aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409

Analysis

max time kernel
34s
max time network
151s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
26/11/2023, 07:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe
Size

1.9MB
MD5

fe049ddd0ffd2df34da564208aff9cec
SHA1

1df42bae63a1698b6070b198f9dceb3ac2b1338e
SHA256

aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409
SHA512

b46e677b3366e395a96761c768112acb01acfeacc92bc5f2749a923bcbc33e4ee6a1d9f5156cf6e250e217e79111e576f5567eae2f7eb381ffa2e08162f1ffbc
SSDEEP

49152:T9+v9qBhn3hRk9XkSxV4QFTNXopKJe8FtU+0:5wqBZTk9X7bFTSphIK

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 45 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2936-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-10-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-11-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-33-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-41-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-45-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-46-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-48-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-50-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-54-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-56-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-65-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-60-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-68-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-75-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-82-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-95-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-96-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-92-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-87-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-97-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-85-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-89-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-88-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-79-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-77-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-84-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-81-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-74-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-80-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-67-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-64-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-63-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-58-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-62-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-61-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-57-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-59-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-55-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-53-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-49-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2936-52-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1280 set thread context of 2936	1280	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2936	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe
2936	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe
2936	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2936	1280	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	28
PID 1280 wrote to memory of 2936	1280	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	28
PID 1280 wrote to memory of 2936	1280	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	28
PID 1280 wrote to memory of 2936	1280	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	28
PID 1280 wrote to memory of 2936	1280	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	28
PID 1280 wrote to memory of 2936	1280	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	28
PID 1280 wrote to memory of 2936	1280	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	28
PID 1280 wrote to memory of 2936	1280	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	28
PID 1280 wrote to memory of 2936	1280	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	28

C:\Users\Admin\AppData\Local\Temp\aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe
"C:\Users\Admin\AppData\Local\Temp\aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe
  "C:\Users\Admin\AppData\Local\Temp\aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
5c18d72163d64c68a60e6eea91447c24

SHA1
dfb2ce32b30c5a91e453eb5650e3c8bf49fc6e71

SHA256
aab77cc8138d5a4801c956127e341b1c21da9d14928aeabb6b52b6c32acd84a6

SHA512
cd7802fc31bcbec98ef3a8694de1a95eb7b5443baa30d57a073e0f1a2d858c6e42d1024499e9afe36f3ebd68f0a343e88831e974f5811ab99ffa8d08085b4d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
10.9MB

MD5
1e94d777c8772babde6c44f9b768a11a

SHA1
b5fa6056b183da29b821ef186c9945c8a0acfc63

SHA256
9de3e0519352c078e5c51f1ab0b0f2391d403ff4b4a94e8e4e8d767d320345e7

SHA512
df1d4a18632a4a2a7c3b9bd79038ed547babdb31dc5e66a203ef56bff4ce3e737a324025e919cd38c6293e79e378662cc05f8f4720d74e2a30fe7e772fb76067

Download Submit
memory/1280-0-0x0000000001F60000-0x0000000002118000-memory.dmp

Filesize
1.7MB

Download
memory/1280-2-0x0000000001F60000-0x0000000002118000-memory.dmp

Filesize
1.7MB

Download
memory/1280-4-0x0000000002120000-0x00000000022D7000-memory.dmp

Filesize
1.7MB

Download
memory/2936-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-10-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-11-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-33-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-41-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-45-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-46-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-48-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-50-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-54-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-56-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-65-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-60-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-68-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-75-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-82-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-95-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-96-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-92-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-87-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-97-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-85-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-89-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-88-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-79-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-77-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-84-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-81-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-74-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-80-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-67-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-64-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-63-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-58-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-62-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-61-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-57-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-59-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-55-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-53-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-49-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2936-52-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download