ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193

General

Target

ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe
Size

308KB
MD5

8126da4845b543f905d79b972f48db07
SHA1

89f0d08a2eedaedbd2b99ea90a328c8f07d9b287
SHA256

ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193
SHA512

461273eeca477ef644a916a5b26a2763c325cab7e3765f862939c460123adc31ecd730fca69c5b1da50a8cd5e6dbbec053d35b999e64d06cb090e00f74426cd2
SSDEEP

3072:/c3sBG7mXh7m/zZM3jAbNOM6CNtDCZFL:E3sBz0Z4Mj72F

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral1/memory/2320-147667-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/2320-147671-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/2320-147673-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/2320-147674-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/2320-147675-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/2320-156681-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2432	csrsll.exe

Loads dropped DLL 5 IoCs

pid	Process
2320	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe
2320	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe
2320	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe
2320	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe
2320	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2320-147665-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2320-147667-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2320-147671-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2320-147673-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2320-147674-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2320-147675-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2320-156681-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2456 set thread context of 2320	2456	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2456	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe
2320	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe
2432	csrsll.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2320	2456	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe	30
PID 2456 wrote to memory of 2320	2456	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe	30
PID 2456 wrote to memory of 2320	2456	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe	30
PID 2456 wrote to memory of 2320	2456	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe	30
PID 2456 wrote to memory of 2320	2456	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe	30
PID 2456 wrote to memory of 2320	2456	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe	30
PID 2456 wrote to memory of 2320	2456	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe	30
PID 2456 wrote to memory of 2320	2456	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe	30
PID 2320 wrote to memory of 812	2320	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe	31
PID 2320 wrote to memory of 812	2320	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe	31
PID 2320 wrote to memory of 812	2320	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe	31
PID 2320 wrote to memory of 812	2320	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe	31
PID 812 wrote to memory of 2276	812	cmd.exe	33
PID 812 wrote to memory of 2276	812	cmd.exe	33
PID 812 wrote to memory of 2276	812	cmd.exe	33
PID 812 wrote to memory of 2276	812	cmd.exe	33
PID 2320 wrote to memory of 2432	2320	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe	34
PID 2320 wrote to memory of 2432	2320	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe	34
PID 2320 wrote to memory of 2432	2320	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe	34
PID 2320 wrote to memory of 2432	2320	ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe	34

C:\Users\Admin\AppData\Local\Temp\ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe
"C:\Users\Admin\AppData\Local\Temp\ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe
  "C:\Users\Admin\AppData\Local\Temp\ba257cd5df7d3d6ffdbc7a76cc0744cddf261f5407eb38a195081ce6391bb193.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\NVNAC.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
      4⤵
      Adds Run key to start application
      PID:2276
- - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NVNAC.bat

Filesize
145B

MD5
4eb61ec7816c34ec8c125acadc57ec1b

SHA1
b0015cc865c0bb1a027be663027d3829401a31cc

SHA256
08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff

SHA512
f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

Filesize
308KB

MD5
e6a1e6b2d026387924ec53013898fd47

SHA1
9335bf54c485553f7d9dbf836faac86d27003ea5

SHA256
7ad859b83a48541924c6e1b87ff0dd207e8406749db6136d9a601f46a0add767

SHA512
1e753c670bb1fd98f62ec1bf9a530f40811b702620a9a39516cbd3d2eb07644ccdfd586eab83b0977430c393c0c9a6949da988e208fae81264565995073596f5

Download Submit
memory/2320-147663-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2320-147673-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2320-156681-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2320-147665-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2320-147667-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2320-147669-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2320-147671-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2320-147675-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2320-147674-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2432-147715-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2432-178729-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/2456-147662-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2456-39536-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2456-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2456-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads