8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91

Resubmissions

09/04/2024, 10:06

240409-l5bmdacc75 7

09/04/2024, 10:05

09/04/2024, 10:05

09/04/2024, 10:05

29/01/2024, 04:54

Analysis

max time kernel
75s
max time network
303s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
Size

1.9MB
MD5

d5057eda9b4251e0e52fb2d8524cfa57
SHA1

327f6d72563fdfb1ab206ac9a3b2d4c770d066f5
SHA256

8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91
SHA512

24d423aa3d71b12af016c5918940d4984f1640f902dc36adc9a29dd9980baa2210ea250111b052dc9fdc5cdfbea8ece8813494f2d2ccecefa60f224a3d731fb2
SSDEEP

24576:OPUnujryKC12iAlGaRctykklEPjJ3QIzs6yBKSolGIUOVPgJAt8EnZapKtpMh6co:9Dr2iAcKcC+N3Bs6ywSz5SSAza88hqx

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2192-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-10-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-15-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-16-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-17-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-18-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-19-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-28-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-50-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-51-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-52-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-53-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-54-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-56-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-61-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-67-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-71-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-79-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-85-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-93-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-100-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-98-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-97-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-96-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-92-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-91-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-89-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-88-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-86-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-84-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-82-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-81-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-80-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-78-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-76-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-73-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-70-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-68-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-66-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-64-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-62-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-60-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-59-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2192-57-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
73	discord.com
83	discord.com
178	drive.google.com
201	drive.google.com
327	drive.google.com
644	drive.google.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1280 set thread context of 2192	1280	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2192	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
2192	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
2192	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2192	1280	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	28
PID 1280 wrote to memory of 2192	1280	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	28
PID 1280 wrote to memory of 2192	1280	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	28
PID 1280 wrote to memory of 2192	1280	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	28
PID 1280 wrote to memory of 2192	1280	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	28
PID 1280 wrote to memory of 2192	1280	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	28
PID 1280 wrote to memory of 2192	1280	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	28
PID 1280 wrote to memory of 2192	1280	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	28
PID 1280 wrote to memory of 2192	1280	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	28

C:\Users\Admin\AppData\Local\Temp\8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
"C:\Users\Admin\AppData\Local\Temp\8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
  "C:\Users\Admin\AppData\Local\Temp\8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2192

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /D /T
1⤵
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
1c5d1f1974bb5fd5a986dfb699dfa5ba

SHA1
bb3734338b138157484713c2a2f4f4e1b1aeaed2

SHA256
83ef30ee1a0c8b1cbf4630c4263bda4c0048ff78babc990260fd4191cd915fad

SHA512
fd012d6a4e1a9fbb895b88c4b8974ffb8a2b80c9afe446d5d2552dadbe37023e75378c718c59cc70df1e2a30acacdcf0c51d60a53a6c57b671e25752517250e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
15.4MB

MD5
0f07a232845c03c0734e3673b7072d04

SHA1
f44d3eeb7494ab2742b1d561564f7bc4677ac8c7

SHA256
d2cb54f863da4072779a479444e2e2cd34069184091b2dd9011b5ae1c6a23c4e

SHA512
a244650abe707ad9857370c0331279ec43d0253399dcf33a5b9fe5f61b7558082f3e25f1816f4e44e640abd5afebf6e3df9257362cdb7605210c537105cebe52

Download Submit
memory/1280-0-0x0000000000BB0000-0x0000000000D68000-memory.dmp

Filesize
1.7MB

Download
memory/1280-2-0x0000000000BB0000-0x0000000000D68000-memory.dmp

Filesize
1.7MB

Download
memory/1280-4-0x0000000002490000-0x0000000002647000-memory.dmp

Filesize
1.7MB

Download
memory/2192-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2192-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-10-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-15-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-16-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-17-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-18-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-19-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-28-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-50-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-51-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-52-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-53-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-54-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-56-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-61-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-67-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-71-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-79-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-85-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-93-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-100-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-98-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-97-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-96-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-92-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-91-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-89-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-88-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-86-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-84-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-82-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-81-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-80-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-78-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-76-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-73-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-70-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-68-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-66-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-64-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-62-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-60-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-59-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2192-57-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download