b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7

Analysis

max time kernel
209s
max time network
255s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
Size

299KB
MD5

e6870480bc03956ed54c346de31e5b4d
SHA1

5301558b5647f549c177ad28f4a350335f9253e3
SHA256

b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7
SHA512

25fcd31d003b0a6450b3ba97864d5baa9a0bb737cef0690395871987d2da45a5c1a16b5bf8c3ec448648afa58816d6d2dbccd5c073fc69a86f8ffab4c71710da
SSDEEP

6144:kuayAdOPViZJzC8mLi/g8iF1NDupfB+U3MdLNfNXu2bwzUNH:nAdyiDzgW/i1NDeB+3Ju2bwa

Score

8^/10

persistence upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
5112	smss.exe
2572	smss.exe
532	csrss.exe
4876	csrss.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3512-0-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/3512-1-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/3512-2-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/3512-9-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/3512-43-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/3512-44-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe"	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smss.exe = "C:\\Program Files\\smss.exe"	smss.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5112	smss.exe
2572	smss.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\smss.exe	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
File opened for modification	C:\Program Files\smss.exe	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
File created	C:\Program Files\csrss.exe	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
File opened for modification	C:\Program Files\csrss.exe	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2832	2572	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5112	smss.exe
5112	smss.exe
2572	smss.exe
2572	smss.exe
5112	smss.exe
5112	smss.exe
2572	smss.exe
2572	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe
5112	smss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5112	smss.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3512	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
3512	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
5112	smss.exe
5112	smss.exe
2572	smss.exe
2572	smss.exe
4876	csrss.exe
532	csrss.exe
4876	csrss.exe
532	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 5112	3512	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	87
PID 3512 wrote to memory of 5112	3512	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	87
PID 3512 wrote to memory of 5112	3512	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	87
PID 3512 wrote to memory of 2572	3512	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	88
PID 3512 wrote to memory of 2572	3512	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	88
PID 3512 wrote to memory of 2572	3512	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	88
PID 3512 wrote to memory of 532	3512	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	90
PID 3512 wrote to memory of 532	3512	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	90
PID 3512 wrote to memory of 532	3512	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	90
PID 3512 wrote to memory of 4876	3512	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	91
PID 3512 wrote to memory of 4876	3512	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	91
PID 3512 wrote to memory of 4876	3512	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	91

C:\Users\Admin\AppData\Local\Temp\b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
"C:\Users\Admin\AppData\Local\Temp\b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Program Files\smss.exe
  "C:\Program Files\smss.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5112
- C:\Program Files\smss.exe
  "C:\Program Files\smss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 568
    3⤵
    - Program crash
    PID:2832
- C:\Program Files\csrss.exe
  "C:\Program Files\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:532
- C:\Program Files\csrss.exe
  "C:\Program Files\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2572 -ip 2572
1⤵
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\csrss.exe

Filesize
40KB

MD5
770b3eec57133e1315d33d463ccfad54

SHA1
d749fa822779604a72425b4b1ddc0d0c261e3af0

SHA256
a6f41dd8df3faad311fa87bccfb01d5eb933f74afb8776eaf9a5384d6e147147

SHA512
abb03c8540d602c417ea4f35b6039a289905d964ad689dde42256e835fe46f76a1fabe15085c5bb8b1238323770ed9e422d8d3cf9c5a3894078dc6f3c9a6cbb4

Download Submit
C:\Program Files\csrss.exe

Filesize
40KB

MD5
770b3eec57133e1315d33d463ccfad54

SHA1
d749fa822779604a72425b4b1ddc0d0c261e3af0

SHA256
a6f41dd8df3faad311fa87bccfb01d5eb933f74afb8776eaf9a5384d6e147147

SHA512
abb03c8540d602c417ea4f35b6039a289905d964ad689dde42256e835fe46f76a1fabe15085c5bb8b1238323770ed9e422d8d3cf9c5a3894078dc6f3c9a6cbb4

Download Submit
C:\Program Files\csrss.exe

Filesize
40KB

MD5
770b3eec57133e1315d33d463ccfad54

SHA1
d749fa822779604a72425b4b1ddc0d0c261e3af0

SHA256
a6f41dd8df3faad311fa87bccfb01d5eb933f74afb8776eaf9a5384d6e147147

SHA512
abb03c8540d602c417ea4f35b6039a289905d964ad689dde42256e835fe46f76a1fabe15085c5bb8b1238323770ed9e422d8d3cf9c5a3894078dc6f3c9a6cbb4

Download Submit
C:\Program Files\smss.exe

Filesize
2.8MB

MD5
aa4a1a7ad19849c5dee65ef1e4fc9a86

SHA1
b38bfd0421e50a1ca462b5629ea92389d4884975

SHA256
b3c8c35994341ed5cdd633144d79fa7db17fe3bbe5ec6bc43f31e9d8d8ee40e5

SHA512
95c39afff84a454465b8911d2797deea4afb087b1d5bdbad7e0ba84f837a6a5cbdf3b4e87d05a532f82ad8fb8fc633f154b932a756a78c2967a21458e15463dc

Download Submit
C:\Program Files\smss.exe

Filesize
2.8MB

MD5
aa4a1a7ad19849c5dee65ef1e4fc9a86

SHA1
b38bfd0421e50a1ca462b5629ea92389d4884975

SHA256
b3c8c35994341ed5cdd633144d79fa7db17fe3bbe5ec6bc43f31e9d8d8ee40e5

SHA512
95c39afff84a454465b8911d2797deea4afb087b1d5bdbad7e0ba84f837a6a5cbdf3b4e87d05a532f82ad8fb8fc633f154b932a756a78c2967a21458e15463dc

Download Submit
C:\Program Files\smss.exe

Filesize
2.8MB

MD5
aa4a1a7ad19849c5dee65ef1e4fc9a86

SHA1
b38bfd0421e50a1ca462b5629ea92389d4884975

SHA256
b3c8c35994341ed5cdd633144d79fa7db17fe3bbe5ec6bc43f31e9d8d8ee40e5

SHA512
95c39afff84a454465b8911d2797deea4afb087b1d5bdbad7e0ba84f837a6a5cbdf3b4e87d05a532f82ad8fb8fc633f154b932a756a78c2967a21458e15463dc

Download Submit
memory/2572-21-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2572-46-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/2572-17-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/2572-18-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/3512-9-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3512-0-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3512-44-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3512-2-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3512-43-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3512-1-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5112-22-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/5112-27-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/5112-25-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/5112-29-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/5112-32-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/5112-24-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/5112-33-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/5112-20-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/5112-16-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/5112-45-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/5112-14-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download