bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8

max time kernel
434s
max time network
1800s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
12/04/2024, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
Size

1.9MB
MD5

bab406ad3b0603a45625755ffbccce49
SHA1

7ce0bd31c68c5b54854098acad195b7a8d804939
SHA256

bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8
SHA512

a85ca2bc5ab42f8d32856a87c665b66df7d8e1c1ebbb143015d06fcc1bddba1faf684e2ee1d2a572f5ed04edf3a061837c293b5c1e3d2214864b90d8a68d25cc
SSDEEP

49152:hgWDef4IXn7EvfNf+x83OeG5ztpAEq2pe2n9SCtQV:hvo49fk83ONztiEqz2nA

Score

10^/10

discovery persistence upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
sipeges.it
Port:
21
Username:
[email protected]
Password:
2022M

Extracted

Credentials

Protocol: ftp
Host:
sipeges.it
Port:
21
Username:
eventi
Password:
2022M

Signatures

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/4548-3-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-14-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-15-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-16-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-35-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-46-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-50-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-53-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-54-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-58-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-59-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-60-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-61-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-62-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-63-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-64-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-65-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-68-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-73-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-72-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-75-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-79-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-70-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-86-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-94-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-96-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-105-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-104-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-93-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-103-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-88-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-87-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-97-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-89-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-82-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-76-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-81-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-85-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-78-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-69-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-71-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-67-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-98-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-100-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-116-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-107-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-118-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-108-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-120-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-114-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/4548-117-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4576 set thread context of 4548	4576	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4548	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
4548	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
4548	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
4548	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
4548	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
4548	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 4548	4576	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	78
PID 4576 wrote to memory of 4548	4576	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	78
PID 4576 wrote to memory of 4548	4576	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	78
PID 4576 wrote to memory of 4548	4576	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	78
PID 4576 wrote to memory of 4548	4576	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	78
PID 4576 wrote to memory of 4548	4576	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	78
PID 4576 wrote to memory of 4548	4576	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	78
PID 4576 wrote to memory of 4548	4576	bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe	78

C:\Users\Admin\AppData\Local\Temp\bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
"C:\Users\Admin\AppData\Local\Temp\bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Local\Temp\bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe
  "C:\Users\Admin\AppData\Local\Temp\bee5a8794014d11323dfb0276e541a0ee9567f61521a1a885ade5ca2d87f36d8.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus

Filesize
2.7MB

MD5
ab9edbf2abe36a005b75ed63e6c044f5

SHA1
641b5f77d9b0395d87c197a1671f37025410dd06

SHA256
6633922a7479ba93178e02f8dde9db0dc50cec012759ea4b66fd5cf5cf92bbad

SHA512
d848019b147fbc0709a09c135979df29a339b7c5a84899fa8cba2dc2cf3fbd3e085877f57cbbb20404126c8dae9db061a98316cd2d2248e400e282ec95b4b827

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
8.7MB

MD5
636c1779d21459cc4e1108cec68e684c

SHA1
07ef5cefd96895f295aa2dd9d54d6c6373d341a1

SHA256
bde81836a209aa5df7844a71cc6c46f587b1b0bbcc06b9ec3092b572f1fa2ea0

SHA512
654f3c943b4e01f3abbc40b43cbe0f71074058c9d223376218dfa449b00fc0c28bb446ae5f2f705b90f7a88f4a6b88da1736486a9a43c4ce87e014f958f7088c

Download Submit
memory/4548-3-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-14-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-15-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-16-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-35-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-46-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-50-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-53-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-54-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-58-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-59-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-60-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-61-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-62-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-63-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-64-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-65-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-68-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-73-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-72-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-75-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-79-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-70-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-86-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-94-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-96-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-105-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-104-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-93-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-103-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-88-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-87-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-97-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-89-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-82-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-76-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-81-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-85-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-78-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-69-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-71-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-67-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-98-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-100-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-116-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-107-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-118-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-108-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-120-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-114-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4548-117-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4576-1-0x00000000026C0000-0x000000000287D000-memory.dmp

Filesize
1.7MB

Download
memory/4576-2-0x0000000002880000-0x0000000002A37000-memory.dmp

Filesize
1.7MB

Download