96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2

General

Target

96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe
Size

1.9MB
MD5

1b5058c908a0644e00c5d4cffadc848b
SHA1

fb82054dc5a2063b279487556888c7d50f258cd1
SHA256

96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2
SHA512

70ed4fc7f8b40c5e39ee593359f93ffdbc1494e87ec6fc21eb9615581be9c38f307098ebcecf8fcf61e9b14b92649603debbdc382a8901e9ee7b0183c70b4873
SSDEEP

49152:SzR0AzPFO8AIlpFyl9aQ6r6p5Dp/+4sLcO9dx:CCAzPTG9a6jR+x9dx

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3416-1-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-4-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-3-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-22-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-23-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-25-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-31-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-35-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-36-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-37-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-40-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-50-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-51-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-52-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-56-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-57-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-61-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-66-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-64-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-62-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-104-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-105-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-107-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-106-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-102-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/3416-100-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1748 set thread context of 3416	1748	96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3416	96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe
3416	96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe
3416	96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe
3416	96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe
3416	96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe
3416	96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 3416	1748	96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe	84
PID 1748 wrote to memory of 3416	1748	96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe	84
PID 1748 wrote to memory of 3416	1748	96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe	84
PID 1748 wrote to memory of 3416	1748	96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe	84
PID 1748 wrote to memory of 3416	1748	96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe	84
PID 1748 wrote to memory of 3416	1748	96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe	84
PID 1748 wrote to memory of 3416	1748	96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe	84
PID 1748 wrote to memory of 3416	1748	96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe	84

C:\Users\Admin\AppData\Local\Temp\96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe
"C:\Users\Admin\AppData\Local\Temp\96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe
  "C:\Users\Admin\AppData\Local\Temp\96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.5MB

MD5
8b81b9a8ccb2f0ff0ef948aaf107371e

SHA1
9f7067b584911a3abdefdaea3d970bcb9e05f920

SHA256
98ffa9adefb64de74ae8992e0ac65b91ee2e98e71289aa4fdd49b914d92af740

SHA512
c82ce33f478ff669f6fbc05cc9cbdcb3affcd0381d993fcc29cd586c622fb0d735ef568023951b99ba673d225c04fc333e728d774ac6f81852bc564c30d3d9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
7.1MB

MD5
04fc139b1a0e3b62452f015e57def9b1

SHA1
c381ebed08b8e0f23eb4f5d21c77d9cbd7637628

SHA256
6095e1280a7c35c121f6813fc01906a731ad9802af44ad69ccd780298d1ad1d3

SHA512
11892939ab9b3f61aec7286dd2f5eda1339f9bbf8cc014953ef06951867ee53b4f016b48ecdf8245474016a938752d4f1cbd461cfbe2af9975db7d288dcf418c

Download Submit
memory/1748-2-0x00000000037D0000-0x000000000398F000-memory.dmp

Filesize
1.7MB

Download
memory/1748-5-0x0000000003990000-0x0000000003B47000-memory.dmp

Filesize
1.7MB

Download
memory/3416-36-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-50-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-22-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-23-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-25-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-4-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-31-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-35-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-1-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-37-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-40-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-3-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-51-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-52-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-56-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-57-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-61-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-66-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-64-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-62-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-104-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-105-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-107-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-106-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-102-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3416-100-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads