bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8

max time kernel
146s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-04-2024 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
Size

1.9MB
MD5

bab406ad3b0603a45625755ffbccce49
SHA1

7ce0bd31c68c5b54854098acad195b7a8d804939
SHA256

bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8
SHA512

a85ca2bc5ab42f8d32856a87c665b66df7d8e1c1ebbb143015d06fcc1bddba1faf684e2ee1d2a572f5ed04edf3a061837c293b5c1e3d2214864b90d8a68d25cc
SSDEEP

49152:hgWDef4IXn7EvfNf+x83OeG5ztpAEq2pe2n9SCtQV:hvo49fk83ONztiEqz2nA

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3016-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-10-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-11-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-27-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-43-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-45-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-49-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-50-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-51-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-52-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-58-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-59-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-60-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-61-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-62-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-66-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-67-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3016-68-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

description	pid	process	target process
PID 2180 set thread context of 3016	2180	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

pid	process
3016	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
3016	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
3016	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

description	pid	process	target process
PID 2180 wrote to memory of 3016	2180	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
PID 2180 wrote to memory of 3016	2180	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
PID 2180 wrote to memory of 3016	2180	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
PID 2180 wrote to memory of 3016	2180	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
PID 2180 wrote to memory of 3016	2180	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
PID 2180 wrote to memory of 3016	2180	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
PID 2180 wrote to memory of 3016	2180	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
PID 2180 wrote to memory of 3016	2180	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
PID 2180 wrote to memory of 3016	2180	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

C:\Users\Admin\AppData\Local\Temp\bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
"C:\Users\Admin\AppData\Local\Temp\bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
"C:\Users\Admin\AppData\Local\Temp\bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:3016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
Filesize
2.7MB

MD5
27acfbf94480631e547b5cb508d9d4fb

SHA1
f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c

SHA256
0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e

SHA512
902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
Filesize
20.3MB

MD5
cee0cd8925f25c244f4e69fa91825988

SHA1
c97f25fff2dbc926e9055051491ff82ba85874ed

SHA256
629daed3851fb6463953ece14d49730fcbf0b905912e4d89b397cd5cc9931290

SHA512
122b2052e7363a64e149ff6021546c5af652dd1c0570c1a4cff1a28b2106d097657309d7d8489b4f9521413be25b3298615f6ff76b279bd34956484872de7eb2

Download Submit
memory/2180-0-0x0000000002090000-0x0000000002248000-memory.dmp

Filesize
1.7MB

Download
memory/2180-1-0x0000000002090000-0x0000000002248000-memory.dmp

Filesize
1.7MB

Download
memory/2180-2-0x0000000002250000-0x0000000002407000-memory.dmp

Filesize
1.7MB

Download
memory/3016-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-50-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-10-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-11-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-27-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3016-43-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-45-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-49-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-51-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-52-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-58-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-59-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-60-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-61-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-62-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-66-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-67-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3016-68-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download