8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91

Resubmissions

09/04/2024, 10:06

240409-l5bmdacc75 7

09/04/2024, 10:05

09/04/2024, 10:05

09/04/2024, 10:05

29/01/2024, 04:54

Analysis

max time kernel
290s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09/04/2024, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
Size

1.9MB
MD5

d5057eda9b4251e0e52fb2d8524cfa57
SHA1

327f6d72563fdfb1ab206ac9a3b2d4c770d066f5
SHA256

8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91
SHA512

24d423aa3d71b12af016c5918940d4984f1640f902dc36adc9a29dd9980baa2210ea250111b052dc9fdc5cdfbea8ece8813494f2d2ccecefa60f224a3d731fb2
SSDEEP

24576:OPUnujryKC12iAlGaRctykklEPjJ3QIzs6yBKSolGIUOVPgJAt8EnZapKtpMh6co:9Dr2iAcKcC+N3Bs6ywSz5SSAza88hqx

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3972-3-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-14-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-30-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-32-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-41-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-45-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-46-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-47-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-53-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-54-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-55-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-56-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-57-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-58-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-62-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-63-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-64-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-65-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-66-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-67-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-68-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-69-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-70-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-71-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-75-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-76-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-77-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-81-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-82-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-83-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/3972-87-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2424 set thread context of 3972	2424	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	74

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3972	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
3972	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
3972	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
3972	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
3972	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
3972	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 3972	2424	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	74
PID 2424 wrote to memory of 3972	2424	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	74
PID 2424 wrote to memory of 3972	2424	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	74
PID 2424 wrote to memory of 3972	2424	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	74
PID 2424 wrote to memory of 3972	2424	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	74
PID 2424 wrote to memory of 3972	2424	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	74
PID 2424 wrote to memory of 3972	2424	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	74
PID 2424 wrote to memory of 3972	2424	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	74

C:\Users\Admin\AppData\Local\Temp\8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
"C:\Users\Admin\AppData\Local\Temp\8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
  "C:\Users\Admin\AppData\Local\Temp\8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
5777d56460efb8519bcfe961647ffcc8

SHA1
cb180d9885a517ec254c1fb7271e02de5bb3a73a

SHA256
a10fc5dda3f349841a63877282650e21b6a4fd3176e48d607cbdbaaef5b1bd66

SHA512
cdfd33d9d5ebf919431cd7a12f1b55137ab7005c69e2941c6e15ee081ecf2137ef4e272c4f40fbadd6f3c1b45f08aba31bc6ec0bd394f8fc3abf310cb64e7bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
9.2MB

MD5
dee2e20f2330324c1215070f4f4cf163

SHA1
428cbca2837841fc4ebdc2335d36dc4497d1ff6f

SHA256
f9813a32813ff405a96fa434a49d5de848caaa14a748088d27f807ec21fdd9ba

SHA512
e26a7dced25ecc79c3f2568bee75468031e91f1a273ca57a5b1e7148b0ef2d66839d84a705cf2094be945cd694ada4f0a0509bab2ced817124af7ef3ba1a4275

Download Submit
memory/2424-2-0x0000000002830000-0x00000000029E7000-memory.dmp

Filesize
1.7MB

Download
memory/2424-1-0x0000000000CD0000-0x0000000000E8B000-memory.dmp

Filesize
1.7MB

Download
memory/3972-56-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-14-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-30-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-32-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-41-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-45-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-46-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-47-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-53-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-54-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-55-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-57-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-3-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-71-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-62-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-63-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-64-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-65-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-66-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-67-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-68-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-69-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-70-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-58-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-75-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-76-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-77-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-81-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-82-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-83-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3972-87-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download