bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8

max time kernel
258s
max time network
1205s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
Size

1.9MB
MD5

bab406ad3b0603a45625755ffbccce49
SHA1

7ce0bd31c68c5b54854098acad195b7a8d804939
SHA256

bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8
SHA512

a85ca2bc5ab42f8d32856a87c665b66df7d8e1c1ebbb143015d06fcc1bddba1faf684e2ee1d2a572f5ed04edf3a061837c293b5c1e3d2214864b90d8a68d25cc
SSDEEP

49152:hgWDef4IXn7EvfNf+x83OeG5ztpAEq2pe2n9SCtQV:hvo49fk83ONztiEqz2nA

Score

7^/10

discovery persistence upx

Malware Config

Signatures

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral3/memory/1776-3-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-4-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-13-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-14-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-15-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-16-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-17-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-18-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-19-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-22-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-23-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-24-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-25-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-26-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-27-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-43-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-44-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-45-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-49-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-50-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-59-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-60-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-61-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-62-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-63-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-65-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-70-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-79-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-84-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-85-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-97-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-100-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-99-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-93-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-92-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-87-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-95-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-83-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-88-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-81-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-80-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-77-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-75-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-73-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-78-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-74-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-69-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-72-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/1776-67-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

1303 discord.com
1352 discord.com
1986 discord.com
3107 discord.com

flow	ioc
1303	discord.com
1352	discord.com
1986	discord.com
3107	discord.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

description	pid	process	target process
PID 4300 set thread context of 1776	4300	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

pid	process
1776	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
1776	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
1776	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
1776	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
1776	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
1776	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

description	pid	process	target process
PID 4300 wrote to memory of 1776	4300	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
PID 4300 wrote to memory of 1776	4300	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
PID 4300 wrote to memory of 1776	4300	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
PID 4300 wrote to memory of 1776	4300	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
PID 4300 wrote to memory of 1776	4300	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
PID 4300 wrote to memory of 1776	4300	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
PID 4300 wrote to memory of 1776	4300	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
PID 4300 wrote to memory of 1776	4300	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

C:\Users\Admin\AppData\Local\Temp\bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
"C:\Users\Admin\AppData\Local\Temp\bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Users\Admin\AppData\Local\Temp\bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
  "C:\Users\Admin\AppData\Local\Temp\bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3784 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:8436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
dab2b43a5160f05ac051521d8b3c9cb3

SHA1
68363d3e871099ff6d1a555e4c1c78bb8f15fb5d

SHA256
af4bb8cfd42af037db2ce687f858c9627e7dc9d953a46f8539c9cd6fa2e8eebc

SHA512
ad5a16746933b869d0e520bec027ff37cefd75c5add28ec8811bef0fffbe0126b6b44cb9c80c70dbe088bbbfb9e3a611bb1370189d8978793cbeb36ea9873211

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
8.6MB

MD5
219f74732fc576aa8f2e167eba81f027

SHA1
4f19be681007f1885c722553af12647f7c0f35b3

SHA256
d40f97c7ceca62500c2cf23443514054d576d2fb884e3247fcff0c306cbb115a

SHA512
6dd44974d08ebfeb922c1c295d2a221c1178950aed9e0235c6f5b55aa9a7d45859e69536dbd2541893e2efbc40628f3e09d36e1b7b4279ccc45ca5b0daaee635

Download Submit
memory/1776-3-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-4-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-13-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-14-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-15-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-16-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-17-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-18-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-19-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-22-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-23-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-24-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-25-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-26-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-27-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-43-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-44-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-45-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-49-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-50-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-59-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-60-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-61-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-62-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-63-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-65-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-70-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-79-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-84-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-85-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-97-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-100-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-99-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-93-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-92-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-87-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-95-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-83-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-88-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-81-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-80-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-77-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-75-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-73-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-78-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-74-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-69-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-72-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1776-67-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4300-1-0x0000000002420000-0x00000000025DA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-2-0x00000000025E0000-0x0000000002797000-memory.dmp

Filesize
1.7MB

Download