35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7

Analysis

max time kernel
49s
max time network
300s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
Size

1.9MB
MD5

91daf47ec23bdc6e075f0b4d81f9d6c7
SHA1

3c4ffceccf97568efeff3939f51a12bbee63f6af
SHA256

35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7
SHA512

c1ca51f839569bff829e3fd1e21d900833126cd320a7a36c74c149e5dc4a35ba61254dc6860ec51debb2b0ac91817639757d08bd34f8d7366ec1c9ba4f5eec96
SSDEEP

49152:2NVoFnW4i20zpdFRmgXBlLkHSCZ3aQx3PSGFivxfQhIrdY4I:/nW4iZ9dFwgXfLkHtZn3tF4xYh99

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 40 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2540-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-10-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-11-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-25-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-41-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-42-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-46-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-47-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-48-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-49-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-51-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-53-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-57-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-62-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-69-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-72-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-79-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-86-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-94-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-98-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-95-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-92-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-91-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-89-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-85-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-84-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-83-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-82-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-81-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-78-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-76-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-70-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-67-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-66-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-63-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-61-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2540-54-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 2540	1752	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2540	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
2540	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
2540	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2540	1752	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	28
PID 1752 wrote to memory of 2540	1752	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	28
PID 1752 wrote to memory of 2540	1752	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	28
PID 1752 wrote to memory of 2540	1752	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	28
PID 1752 wrote to memory of 2540	1752	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	28
PID 1752 wrote to memory of 2540	1752	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	28
PID 1752 wrote to memory of 2540	1752	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	28
PID 1752 wrote to memory of 2540	1752	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	28
PID 1752 wrote to memory of 2540	1752	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	28

C:\Users\Admin\AppData\Local\Temp\35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
"C:\Users\Admin\AppData\Local\Temp\35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
  "C:\Users\Admin\AppData\Local\Temp\35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
1.9MB

MD5
9a3f4e5769f032db67846b494318d985

SHA1
768abe7f0199cf33eb60e08ae0b8e5a35e92b34d

SHA256
485fa9b75b9128de1c8c5bec8c759fb41f805b779cb6c2261b824ef9ef939bf8

SHA512
f5e90d949a5cffdab6cea9a8b5b43c58f209bd5632450bbab265baa40e0b431e649707a2068e272dc136bc5e4702e5493efa534887f801388df7e3529bfdb75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
12.3MB

MD5
ee7e5416c00561b1925424f8dbdfeac0

SHA1
911a097541d6c27485e614efb02cc56d607bbaab

SHA256
49403bfd2c0cb09900ba94948974daa9e500aa0be17c4e08375183a78023a39e

SHA512
75a580ab041a1dfd749524218883aaed58bdcc646d0afbba13b8e3c719369e4edd5ebe94a1ef6f38c3a74ac5e4e5be4d37404e542c8b6c5f4c922be991d79239

Download Submit
memory/1752-7-0x0000000001F10000-0x00000000020C8000-memory.dmp

Filesize
1.7MB

Download
memory/1752-2-0x0000000001F10000-0x00000000020C8000-memory.dmp

Filesize
1.7MB

Download
memory/1752-4-0x00000000020D0000-0x0000000002287000-memory.dmp

Filesize
1.7MB

Download
memory/1752-0-0x0000000001F10000-0x00000000020C8000-memory.dmp

Filesize
1.7MB

Download
memory/2540-57-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-86-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-10-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-11-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-25-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2540-41-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-42-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-46-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-47-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-48-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-49-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-51-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-53-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-62-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-69-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-72-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-79-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-94-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-98-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-95-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-92-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-91-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-89-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-85-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-84-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-83-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-82-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-81-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-78-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-76-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-70-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-67-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-66-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-63-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-61-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2540-54-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download