9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40

Resubmissions

26-04-2024 07:51

240426-jp4xwacb3v 10

26-04-2024 07:51

26-04-2024 07:51

26-04-2024 07:51

26-04-2024 07:51

25-04-2024 12:59

Analysis

max time kernel
296s
max time network
1805s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
Size

1.9MB
MD5

1457ef90efde49a7ee83080ce051d6f7
SHA1

8ca6d983fe2997fa7009458383b84e0d1edeb279
SHA256

9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40
SHA512

582628e02510812e0ed06cc05a1bfb98e96f019935efb71d23dd94745a0c5db12771bf0c81579dd7ad4f44b90e7192b95d5d2ed4a6649adc00b486c28df643d0
SSDEEP

49152:Vbe6aahW7iaBUHvG+vxz90ChL0WF+UIGDDS/NL:vaaA7iYb+dtQWFZvSR

Score

7^/10

discovery persistence upx

Malware Config

Signatures

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/1924-3-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-22-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-23-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-24-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-25-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-26-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-28-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-33-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-36-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-37-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-38-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-43-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-44-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-50-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-61-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-62-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-63-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-67-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-68-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-72-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-75-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-74-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-77-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-80-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-79-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-76-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-73-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-71-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-69-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-90-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-83-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-89-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-82-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-85-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-99-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-87-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-95-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-94-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-93-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-91-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-98-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-96-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-104-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-103-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-105-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-100-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-107-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-101-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral4/memory/1924-110-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Legitimate hosting services abused for malware hosting/C2 1 TTPs 37 IoCs

Web Service

T1102

Processes:

flow	ioc
105	imap.9607f5e2e672.ngrok.io
2699	mailgate.9607f5e2e672.ngrok.io
5109	mail.9607f5e2e672.ngrok.io
6027	mail.9607f5e2e672.ngrok.io
6330	9607f5e2e672.ngrok.io
6365	9607f5e2e672.ngrok.io
8283	mail.9607f5e2e672.ngrok.io
8030	pop3.9607f5e2e672.ngrok.io
4515	9607f5e2e672.ngrok.io
6366	ssh.9607f5e2e672.ngrok.io
7017	9607f5e2e672.ngrok.io
9760	mailgate.9607f5e2e672.ngrok.io
12963	relay.9607f5e2e672.ngrok.io
4812	ftp.9607f5e2e672.ngrok.io
7082	relay.9607f5e2e672.ngrok.io
7192	ssh.9607f5e2e672.ngrok.io
9294	relay.9607f5e2e672.ngrok.io
9902	relay.9607f5e2e672.ngrok.io
12325	mailgate.9607f5e2e672.ngrok.io
4814	mail.9607f5e2e672.ngrok.io
6756	imap.9607f5e2e672.ngrok.io
7190	pop.9607f5e2e672.ngrok.io
9210	relay.9607f5e2e672.ngrok.io
5096	9607f5e2e672.ngrok.io
5584	9607f5e2e672.ngrok.io
5840	ftp.9607f5e2e672.ngrok.io
9315	mailgate.9607f5e2e672.ngrok.io
10522	smtp.9607f5e2e672.ngrok.io
11230	mailgate.9607f5e2e672.ngrok.io
4782	pop.9607f5e2e672.ngrok.io
9340	mail.9607f5e2e672.ngrok.io
9896	smtp.9607f5e2e672.ngrok.io
1809	9607f5e2e672.ngrok.io
1999	9607f5e2e672.ngrok.io
2683	9607f5e2e672.ngrok.io
7470	mail.9607f5e2e672.ngrok.io
11657	mailgate.9607f5e2e672.ngrok.io

Suspicious use of SetThreadContext 1 IoCs

Processes:

9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe

description	pid	process	target process
PID 4904 set thread context of 1924	4904	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe

pid	process
1924	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
1924	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
1924	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
1924	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
1924	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
1924	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe

description	pid	process	target process
PID 4904 wrote to memory of 1924	4904	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
PID 4904 wrote to memory of 1924	4904	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
PID 4904 wrote to memory of 1924	4904	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
PID 4904 wrote to memory of 1924	4904	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
PID 4904 wrote to memory of 1924	4904	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
PID 4904 wrote to memory of 1924	4904	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
PID 4904 wrote to memory of 1924	4904	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
PID 4904 wrote to memory of 1924	4904	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe

C:\Users\Admin\AppData\Local\Temp\9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
"C:\Users\Admin\AppData\Local\Temp\9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4904

C:\Users\Admin\AppData\Local\Temp\9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
"C:\Users\Admin\AppData\Local\Temp\9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1924

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
Filesize
2.5MB

MD5
940b2445aec8067b3e55fd525cfc68f8

SHA1
dcd03811fbe29b63511458737570d61f0086dcba

SHA256
fa705ef3d922d181c9d84af2658788e69ea86c0d12f04602d12b29f10aa220b5

SHA512
c27cb8652324dfd4aef8522d5768bc2d54d84554e0f0f6dbe16b053224f8dedba772cc77c79cc8ff749fe2985639d691f8205953f4f080ce91a3cff9083b9aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
Filesize
7.0MB

MD5
da7f6a6171873d204c66ab9dbf639a27

SHA1
deac8385f57fb9f15841faaf9834e4e3cec1ecbe

SHA256
5414b1d01714f2110c03bc17e287934df9e658c71a13dc639608da5ee293f344

SHA512
9721e444a81fa254942cd08cea1fafc3237d2b2f00e9704ae1d26b4bfddc83f25f6ccc4e531bafb4708a85183907dcacc2c6984d56698bf7e4e632a090a1556e

Download Submit
memory/1924-3-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-22-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-23-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-24-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-25-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-26-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-28-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-33-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-36-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-37-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-38-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-43-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-44-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-50-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-61-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-62-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-63-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-67-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-68-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-72-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-75-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-74-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-77-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-80-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-79-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-76-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-73-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-71-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-69-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-90-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-83-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-89-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-82-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-85-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-99-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-87-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-95-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-94-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-93-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-91-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-98-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-96-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-104-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-103-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-105-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-100-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-107-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-101-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1924-110-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4904-1-0x0000000002800000-0x00000000029C6000-memory.dmp

Filesize
1.8MB

Download
memory/4904-2-0x00000000029D0000-0x0000000002B87000-memory.dmp

Filesize
1.7MB

Download