532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0

General

Target

532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
Size

1.8MB
MD5

3a63a81a00f53dd4395c50ec432b182e
SHA1

591f1577dfdc0c3b272d54d0c95121b739ccf886
SHA256

532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0
SHA512

ca04d4be3d4beb43037c0dc4a7264b63db7ec3d21d6eb4340418fd3cb320d631e40cd6cd6659dc3e176e1b4e1d2327384c5a7a56ddb5880efbe690d3cc15a005
SSDEEP

49152:BWNWvJ/aS8JCfmIa2Wtu5800SjRoCOAzU:BWMvJ/gsiSllO2

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 22 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2044-3-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-5-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-9-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-6-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-8-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-10-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-11-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-25-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-41-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-42-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-43-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-47-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-48-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-51-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-55-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-56-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-60-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-61-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-62-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-63-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-64-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral1/memory/2044-68-0x0000000000400000-0x0000000000848000-memory.dmp	UPX

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2044-3-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-10-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-11-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-25-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-41-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-42-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-43-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-47-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-48-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-51-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-55-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-56-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-60-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-61-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-62-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-63-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-64-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral1/memory/2044-68-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe

description	pid	process	target process
PID 3040 set thread context of 2044	3040	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe

pid	process
2044	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
2044	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
2044	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe

description	pid	process	target process
PID 3040 wrote to memory of 2044	3040	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
PID 3040 wrote to memory of 2044	3040	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
PID 3040 wrote to memory of 2044	3040	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
PID 3040 wrote to memory of 2044	3040	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
PID 3040 wrote to memory of 2044	3040	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
PID 3040 wrote to memory of 2044	3040	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
PID 3040 wrote to memory of 2044	3040	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
PID 3040 wrote to memory of 2044	3040	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
PID 3040 wrote to memory of 2044	3040	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe

C:\Users\Admin\AppData\Local\Temp\532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
"C:\Users\Admin\AppData\Local\Temp\532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
"C:\Users\Admin\AppData\Local\Temp\532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.4MB

MD5
d31c44ba0c8b93109f493c820cc4ca5b

SHA1
5f321115e54c0ba64080a2567c6962f7c0277195

SHA256
ad0643326174a170ff9eb5c1b81f7f62d7381ae1ac18022041d52aacb661122c

SHA512
354dc23d508df8d471ac46edcea088a9a786b5b1195531f4a625259424ae3cacc92d9799a5646af6442f55f3f8f4e369fc757eacd05e59fbaee52bfaa35985db

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
8.0MB

MD5
6b51756c1190d6b456684b57a66d0b2d

SHA1
9d19b5af154d671b7b95862fdf4d4b49a107b658

SHA256
6a0cb0d2a634eeb79f124af1bbd6fec63f79fe5b1aee2a716f9604158482fdac

SHA512
29db947e5967c59e95e2e412293f0baf1a1532f0d7b0042555b4c86c7d552485a81fe795308e310fd9f3d0b5c3b53bd84b75e436b220e2fc0ae56c08d4978887

Download Submit
memory/2044-25-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-61-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-62-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-64-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2044-10-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-11-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-63-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-68-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-41-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-42-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-43-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-47-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-48-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-51-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-55-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-56-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-60-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2044-3-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/3040-4-0x0000000004780000-0x0000000004938000-memory.dmp

Filesize
1.7MB

Download
memory/3040-34-0x0000000004780000-0x0000000004938000-memory.dmp

Filesize
1.7MB

Download
memory/3040-0-0x0000000004780000-0x0000000004938000-memory.dmp

Filesize
1.7MB

Download
memory/3040-7-0x0000000004940000-0x0000000004AF7000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads