c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2

Resubmissions

17/04/2024, 09:08

240417-k365tscb7t 7

17/04/2024, 09:08

17/04/2024, 09:08

17/04/2024, 09:08

17/04/2024, 09:08

17/04/2024, 06:27

Analysis

max time kernel
293s
max time network
299s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 09:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe
Size

1.7MB
MD5

e102369339e77c6fbf23ab781f6fc83d
SHA1

fe9ec598339f34d790facb557bab2fc7364ec7f0
SHA256

c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2
SHA512

3600ffedd78f99e52088a6f91b55ebc0754b9d13599bbd49889d47a0ec3ff3c1fdfeaa73880449019f94b48996343bb15f9a9582377cebc4605321673ce9b923
SSDEEP

24576:ZNWCaKUy52nfgmSd41dySQx/ImbL9lUT+mzGmFBMRTivxVLjh4K+rNuC63d97rG:ayQPSd42SWIyOzbBMcxVLd3q0CQP

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2064-5-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-7-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-8-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-9-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-10-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-11-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-16-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-17-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-18-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-27-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-44-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-48-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-51-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-53-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-54-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-58-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-59-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-60-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-61-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-62-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-66-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-67-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-68-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-70-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-71-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-72-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-76-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-77-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-78-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-79-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-80-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-84-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-88-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-89-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-90-0x0000000000400000-0x00000000007A3000-memory.dmp	upx
behavioral2/memory/2064-94-0x0000000000400000-0x00000000007A3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2960 set thread context of 2064	2960	c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2064	c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe
2064	c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe
2064	c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2064	2960	c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe	28
PID 2960 wrote to memory of 2064	2960	c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe	28
PID 2960 wrote to memory of 2064	2960	c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe	28
PID 2960 wrote to memory of 2064	2960	c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe	28
PID 2960 wrote to memory of 2064	2960	c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe	28
PID 2960 wrote to memory of 2064	2960	c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe	28
PID 2960 wrote to memory of 2064	2960	c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe	28
PID 2960 wrote to memory of 2064	2960	c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe	28
PID 2960 wrote to memory of 2064	2960	c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe	28

C:\Users\Admin\AppData\Local\Temp\c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe
"C:\Users\Admin\AppData\Local\Temp\c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe
  "C:\Users\Admin\AppData\Local\Temp\c01adf631e11c792e61e9cb90bdbd459f71651eea586d5f82078654246631db2.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
4d5872fc6d706e7ce4f0eefa44626874

SHA1
b26e9d2c21bc763afd3203deaa5a9a1377a6c3c0

SHA256
35c720faed73178e4f408f59201fff95dce43e7863bd61337f67c26e8404c9c1

SHA512
e634e56318e3e8e0da4b071398558aaf9ebe81dbe2d631dcb937e621bb74a5d3632c3791ed9ade312b900c1addf6b800b62e3da6520b98248a13649ef67223f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
9.6MB

MD5
0960c7fc88a5581f858534ef5b58a124

SHA1
bdd6063079274395e3e6ae72931e81c87c308551

SHA256
684846b21cf546c2e9d880259432dcbc0e0179d68e743e1abfcb86c4a5aeecf9

SHA512
aa1aabeb04e0fcc28f3571c8ab6e87f8a254fca85bf6ece1017a52bf1a074c0358bec4858001eb4288c6804892a1822b687d7f6c9cbbafff3554699c7873de50

Download Submit
memory/2064-54-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-44-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-94-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-7-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-8-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-9-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-10-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-11-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-16-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-17-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-18-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2064-27-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-90-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-58-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-48-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-51-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-53-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-5-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-89-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-67-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-60-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-61-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-62-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-66-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-59-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-68-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-70-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-71-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-72-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-76-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-77-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-78-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-79-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-80-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-84-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2064-88-0x0000000000400000-0x00000000007A3000-memory.dmp

Filesize
3.6MB

Download
memory/2960-0-0x0000000001F60000-0x00000000020E3000-memory.dmp

Filesize
1.5MB

Download
memory/2960-2-0x0000000001F60000-0x00000000020E3000-memory.dmp

Filesize
1.5MB

Download
memory/2960-4-0x00000000020F0000-0x0000000002273000-memory.dmp

Filesize
1.5MB

Download