532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0

General

Target

532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
Size

1.8MB
MD5

3a63a81a00f53dd4395c50ec432b182e
SHA1

591f1577dfdc0c3b272d54d0c95121b739ccf886
SHA256

532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0
SHA512

ca04d4be3d4beb43037c0dc4a7264b63db7ec3d21d6eb4340418fd3cb320d631e40cd6cd6659dc3e176e1b4e1d2327384c5a7a56ddb5880efbe690d3cc15a005
SSDEEP

49152:BWNWvJ/aS8JCfmIa2Wtu5800SjRoCOAzU:BWMvJ/gsiSllO2

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5036-3-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-5-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-6-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-7-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-8-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-9-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-25-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-27-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-28-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-40-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-44-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-45-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-46-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-49-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-50-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-51-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-52-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-53-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-54-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-55-0x0000000000400000-0x0000000000848000-memory.dmp	UPX
behavioral2/memory/5036-58-0x0000000000400000-0x0000000000848000-memory.dmp	UPX

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5036-3-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-5-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-6-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-7-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-8-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-9-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-25-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-27-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-28-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-40-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-44-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-45-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-46-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-49-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-50-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-51-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-52-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-53-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-54-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-55-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/5036-58-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe

description	pid	process	target process
PID 4764 set thread context of 5036	4764	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe

pid	process
5036	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
5036	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
5036	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
5036	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
5036	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
5036	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe

description	pid	process	target process
PID 4764 wrote to memory of 5036	4764	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
PID 4764 wrote to memory of 5036	4764	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
PID 4764 wrote to memory of 5036	4764	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
PID 4764 wrote to memory of 5036	4764	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
PID 4764 wrote to memory of 5036	4764	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
PID 4764 wrote to memory of 5036	4764	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
PID 4764 wrote to memory of 5036	4764	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
PID 4764 wrote to memory of 5036	4764	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe	532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe

C:\Users\Admin\AppData\Local\Temp\532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
"C:\Users\Admin\AppData\Local\Temp\532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe
"C:\Users\Admin\AppData\Local\Temp\532c9475c54e38bf156e9832f784be442e372428efb9920f4dcac0e722dc1bc0.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.4MB

MD5
d31c44ba0c8b93109f493c820cc4ca5b

SHA1
5f321115e54c0ba64080a2567c6962f7c0277195

SHA256
ad0643326174a170ff9eb5c1b81f7f62d7381ae1ac18022041d52aacb661122c

SHA512
354dc23d508df8d471ac46edcea088a9a786b5b1195531f4a625259424ae3cacc92d9799a5646af6442f55f3f8f4e369fc757eacd05e59fbaee52bfaa35985db

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
14.4MB

MD5
bd8b2758e016f0aa4c375178ab038d01

SHA1
9d6de688f63623ec073bbe27994abd3c388bb360

SHA256
7c92635c33cb4bbd2b169de15828e00e2cc3c1c95f561933e24b76f5b8f4a268

SHA512
8530ef57b3b037dccf3bffea084d6770882d9960c240b98d17ba472c025392f860f1b4a048a9d1debb1a8a5bc72841a9d5cd989e53b08e9850fe373a54054597

Download Submit
memory/4764-1-0x0000000004D00000-0x0000000004EBD000-memory.dmp

Filesize
1.7MB

Download
memory/4764-2-0x0000000004EC0000-0x0000000005077000-memory.dmp

Filesize
1.7MB

Download
memory/5036-8-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-45-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-6-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-9-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-5-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-25-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-27-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-28-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-3-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-40-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-44-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-7-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-46-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-49-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-50-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-51-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-52-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-53-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-54-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-55-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/5036-58-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads