518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6

Resubmissions

12-04-2024 13:47

240412-q3nalsdh8v 10

12-04-2024 13:47

12-04-2024 13:47

12-04-2024 13:47

12-04-2024 13:47

09-04-2024 06:37

09-04-2024 06:36

09-04-2024 06:36

Analysis

max time kernel
145s
max time network
1805s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe
Size

1.9MB
MD5

86f2f5b1e021249025236f1c3a1935d4
SHA1

4d102ec935c274bded67400a90dcd253fd57805f
SHA256

518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6
SHA512

0f239c4ed770b0e03d0d0794cb3be21bcea2bc5fda5ac70ca057b92262f9c5362e98c5f672fc865a52f69c219e188a58e864ced8aa79fd127be92b1299259451
SSDEEP

49152:YLEqi8ZJjjHXfcrkSzdthQO9dO/V1skL/cgNPvTsohB:YLH9DcrBT9yVjL/tRrsohB

Score

10^/10

discovery persistence upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
my.teipir.gr
Port:
21
Username:
[email protected]
Password:
dpkexik22

Extracted

Credentials

Protocol: ftp
Host:
my.teipir.gr
Port:
21
Username:
cse09_269
Password:
dpkexik22

Extracted

Credentials

Protocol: ftp
Host:
my.teipir.gr
Port:
21
Username:
admin

Signatures

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/2516-3-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-4-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-13-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-14-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-15-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-16-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-17-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-27-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-45-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-49-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-50-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-51-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-52-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-56-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-59-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-58-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-64-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-78-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-77-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-89-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-74-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-75-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-69-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-67-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-73-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-72-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-100-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-101-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-99-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-98-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-97-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-96-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-94-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-91-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-88-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-86-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-95-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-82-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-70-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-63-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-62-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-61-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-60-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-57-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-55-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/2516-53-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
776	discord.com
513	discord.com
9244	discord.com
9421	discord.com
9563	discord.com
9878	discord.com
10049	discord.com
372	discord.com
397	discord.com
9715	discord.com
384	discord.com
4243	discord.com
10007	discord.com
2310	discord.com
9247	discord.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4164 set thread context of 2516	4164	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2516	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe
2516	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe
2516	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe
2516	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe
2516	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe
2516	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 2516	4164	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	86
PID 4164 wrote to memory of 2516	4164	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	86
PID 4164 wrote to memory of 2516	4164	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	86
PID 4164 wrote to memory of 2516	4164	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	86
PID 4164 wrote to memory of 2516	4164	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	86
PID 4164 wrote to memory of 2516	4164	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	86
PID 4164 wrote to memory of 2516	4164	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	86
PID 4164 wrote to memory of 2516	4164	518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe	86

C:\Users\Admin\AppData\Local\Temp\518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe
"C:\Users\Admin\AppData\Local\Temp\518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Local\Temp\518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe
  "C:\Users\Admin\AppData\Local\Temp\518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
a7322c0ba805744c82137309ef062277

SHA1
a7e721160f91611ab399948951a5a5d514fde409

SHA256
c89a350f2a67be2729932bd4216a02d6b6217704c84a283e07012d442f6ccce5

SHA512
d087fe0866f89235d193a5e1de751b3b7601c53b92ecbd092a5ee238b191254130c8a61b48796e4de2f42d77644238e7613f1aa9be8435ffee023c9baeb4c7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
8.7MB

MD5
05ca71c439aeff90bdf0561217fc1773

SHA1
618e2fea5898455812bf689053e583837322df48

SHA256
0ba0d24f223bcb410b01e5bd2ac07d94e1d6182c0d6ec402a843453f05389398

SHA512
69898916b634469a7d07b3a2214543f440b53f50e5ded98c76b13e32f3d6557321d3d98fb88e97272bd67b60865b8966777c13c15bcd3a8a8f2b1711a4410707

Download Submit
memory/2516-77-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-74-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-89-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-13-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-14-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-15-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-16-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-17-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-3-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-27-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-53-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-45-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-49-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-50-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-51-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-52-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-56-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-59-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-58-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-64-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-78-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-57-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-4-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-75-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-69-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-67-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-73-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-72-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-100-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-101-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-99-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-98-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-97-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-96-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-94-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-91-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-88-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-86-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-95-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-82-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-70-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-63-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-62-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-61-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-60-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2516-55-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4164-1-0x0000000003970000-0x0000000003B2D000-memory.dmp

Filesize
1.7MB

Download
memory/4164-2-0x0000000003B30000-0x0000000003CE7000-memory.dmp

Filesize
1.7MB

Download