b9afb9c819302396858d2966371d904d9dd8661da835fd0ccc74758aae84e519

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WolframAV.exe
Size

2.6MB
MD5

ba371189ab70090c298d92d502e130e5
SHA1

28b6c0172da07a81ab58f5e71654b047914f3f89
SHA256

b9afb9c819302396858d2966371d904d9dd8661da835fd0ccc74758aae84e519
SHA512

a8d8b26afe4b1846b96d264a4d97d364a77adc698a4c14b26014742f59e611defb54f90a4c185004ac05d02e3e51de3b35e48853b6ef5c205b55d112f5260ace
SSDEEP

49152:PmolhL7w73ArxJ5+loYuQhxzjFFv8yL1ObXKv624vPQWz/mMOr5Cw9/mx:PThfw7QrxJ5SoYJhxz/rGXk6pB/m1VCF

Score

7^/10

upx

Malware Config

Signatures

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe	Wolfram Antivirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe	Wolfram Antivirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe	csrss.exe

Executes dropped EXE 6 IoCs

pid	Process
3048	Wolfram Antivirus.exe
2592	csrss.exe
2612	csrss.exe
2516	csrss.exe
2424	csrss.exe
2672	csrss.exe

Loads dropped DLL 9 IoCs

pid	Process
332	WolframAV.exe
332	WolframAV.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
2612	csrss.exe
2612	csrss.exe
2424	csrss.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/332-1-0x0000000000400000-0x0000000000CE9000-memory.dmp	upx
behavioral1/memory/332-3-0x0000000000400000-0x0000000000CE9000-memory.dmp	upx
behavioral1/memory/332-12-0x0000000000400000-0x0000000000CE9000-memory.dmp	upx
behavioral1/memory/3048-15-0x0000000000400000-0x0000000000CE9000-memory.dmp	upx
behavioral1/memory/3048-28-0x0000000000400000-0x0000000000CE9000-memory.dmp	upx
behavioral1/memory/3048-70-0x0000000000400000-0x0000000000CE9000-memory.dmp	upx
behavioral1/memory/3048-93-0x0000000000400000-0x0000000000CE9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
332	WolframAV.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe
3048	Wolfram Antivirus.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 3048	332	WolframAV.exe	28
PID 332 wrote to memory of 3048	332	WolframAV.exe	28
PID 332 wrote to memory of 3048	332	WolframAV.exe	28
PID 332 wrote to memory of 3048	332	WolframAV.exe	28
PID 3048 wrote to memory of 2592	3048	Wolfram Antivirus.exe	29
PID 3048 wrote to memory of 2592	3048	Wolfram Antivirus.exe	29
PID 3048 wrote to memory of 2592	3048	Wolfram Antivirus.exe	29
PID 3048 wrote to memory of 2592	3048	Wolfram Antivirus.exe	29
PID 2592 wrote to memory of 2612	2592	csrss.exe	30
PID 2592 wrote to memory of 2612	2592	csrss.exe	30
PID 2592 wrote to memory of 2612	2592	csrss.exe	30
PID 2592 wrote to memory of 2612	2592	csrss.exe	30
PID 2612 wrote to memory of 2516	2612	csrss.exe	31
PID 2612 wrote to memory of 2516	2612	csrss.exe	31
PID 2612 wrote to memory of 2516	2612	csrss.exe	31
PID 2612 wrote to memory of 2516	2612	csrss.exe	31
PID 2516 wrote to memory of 2424	2516	csrss.exe	33
PID 2516 wrote to memory of 2424	2516	csrss.exe	33
PID 2516 wrote to memory of 2424	2516	csrss.exe	33
PID 2516 wrote to memory of 2424	2516	csrss.exe	33
PID 2424 wrote to memory of 2672	2424	csrss.exe	34
PID 2424 wrote to memory of 2672	2424	csrss.exe	34
PID 2424 wrote to memory of 2672	2424	csrss.exe	34
PID 2424 wrote to memory of 2672	2424	csrss.exe	34

C:\Users\Admin\AppData\Local\Temp\WolframAV.exe
"C:\Users\Admin\AppData\Local\Temp\WolframAV.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:332
- C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\Wolfram Antivirus.exe
  "C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\Wolfram Antivirus.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\csrss.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\csrss.exe
      a execC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2516
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe
        
        a execC:\Users\Admin\AppData\Roaming\Wolfram Antivirus\csrss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\csrss.exe
        
        "C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\csrss.exe"
        7⤵
        Executes dropped EXE
        
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.exe

Filesize
222KB

MD5
756a066bf0e8727906bfd186206c7c03

SHA1
7963fdaed6722a2dc39592c90ce7d383b2bc0382

SHA256
49e6d55da821572afbb0342716840d069f210e0a73a38e9dc9026a1b633f1c7d

SHA512
74660bb8ed05238fcc884febd8405b69640d375003b24beba8db5b4c25c05efebbad47a76f8fd4ca30f39da0d5f65b4a8cc4f663117e524bba4728692442cb3f

Download Submit
C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\csrss.exe

Filesize
222KB

MD5
08bd665ba70ed5c9df9ca94b52f283ac

SHA1
dc7fd2f628a388943677328fa62c430df12bfd4a

SHA256
e405a76f5599eff5049a7360684ea87e69e67794b95370d17a35e31cefdaec84

SHA512
1394475d6a92e090dae49a966ce48f20f928ea953b1c3f22e3613bd11dfd3e43181cb5f429b5b370d8b45909857e030108d522b470915a03f3cbdbf4cbbbb53c

Download Submit
C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\wf.conf

Filesize
300B

MD5
a167ced21eb752e50a6bf89a363ad184

SHA1
921c478cbeb2a8d51355f81e2497b758999a4cbd

SHA256
be73d200d75ac45707c9d158449154fdb845f6ac60711db61abe26c53dc1467e

SHA512
38b0c64b342f718a4c7daf31e84c35affee19951dba267fff4cfad067e24da517b98f106fe5559021052d25d7fd2f8d8ee0bc5aa91cde5d1b8f61f304cf669c2

Download Submit
C:\Users\Admin\AppData\Roaming\Wolfram Antivirus\wf.conf

Filesize
901B

MD5
d51d70611f30b71d189b019c365f849d

SHA1
e0dea96f35203562f857a5eff84b412dd5d24794

SHA256
013464e0971ed6cc613a18758c869f65b6281bd94adc860a0869d1980848627f

SHA512
3aaa30873d803721bc963289bb8facb96bf6ed6547205595492f446726892459874280a6ee4343de6e02334d4edddb180cc0ee6bbbc44b596a007af4530066e1

Download Submit
\Users\Admin\AppData\Roaming\Wolfram Antivirus\Wolfram Antivirus.exe

Filesize
2.6MB

MD5
ba371189ab70090c298d92d502e130e5

SHA1
28b6c0172da07a81ab58f5e71654b047914f3f89

SHA256
b9afb9c819302396858d2966371d904d9dd8661da835fd0ccc74758aae84e519

SHA512
a8d8b26afe4b1846b96d264a4d97d364a77adc698a4c14b26014742f59e611defb54f90a4c185004ac05d02e3e51de3b35e48853b6ef5c205b55d112f5260ace

Download Submit
memory/332-0-0x0000000002AF0000-0x0000000002C65000-memory.dmp

Filesize
1.5MB

Download
memory/332-1-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download
memory/332-3-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download
memory/332-12-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download
memory/2424-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2516-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2592-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2612-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2672-65-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3048-28-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download
memory/3048-70-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download
memory/3048-15-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download
memory/3048-13-0x0000000002920000-0x0000000002A95000-memory.dmp

Filesize
1.5MB

Download
memory/3048-93-0x0000000000400000-0x0000000000CE9000-memory.dmp

Filesize
8.9MB

Download