped DLL
PID:5096

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nla
1⤵
- Loads dropped DLL
PID:2516

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Ntmssvc
1⤵
- Loads dropped DLL
PID:4560

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s NWCWorkstation
1⤵
- Loads dropped DLL
PID:848

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nwsapagent
1⤵
- Loads dropped DLL
PID:4068

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s SRService
1⤵
- Loads dropped DLL
PID:408

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s WmdmPmSp
1⤵
- Loads dropped DLL
PID:2712

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s LogonHours
1⤵
- Loads dropped DLL
PID:3208

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s PCAudit
1⤵
- Loads dropped DLL
PID:3136

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
PID:412

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr
1⤵
- Loads dropped DLL
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\5d867b70.exe

Filesize
64KB

MD5
61b39462bdb688c427c2200b8687e09f

SHA1
ad645a23de7c9abff758c2189905f41d230e3609

SHA256
3ffcd8107479ea1f325d5d234129c3a1e8f427c93b04cee7042ae895a05af792

SHA512
cbe9a07ed64d3790a0aef804fecbe69a2ed3bdbc40c16b1edbfe714bd9cf8c965fd37123a3cb5f8c07c26171caa9a4b7fb3e9c5d6127a7005018bd4b326c36ae

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
64KB

MD5
7f10c62fc25523032799101647658904

SHA1
9e373798bd7742975ec14396053a8c4ffdc84ce9

SHA256
339c45b81c0ecc0e0bbbff2dd5ec9e2032d779a0711604a041147d2a05b08313

SHA512
85e8d7a82dea31791171a64feb76e7ddaf7a2c3c7f3805d52888dfa0a756eef22af779719a68fdb7ea2ed6dfb44cba0ef10743c64c3fc4c26a14f236331f93d5

Download Submit
memory/408-51-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/408-50-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/408-52-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/412-79-0x0000000075310000-0x000000007532C000-memory.dmp

Filesize
112KB

Download
memory/412-77-0x0000000075310000-0x000000007532C000-memory.dmp

Filesize
112KB

Download
memory/412-78-0x0000000075310000-0x000000007532C000-memory.dmp

Filesize
112KB

Download
memory/848-38-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/848-37-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/2516-25-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/2516-24-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/2644-26-0x0000000000D70000-0x0000000000D8C000-memory.dmp

Filesize
112KB

Download
memory/2644-6-0x0000000000D70000-0x0000000000D8C000-memory.dmp

Filesize
112KB

Download
memory/2644-4-0x0000000000D70000-0x0000000000D8C000-memory.dmp

Filesize
112KB

Download
memory/2712-58-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/2712-56-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/3136-71-0x0000000075310000-0x000000007532C000-memory.dmp

Filesize
112KB

Download
memory/3136-72-0x0000000075310000-0x000000007532C000-memory.dmp

Filesize
112KB

Download
memory/3208-64-0x0000000073F60000-0x0000000073F7C000-memory.dmp

Filesize
112KB

Download
memory/3208-66-0x0000000073F60000-0x0000000073F7C000-memory.dmp

Filesize
112KB

Download
memory/3208-65-0x0000000073F60000-0x0000000073F7C000-memory.dmp

Filesize
112KB

Download
memory/3284-12-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/3284-13-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/4068-44-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/4068-46-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/4348-85-0x0000000075310000-0x000000007532C000-memory.dmp

Filesize
112KB

Download
memory/4348-83-0x0000000075310000-0x000000007532C000-memory.dmp

Filesize
112KB

Download
memory/4560-31-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/4560-30-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/4560-32-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/4604-67-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/4604-0-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/4604-23-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/5096-19-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/5096-18-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/5096-17-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads