aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409

Analysis

max time kernel
49s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2023 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe
Size

1.9MB
MD5

fe049ddd0ffd2df34da564208aff9cec
SHA1

1df42bae63a1698b6070b198f9dceb3ac2b1338e
SHA256

aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409
SHA512

b46e677b3366e395a96761c768112acb01acfeacc92bc5f2749a923bcbc33e4ee6a1d9f5156cf6e250e217e79111e576f5567eae2f7eb381ffa2e08162f1ffbc
SSDEEP

49152:T9+v9qBhn3hRk9XkSxV4QFTNXopKJe8FtU+0:5wqBZTk9X7bFTSphIK

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2784-3-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-14-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-15-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-16-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-32-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-42-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-43-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-44-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-47-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-55-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-54-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-53-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-52-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-61-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-70-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-80-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-89-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-99-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-97-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-95-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-94-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-90-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-87-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-96-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-85-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-93-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-84-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-92-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-79-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-77-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-82-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-68-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-76-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-75-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-63-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-74-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-62-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-73-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-72-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-69-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-59-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-58-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-57-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-50-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-49-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2784-46-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2216 set thread context of 2784	2216	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2784	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe
2784	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe
2784	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe
2784	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe
2784	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe
2784	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2784	2216	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	90
PID 2216 wrote to memory of 2784	2216	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	90
PID 2216 wrote to memory of 2784	2216	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	90
PID 2216 wrote to memory of 2784	2216	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	90
PID 2216 wrote to memory of 2784	2216	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	90
PID 2216 wrote to memory of 2784	2216	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	90
PID 2216 wrote to memory of 2784	2216	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	90
PID 2216 wrote to memory of 2784	2216	aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe	90

C:\Users\Admin\AppData\Local\Temp\aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe
"C:\Users\Admin\AppData\Local\Temp\aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe
  "C:\Users\Admin\AppData\Local\Temp\aa16eed6abd2118df6b0670813ae3b9dab59b458bdc76222866c9a9fc0fa1409.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
5c18d72163d64c68a60e6eea91447c24

SHA1
dfb2ce32b30c5a91e453eb5650e3c8bf49fc6e71

SHA256
aab77cc8138d5a4801c956127e341b1c21da9d14928aeabb6b52b6c32acd84a6

SHA512
cd7802fc31bcbec98ef3a8694de1a95eb7b5443baa30d57a073e0f1a2d858c6e42d1024499e9afe36f3ebd68f0a343e88831e974f5811ab99ffa8d08085b4d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
9.3MB

MD5
dfecfb7c10285a13ffe5609e35870bc3

SHA1
b186bb8a30a6dfc638d5cedfb2003ce899fd3773

SHA256
8cf2fa95f4e9e7280db3d8d691ec2b7ae034d939de52c7a381ba0601cfa6b280

SHA512
c5c5c06b96294f2e1606ca21f3c5379e1b8b58d5fe930c868fdb08c9ea111fab58fc35de2bffbecd83ce936ff5dca857c225f89abc4af2eb1406daee72076cad

Download Submit
memory/2216-1-0x0000000002540000-0x00000000026FE000-memory.dmp

Filesize
1.7MB

Download
memory/2216-2-0x0000000002700000-0x00000000028B7000-memory.dmp

Filesize
1.7MB

Download
memory/2784-3-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-14-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-15-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-16-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-32-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-42-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-43-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-44-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-47-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-55-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-54-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-53-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-52-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-61-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-70-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-80-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-89-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-99-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-97-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-95-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-94-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-90-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-87-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-96-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-85-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-93-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-84-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-92-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-79-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-77-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-82-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-68-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-76-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-75-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-63-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-74-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-62-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-73-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-72-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-69-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-59-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-58-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-57-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-50-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-49-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2784-46-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download