bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6

Resubmissions

26/04/2024, 07:57

240426-jtn28acb7z 7

26/04/2024, 07:57

26/04/2024, 07:57

26/04/2024, 07:57

26/04/2024, 07:57

25/04/2024, 13:12

Analysis

max time kernel
1197s
max time network
1203s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26/04/2024, 07:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe
Size

1.8MB
MD5

a5373af0c48a42a8ba50434e68766ba9
SHA1

40e532e24c32a1f68d127f0598c96cf5e03af00f
SHA256

bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6
SHA512

a526c9d6797af5c6071bfb60b0b9cc540e08ac7af9ac16d977dd86bfd81e3013fb6cf763f3397b8be3d03ac02013045d2761c956c4687b270e105fd2b2065ebf
SSDEEP

49152:lsE6hiwv8oNhqbOpn1jJz5eRY4YSl+COVA:G1hF1CkFwRY4YSkCO

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/3824-2-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-14-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-15-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-16-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-17-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-18-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-27-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-30-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-31-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-35-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-41-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-42-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-43-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-47-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-52-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-58-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-60-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-64-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-65-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-66-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-70-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-71-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-72-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-73-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-74-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-78-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-79-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-80-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-81-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-82-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-83-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-84-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-85-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-89-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-90-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-91-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-95-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-99-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-100-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-101-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-102-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-103-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-104-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-105-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-109-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-110-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-111-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-112-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-113-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-114-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-115-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-119-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-120-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-121-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-122-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-123-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-124-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-128-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3824-132-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4788 set thread context of 3824	4788	bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe	73

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3824	bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe
3824	bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe
3824	bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe
3824	bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe
3824	bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe
3824	bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 3824	4788	bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe	73
PID 4788 wrote to memory of 3824	4788	bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe	73
PID 4788 wrote to memory of 3824	4788	bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe	73
PID 4788 wrote to memory of 3824	4788	bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe	73
PID 4788 wrote to memory of 3824	4788	bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe	73
PID 4788 wrote to memory of 3824	4788	bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe	73
PID 4788 wrote to memory of 3824	4788	bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe	73
PID 4788 wrote to memory of 3824	4788	bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe	73

C:\Users\Admin\AppData\Local\Temp\bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe
"C:\Users\Admin\AppData\Local\Temp\bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Users\Admin\AppData\Local\Temp\bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe
  "C:\Users\Admin\AppData\Local\Temp\bf711a804180be42b3e783997bc96c0b57e55a84c8fb9c91b8f85356d16d66a6.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.5MB

MD5
72b9fd75f34c5bd6a42cb6d59df73908

SHA1
e7f78566af114217bba2cdbc9481fd878808dea6

SHA256
1ea9e7568b8da6e7e1d3aee7e138589cadec89773fddb27c993c95aea40b474b

SHA512
38af11ab7e522dcae5d8f0d99c99d439ee2ab007b6c4622370c4ef31d1f8a182262d126e4ac1a0c335605391d5fcea41809ec78af64e55bbea50a9560851807a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
5.9MB

MD5
04876c9d3ff7be42ca8ff8e4e708868c

SHA1
8d7e8271269e1ef5e0917ac0093bfc788b586252

SHA256
867c3f2e4256bcdf5754ba29f987e8dd3620e8ed0654d0ca468ac559e87d89f9

SHA512
ebc28fc7e2aa0d2e6deff71c6ac4145501035e9f9abe5c37ebd0168e7793c5826b824569d528fbc710c4121419ae54f7dbb837a13e3ab2ba8688a909ae55c6d9

Download Submit
memory/3824-78-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-81-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-134-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-2-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-14-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-15-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-16-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-17-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-18-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-133-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-27-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-30-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-31-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-35-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-41-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-42-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-43-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-47-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-52-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-58-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-60-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-64-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-65-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-66-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-70-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-71-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-72-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-73-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-74-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-115-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-79-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-82-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-83-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-84-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-85-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-89-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-90-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-91-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-95-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-99-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-100-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-101-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-102-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-103-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-104-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-105-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-109-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-110-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-111-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-112-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-113-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-114-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-80-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-119-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-120-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-121-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-122-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-123-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-124-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-128-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3824-132-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4788-4-0x00000000026F0000-0x00000000028A7000-memory.dmp

Filesize
1.7MB

Download
memory/4788-1-0x0000000002520000-0x00000000026E2000-memory.dmp

Filesize
1.8MB

Download