9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40

Resubmissions

26-04-2024 07:51

240426-jp4xwacb3v 10

26-04-2024 07:51

26-04-2024 07:51

26-04-2024 07:51

26-04-2024 07:51

25-04-2024 12:59

Analysis

max time kernel
454s
max time network
1801s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
26-04-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
Size

1.9MB
MD5

1457ef90efde49a7ee83080ce051d6f7
SHA1

8ca6d983fe2997fa7009458383b84e0d1edeb279
SHA256

9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40
SHA512

582628e02510812e0ed06cc05a1bfb98e96f019935efb71d23dd94745a0c5db12771bf0c81579dd7ad4f44b90e7192b95d5d2ed4a6649adc00b486c28df643d0
SSDEEP

49152:Vbe6aahW7iaBUHvG+vxz90ChL0WF+UIGDDS/NL:vaaA7iYb+dtQWFZvSR

Score

10^/10

discovery motw persistence phishing upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
gsbstb.apphost.in
Port:
21
Username:
[email protected]
Password:
Yatingr8

Extracted

Credentials

Protocol: ftp
Host:
gsbstb.apphost.in
Port:
21
Username:
24121206901
Password:
Yatingr8

Signatures

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral5/memory/4144-3-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-14-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-15-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-16-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-17-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-26-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-29-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-33-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-38-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-39-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-40-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-44-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-47-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-50-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-60-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-61-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-65-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-67-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-68-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-69-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-70-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-73-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-72-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-74-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-75-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-76-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-78-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-86-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-81-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-90-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-92-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-109-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-106-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-104-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-102-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-100-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-99-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-107-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-97-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-105-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-95-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-93-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-94-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-88-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-89-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-83-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-84-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-82-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral5/memory/4144-80-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Legitimate hosting services abused for malware hosting/C2 1 TTPs 36 IoCs

Web Service

T1102

Processes:

flow	ioc
9030	smtp.21b3496f.ngrok.io
6723	mail.21b3496f.ngrok.io
7004	ftp.21b3496f.ngrok.io
5081	21b3496f.ngrok.io
7846	21b3496f.ngrok.io
11620	relay.21b3496f.ngrok.io
7844	mail.21b3496f.ngrok.io
9525	smtp.21b3496f.ngrok.io
11390	mailgate.21b3496f.ngrok.io
5454	21b3496f.ngrok.io
5859	mailgate.21b3496f.ngrok.io
6797	21b3496f.ngrok.io
7530	mailgate.21b3496f.ngrok.io
7544	pop.21b3496f.ngrok.io
12694	relay.21b3496f.ngrok.io
4916	21b3496f.ngrok.io
5344	relay.21b3496f.ngrok.io
6760	ssh.21b3496f.ngrok.io
7970	pop3.21b3496f.ngrok.io
8570	imap.21b3496f.ngrok.io
8380	mail.21b3496f.ngrok.io
8482	mailgate.21b3496f.ngrok.io
12199	relay.21b3496f.ngrok.io
5441	relay.21b3496f.ngrok.io
5637	21b3496f.ngrok.io
7426	ssh.21b3496f.ngrok.io
7564	21b3496f.ngrok.io
7891	imap.21b3496f.ngrok.io
5832	21b3496f.ngrok.io
6590	21b3496f.ngrok.io
8963	mailgate.21b3496f.ngrok.io
6212	ftp.21b3496f.ngrok.io
7126	21b3496f.ngrok.io
7194	mail.21b3496f.ngrok.io
8981	mail.21b3496f.ngrok.io
10350	mailgate.21b3496f.ngrok.io

Mark of the Web detected: This indicates that the page was originally saved or cloned. 4 IoCs

phishing motw

Processes:

flow	ioc
2591	https://df.onecloud.azure-test.net/Error/UE_404?shown=true
3968	https://df.onecloud.azure-test.net/Error/UE_404?shown=true
2582	https://df.onecloud.azure-test.net/Error/UE_404?shown=true
2937	https://df.onecloud.azure-test.net/Error/UE_404?shown=true

Suspicious use of SetThreadContext 1 IoCs

Processes:

9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe

description	pid	process	target process
PID 3224 set thread context of 4144	3224	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe

pid	process
4144	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
4144	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
4144	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
4144	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
4144	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
4144	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe

description	pid	process	target process
PID 3224 wrote to memory of 4144	3224	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
PID 3224 wrote to memory of 4144	3224	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
PID 3224 wrote to memory of 4144	3224	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
PID 3224 wrote to memory of 4144	3224	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
PID 3224 wrote to memory of 4144	3224	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
PID 3224 wrote to memory of 4144	3224	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
PID 3224 wrote to memory of 4144	3224	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
PID 3224 wrote to memory of 4144	3224	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe	9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe

C:\Users\Admin\AppData\Local\Temp\9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
"C:\Users\Admin\AppData\Local\Temp\9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3224

C:\Users\Admin\AppData\Local\Temp\9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe
"C:\Users\Admin\AppData\Local\Temp\9bb0954a71edfd122a5e2b14850702a453fdbf5a632265337c0aee558bdd3e40.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:4144

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus
Filesize
2.5MB

MD5
940b2445aec8067b3e55fd525cfc68f8

SHA1
dcd03811fbe29b63511458737570d61f0086dcba

SHA256
fa705ef3d922d181c9d84af2658788e69ea86c0d12f04602d12b29f10aa220b5

SHA512
c27cb8652324dfd4aef8522d5768bc2d54d84554e0f0f6dbe16b053224f8dedba772cc77c79cc8ff749fe2985639d691f8205953f4f080ce91a3cff9083b9aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
Filesize
5.7MB

MD5
fa06da80a62c45384833b90535e7a75d

SHA1
e1b189f413a98cd98ebce5f9bf9c0878d42b79ef

SHA256
be45e27586d10c5b00620a5e41acdab884e78c654bc9ceda7f7926ef3b8321ae

SHA512
706370da2999cbe93b764ff05a0fed2dfa058f79e991e6a28425e14622555de2a5c59c1c511810b7ba6797748592691ca76ea6fcb97ce5bc17c2f75f11e9b8a5

Download Submit
memory/3224-1-0x00000000026F0000-0x00000000028AF000-memory.dmp

Filesize
1.7MB

Download
memory/3224-2-0x00000000028B0000-0x0000000002A67000-memory.dmp

Filesize
1.7MB

Download
memory/4144-3-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-14-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-15-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-16-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-17-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-26-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-29-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-33-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-38-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-39-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-40-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-44-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-47-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-50-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-60-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-61-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-65-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-67-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-68-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-69-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-70-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-73-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-72-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-74-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-75-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-76-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-78-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-86-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-81-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-90-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-92-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-109-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-106-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-104-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-102-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-100-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-99-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-107-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-97-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-105-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-95-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-93-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-94-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-88-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-89-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-83-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-84-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-82-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4144-80-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download