ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81

Resubmissions

07/05/2024, 08:48

240507-kqly5abh68 10

07/05/2024, 08:48

07/05/2024, 08:48

07/05/2024, 08:48

07/05/2024, 08:48

25/04/2024, 13:13

Analysis

max time kernel
1791s
max time network
1804s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07/05/2024, 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe
Size

1.9MB
MD5

c4ee55c8f75cf73eb54594775e06a94a
SHA1

3604f680c80cd43621ca45dc911e61e14cf24cb6
SHA256

ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81
SHA512

f13b63c25aba363d81f98ed3a14808f64865ba13f1956adffd0f5202a20c2c51a294519e030d079fa5825a88cf6066ad13db4257c00eadfa873a55b2c4acbc18
SSDEEP

49152:d/bZlebN53l9AsH7yGkm0IP9C/+7iNQXf3DLXrvjA:Ubn3zAu7l50SC2+CTT

Score

10^/10

discovery persistence upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
xi-tech.com
Port:
21
Username:
[email protected]
Password:
B2aster234stro2730

Extracted

Credentials

Protocol: ftp
Host:
commerzdirektservice.de
Port:
21
Username:
[email protected]
Password:
E7m

Extracted

Credentials

Protocol: ftp
Host:
www.commerzdirektservice.de
Port:
21
Username:
ayseguel.karslioglu
Password:
E7m

Signatures

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/3164-1-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-4-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-2-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-14-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-15-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-16-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-25-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-27-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-33-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-39-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-40-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-41-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-42-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-43-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-45-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-54-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-55-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-59-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-60-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-64-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-65-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-66-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-70-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-71-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-72-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-73-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-77-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-78-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-79-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-94-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-93-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-112-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-111-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-110-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-108-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-107-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-105-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-103-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-101-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-99-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-97-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-95-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-92-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-91-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-89-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-87-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-86-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-84-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-113-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-109-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-106-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-104-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-102-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-100-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-98-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-96-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-80-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-90-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-88-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral3/memory/3164-85-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4800 set thread context of 3164	4800	ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe	72

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
10984	3164	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3164	ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe
3164	ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe
3164	ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe
3164	ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe
3164	ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe
3164	ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 3164	4800	ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe	72
PID 4800 wrote to memory of 3164	4800	ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe	72
PID 4800 wrote to memory of 3164	4800	ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe	72
PID 4800 wrote to memory of 3164	4800	ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe	72
PID 4800 wrote to memory of 3164	4800	ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe	72
PID 4800 wrote to memory of 3164	4800	ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe	72
PID 4800 wrote to memory of 3164	4800	ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe	72
PID 4800 wrote to memory of 3164	4800	ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe	72

C:\Users\Admin\AppData\Local\Temp\ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe
"C:\Users\Admin\AppData\Local\Temp\ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe
  "C:\Users\Admin\AppData\Local\Temp\ceaab53560fe27d25ae139dd736a26f32daf3a1b3ce8410c1153a422205dea81.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:3164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 43188
    3⤵
    - Program crash
    PID:10984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.4MB

MD5
dde78eff34a6e66b6ea6d178bc426549

SHA1
b253863b59f1502d06dfbcd3dd14313fe44c9e78

SHA256
a869e89870d10561112f15016a20789dae97004d52c3258ddc11e0ebbc91137e

SHA512
343452cd55b21a98f663e3cede0d29f77545f03c93cb0a3caa06160419991023226e03e957cda1cc3ef9bcfcf0dc7a103f875048971f9b6eb94133448e410141

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
6.6MB

MD5
a909aa891bfe94251270d7c8b5db6cb7

SHA1
a41300f005ee65eedcba209d056c7ffc40795cc8

SHA256
7c8bbf9dd4f5dc346dd1080e982cda0939dba23d54e17d1f5548029556196b2f

SHA512
7016419ce42f67535954d019d27d7ce54ac124b4c2d2b79f857f9a8fccee52d521885517b618a77f98189cced19eeb4fb8d06984b8a00d5edd8fe254edae24a5

Download Submit
memory/3164-79-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-112-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-4-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-2-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-14-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-15-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-16-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-25-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-27-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-33-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-39-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-40-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-41-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-42-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-43-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-45-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-54-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-55-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-59-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-60-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-64-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-65-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-66-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-70-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-71-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-72-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-73-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-77-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-78-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-1-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-111-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-93-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-94-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-110-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-108-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-107-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-105-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-103-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-101-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-99-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-97-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-95-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-92-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-91-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-89-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-87-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-86-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-84-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-113-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-109-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-106-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-104-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-102-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-100-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-98-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-96-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-80-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-90-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-88-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-85-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-83-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-82-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3164-81-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4800-5-0x00000000027A0000-0x0000000002957000-memory.dmp

Filesize
1.7MB

Download
memory/4800-3-0x00000000024D0000-0x0000000002692000-memory.dmp

Filesize
1.8MB

Download