8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91

Resubmissions

09-04-2024 10:06

240409-l5bmdacc75 7

09-04-2024 10:05

09-04-2024 10:05

09-04-2024 10:05

29-01-2024 04:54

Analysis

max time kernel
296s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
Size

1.9MB
MD5

d5057eda9b4251e0e52fb2d8524cfa57
SHA1

327f6d72563fdfb1ab206ac9a3b2d4c770d066f5
SHA256

8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91
SHA512

24d423aa3d71b12af016c5918940d4984f1640f902dc36adc9a29dd9980baa2210ea250111b052dc9fdc5cdfbea8ece8813494f2d2ccecefa60f224a3d731fb2
SSDEEP

24576:OPUnujryKC12iAlGaRctykklEPjJ3QIzs6yBKSolGIUOVPgJAt8EnZapKtpMh6co:9Dr2iAcKcC+N3Bs6ywSz5SSAza88hqx

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/1440-3-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-4-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-29-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-38-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-39-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-43-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-44-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-45-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-51-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-52-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-53-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-54-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-55-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-56-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-57-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-58-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-59-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-60-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-61-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-62-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-63-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-64-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-65-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-66-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-67-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-71-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-72-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-76-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-77-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-78-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-79-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1440-80-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4856 set thread context of 1440	4856	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1440	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
1440	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
1440	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
1440	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
1440	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
1440	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 1440	4856	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	84
PID 4856 wrote to memory of 1440	4856	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	84
PID 4856 wrote to memory of 1440	4856	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	84
PID 4856 wrote to memory of 1440	4856	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	84
PID 4856 wrote to memory of 1440	4856	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	84
PID 4856 wrote to memory of 1440	4856	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	84
PID 4856 wrote to memory of 1440	4856	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	84
PID 4856 wrote to memory of 1440	4856	8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe	84

C:\Users\Admin\AppData\Local\Temp\8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
"C:\Users\Admin\AppData\Local\Temp\8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\Temp\8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe
  "C:\Users\Admin\AppData\Local\Temp\8a531865aa5785bb7b20574bb347744a5d83cf8719c6809217402b4fa5fbde91.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
5777d56460efb8519bcfe961647ffcc8

SHA1
cb180d9885a517ec254c1fb7271e02de5bb3a73a

SHA256
a10fc5dda3f349841a63877282650e21b6a4fd3176e48d607cbdbaaef5b1bd66

SHA512
cdfd33d9d5ebf919431cd7a12f1b55137ab7005c69e2941c6e15ee081ecf2137ef4e272c4f40fbadd6f3c1b45f08aba31bc6ec0bd394f8fc3abf310cb64e7bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
9.5MB

MD5
95be3599c3aa1f190e4beddfadb95ada

SHA1
8915f9d2868056daedf3891dcc4e622d96110573

SHA256
b9c3b09b3c6c5d0379ab6f612c69a47fe6c5b2e06a5c2651574fad76ade4c2c2

SHA512
2859f7249aff07a99f15febf9796a499e19b705a924073f4ce6dff6abc6b8cd9c10873dff9fd0c786c116ac75eed41aa3330dce154b60c6dc6596ba2e45fd04e

Download Submit
memory/1440-55-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-79-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-3-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-80-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-56-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-38-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-39-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-43-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-44-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-45-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-51-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-52-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-53-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-54-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-29-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-4-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-62-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-58-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-59-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-60-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-61-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-57-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-63-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-64-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-65-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-66-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-67-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-71-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-72-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-76-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-77-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1440-78-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4856-1-0x0000000000DF0000-0x0000000000FAF000-memory.dmp

Filesize
1.7MB

Download
memory/4856-2-0x0000000002850000-0x0000000002A07000-memory.dmp

Filesize
1.7MB

Download