35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7

Analysis

max time kernel
292s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
20/02/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
Size

1.9MB
MD5

91daf47ec23bdc6e075f0b4d81f9d6c7
SHA1

3c4ffceccf97568efeff3939f51a12bbee63f6af
SHA256

35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7
SHA512

c1ca51f839569bff829e3fd1e21d900833126cd320a7a36c74c149e5dc4a35ba61254dc6860ec51debb2b0ac91817639757d08bd34f8d7366ec1c9ba4f5eec96
SSDEEP

49152:2NVoFnW4i20zpdFRmgXBlLkHSCZ3aQx3PSGFivxfQhIrdY4I:/nW4iZ9dFwgXfLkHtZn3tF4xYh99

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2740-1-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-3-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-37-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-39-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-43-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-44-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-47-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-46-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-48-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-50-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-57-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-64-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-56-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-62-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-55-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-60-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-59-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-58-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-53-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-51-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-49-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-52-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-61-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-67-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-66-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-65-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-82-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-83-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-94-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-92-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-90-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-86-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-85-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-95-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-91-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-79-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-88-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-77-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-76-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-73-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-81-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-70-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-80-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-78-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-68-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-99-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-96-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-75-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-1296-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2740-2132-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
157	89ea5e0a101f.ngrok.io
195	89ea5e0a101f.ngrok.io
275	89ea5e0a101f.ngrok.io
1070	89ea5e0a101f.ngrok.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2924 set thread context of 2740	2924	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	74

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9656	2740	WerFault.exe	74

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2740	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
2740	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
2740	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
2740	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
2740	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
2740	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2740	2924	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	74
PID 2924 wrote to memory of 2740	2924	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	74
PID 2924 wrote to memory of 2740	2924	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	74
PID 2924 wrote to memory of 2740	2924	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	74
PID 2924 wrote to memory of 2740	2924	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	74
PID 2924 wrote to memory of 2740	2924	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	74
PID 2924 wrote to memory of 2740	2924	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	74
PID 2924 wrote to memory of 2740	2924	35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe	74

C:\Users\Admin\AppData\Local\Temp\35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
"C:\Users\Admin\AppData\Local\Temp\35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe
  "C:\Users\Admin\AppData\Local\Temp\35fa730adfdd0b15211d9bc04950f44d90daa9e72bb945d1158906b15fdde7c7.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 37488
    3⤵
    - Program crash
    PID:9656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
ccfc66c482231adf2bcc81ec8a31355a

SHA1
da0d17e889d210024eea48a09f0c75df9c35c4f2

SHA256
d1a694832cfda9ac92a494f0c87cbff68cadf29954b1942238579fc846316d19

SHA512
d8618ae6236d64d87e9beff26e47408180a729ad5e166f3a8baefba78358cf9dfd164911d87dfbaf8987f82da9046df5e0b4dcd9dbfbeb654cedee6ac03de4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
927KB

MD5
7b746a6fbb870a558bfbc9cbb4bc0174

SHA1
59ea23ca777bcabebb3e116d097311be71f870fb

SHA256
46df9cec0fb0c4df8b168ed61d2c8b7e3883e72882218faf95c6a573934540f3

SHA512
edfeab6e4b4244278262f1cef73c1f5de8d93f92f5589fae9e3f0323e2e8fd697fea734d5b70f808a8d14725a0f34d344becd4bd1bb8ac05a7476609a3f9b3bb

Download Submit
memory/2740-51-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-90-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-37-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-2132-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-1296-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-75-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-39-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-43-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-44-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-47-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-46-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-48-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-50-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-57-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-64-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-56-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-62-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-55-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-60-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-59-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-58-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-53-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-1-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-49-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-3-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-67-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-52-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-66-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-65-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-82-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-83-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-94-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-92-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-61-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-86-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-85-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-95-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-91-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-79-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-88-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-77-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-76-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-73-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-81-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-70-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-80-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-78-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-68-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-99-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2740-96-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2924-38-0x00000000025C0000-0x0000000002777000-memory.dmp

Filesize
1.7MB

Download
memory/2924-4-0x00000000025C0000-0x0000000002777000-memory.dmp

Filesize
1.7MB

Download
memory/2924-2-0x00000000023F0000-0x00000000025B2000-memory.dmp

Filesize
1.8MB

Download