92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b

Resubmissions

09-04-2024 13:37

240409-qwz1tsbf5w 7

09-04-2024 13:37

09-04-2024 13:37

09-04-2024 13:37

05-03-2024 02:32

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe
Size

1.8MB
MD5

f41c9e6ca239395e71bcf027987282dc
SHA1

560a973e308f20e0dbe64a38eaeaa22285ced049
SHA256

92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b
SHA512

cbf99c0e43b3a314ee6681f8655a269c0d51e4d40c10ea9c8571be30c5d69c0287c57be5b13e4fa7aecad7095efb4a741f1839dc9089251f41fa96f35011764a
SSDEEP

24576:h7OEqlRKCYqoxOMto8enhtiQkbx6zWXXfKfzZn00Eze2aP4sjagjotkEz4RaZMjM:h7B50L7fiQ26zEXfId0vFaQgMh4pj

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 22 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1948-3-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-5-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-6-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-7-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-8-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-9-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-14-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-23-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-24-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-25-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-26-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-27-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-35-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-39-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-40-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-41-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-46-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-53-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-54-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-59-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-63-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/1948-64-0x0000000000400000-0x0000000000848000-memory.dmp	UPX

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1948-3-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-14-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-23-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-24-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-25-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-26-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-27-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-35-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-39-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-40-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-41-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-46-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-53-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-54-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-59-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-63-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-64-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-65-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-66-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-67-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-69-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-72-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-71-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-70-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-68-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-76-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-77-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-89-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-91-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/1948-100-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe

description	pid	process	target process
PID 4436 set thread context of 1948	4436	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe

pid	process
1948	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe
1948	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe
1948	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe
1948	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe
1948	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe
1948	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe

description	pid	process	target process
PID 4436 wrote to memory of 1948	4436	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe
PID 4436 wrote to memory of 1948	4436	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe
PID 4436 wrote to memory of 1948	4436	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe
PID 4436 wrote to memory of 1948	4436	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe
PID 4436 wrote to memory of 1948	4436	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe
PID 4436 wrote to memory of 1948	4436	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe
PID 4436 wrote to memory of 1948	4436	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe
PID 4436 wrote to memory of 1948	4436	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe	92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe

C:\Users\Admin\AppData\Local\Temp\92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe
"C:\Users\Admin\AppData\Local\Temp\92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Users\Admin\AppData\Local\Temp\92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe
  "C:\Users\Admin\AppData\Local\Temp\92eb323e0240228429277748079975b5626bed0bf249ec53e7fa78c88ede0c5b.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
10d0439d6a1d9840729d7d2d8e024088

SHA1
1934219af1ee46e48a5808ad7eef059fe4f883ee

SHA256
5ff8da115aa2d7d1006053a8d1d7ba7e0723bb35215599e5deddfa58f18e35ec

SHA512
fedcc0c83b41ee564614c6291b1fb014d7ec5cb745be7d7109e5d7ac2cfbc129cc7cd0e268ca6e7528dca30d4113b46289a079fe599dd90fc26e8ac85d7b1fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
631KB

MD5
492e20e38ab9bd51219cade0ce30cffe

SHA1
10bf72d170cce53f80d1e72b30a723f01d0d3877

SHA256
85fa0bc094014a45a6a146fec5f5a5e23d62b2ae5c07e1fb6e7c22685ea4c638

SHA512
23c7db14ca03a85cef799dbbaccfeeac2823f4d016701ef71ffe3f495e290f21418555a8450472d52d410ec6967746ae671b58f29a0045ade2e7aa7e05819f2e

Download Submit
memory/1948-46-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-77-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-14-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-3-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-23-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-24-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-25-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-26-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-27-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-54-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-105-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-39-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-40-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-41-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-109-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-35-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-59-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-63-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-64-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-65-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-66-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-67-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-69-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-72-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-71-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-70-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-68-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-76-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-53-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-89-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-91-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1948-100-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4436-1-0x0000000003D50000-0x0000000003F0D000-memory.dmp

Filesize
1.7MB

Download
memory/4436-2-0x0000000003F50000-0x0000000004107000-memory.dmp

Filesize
1.7MB

Download