534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c

General

Target

534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe
Size

1.9MB
MD5

72929dc9cd7ff04c903459f70d0756a6
SHA1

ecc70471eec1491257d0b954e92484a666b15a81
SHA256

534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c
SHA512

1bfb064e45d906fd6fa7c75f3a32cb4a27cb32f3dd3564334d6573d5430e465d6929a1330905f42c81bb538976cccc7c9e10ed60e36b1884e12c797720983d47
SSDEEP

49152:QGJTeLOqwizFY/f1QRv41eaTNGC0Y8ZxMjI6IeLH3q:T1wOqwMY/Kv41VfBJj

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 21 IoCs

resource	yara_rule
behavioral2/memory/372-4-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-7-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-6-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-5-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-3-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-8-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-9-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-14-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-15-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-16-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-32-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-36-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-47-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-51-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-52-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-53-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-57-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-58-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-59-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-60-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/372-64-0x0000000000400000-0x0000000000848000-memory.dmp	UPX

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/372-4-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-3-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-14-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-15-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-16-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-32-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-36-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-47-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-51-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-52-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-53-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-57-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-58-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-59-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-60-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/372-64-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4656 set thread context of 372	4656	534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
372	534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe
372	534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe
372	534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe
372	534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe
372	534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe
372	534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 372	4656	534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe	85
PID 4656 wrote to memory of 372	4656	534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe	85
PID 4656 wrote to memory of 372	4656	534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe	85
PID 4656 wrote to memory of 372	4656	534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe	85
PID 4656 wrote to memory of 372	4656	534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe	85
PID 4656 wrote to memory of 372	4656	534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe	85
PID 4656 wrote to memory of 372	4656	534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe	85
PID 4656 wrote to memory of 372	4656	534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe	85

C:\Users\Admin\AppData\Local\Temp\534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe
"C:\Users\Admin\AppData\Local\Temp\534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\Temp\534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe
  "C:\Users\Admin\AppData\Local\Temp\534b0503426f82746a3b5b8588e8c98312230c2e41979190638416d86a67009c.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.5MB

MD5
043a57b2f0098251466f734784501fcb

SHA1
86d8a7bca769a1053467b0b7d9f89329a6f3c1e1

SHA256
ea82f52ee5c4e2cfd171376a84d158fe28511938f28890614f1f7d9aafe5cd76

SHA512
9f1d06e596324b0d324a1fa985eec08791ee53b6c969c8ce39e9e83193e226b9c50b86462da2be03bb833c50cf3361e9eed36ecd7003c58596d2c215a21e89b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
8.1MB

MD5
8093af2c399610533df32a6b256d5e53

SHA1
25aa323ffcc054dd65d9ba5aae91a5589d7542be

SHA256
a83fec5fad23fd772e6277f8726b4bb2b6c5b439a5d27c4cb65cdc5078d27aac

SHA512
6af259ff981c067a56610d523be2a196aba3599caec7e7c8a39434e5e8ef29d842049aa70aaaf7cc00751634d8bcdcec9fdc10b4c8466edf2f8eca653bd7cfbc

Download Submit
memory/372-3-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-15-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-64-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-32-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-60-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-16-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-4-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-14-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-36-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-47-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-51-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-52-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-53-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-57-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-58-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/372-59-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/4656-2-0x0000000002400000-0x00000000025B7000-memory.dmp

Filesize
1.7MB

Download
memory/4656-1-0x0000000002230000-0x00000000023F1000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads