518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6

Analysis

max time kernel
295s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
14/03/2024, 04:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe
Size

1.9MB
MD5

86f2f5b1e021249025236f1c3a1935d4
SHA1

4d102ec935c274bded67400a90dcd253fd57805f
SHA256

518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6
SHA512

0f239c4ed770b0e03d0d0794cb3be21bcea2bc5fda5ac70ca057b92262f9c5362e98c5f672fc865a52f69c219e188a58e864ced8aa79fd127be92b1299259451
SSDEEP

49152:YLEqi8ZJjjHXfcrkSzdthQO9dO/V1skL/cgNPvTsohB:YLH9DcrBT9yVjL/tRrsohB

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Contacts a large (786) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

UPX packed file 49 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2136-3-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-22-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-23-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-24-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-25-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-31-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-37-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-38-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-50-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-54-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-56-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-55-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-58-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-60-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-62-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-64-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-66-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-73-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-72-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-70-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-65-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-76-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-79-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-80-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-77-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-87-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-90-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-89-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-94-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-91-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-95-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-96-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-98-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-99-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-102-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-105-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-101-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-100-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-97-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-88-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-86-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-83-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-85-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2136-82-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 200 set thread context of 2136	200	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	73

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2136	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe
2136	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe
2136	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe
2136	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe
2136	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe
2136	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 200 wrote to memory of 2136	200	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	73
PID 200 wrote to memory of 2136	200	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	73
PID 200 wrote to memory of 2136	200	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	73
PID 200 wrote to memory of 2136	200	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	73
PID 200 wrote to memory of 2136	200	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	73
PID 200 wrote to memory of 2136	200	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	73
PID 200 wrote to memory of 2136	200	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	73
PID 200 wrote to memory of 2136	200	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	73

C:\Users\Admin\AppData\Local\Temp\518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe
"C:\Users\Admin\AppData\Local\Temp\518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:200
- C:\Users\Admin\AppData\Local\Temp\518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe
  "C:\Users\Admin\AppData\Local\Temp\518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
2d170d74e94346cda082299bec4af0b7

SHA1
f03419f1c1e8340450356c3d6150d89d2aa5d50e

SHA256
4360601ffd4d81f2099b8884ffc2711334e8bc6147000f3a2483086eb062bde3

SHA512
a6d18e64b198f9894ff1bd9c4dbf0a14193c72e6ac5b76c749d4f72a2ec265c7ce08e13dba5e0abfa7983e4d6f04e2a1ef3948cda1845760aa875c492a2424d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
5.3MB

MD5
2373feb17de4fd6bfe17053dffa3d87f

SHA1
cffcd867f50cb18c2ab59ee5f25335df4bb57a37

SHA256
bfda73210aff952935e1a6136aaef7caabbf52d63b338b086f24bc1de5f0936d

SHA512
e18efc37920bb7b8f6c2cd023e2fafbcd3c51dc62b48f6aa4bb1c2fa7c292a7fc7076de81c802d97f856923b5eb23fb8b97ace7905713e197ec68086f22db58c

Download Submit
memory/200-2-0x0000000003A10000-0x0000000003BC7000-memory.dmp

Filesize
1.7MB

Download
memory/200-1-0x0000000003840000-0x0000000003A08000-memory.dmp

Filesize
1.8MB

Download
memory/2136-73-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-101-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-22-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-23-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-24-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-25-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-31-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-37-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-38-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-50-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-54-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-56-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-55-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-58-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-60-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-62-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-64-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-66-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-3-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-72-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-76-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-70-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-79-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-80-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-77-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-87-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-90-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-89-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-94-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-91-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-95-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-96-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-98-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-99-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-102-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-105-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-65-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-100-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-97-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-88-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-86-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-83-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-85-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2136-82-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download