1cb4c10677c85913e9aa8ed784055dc00c4c1c9e569fdb8130e1356e52915faa

Analysis

Target

zupal32.bin.exe
Size

5.2MB
MD5

3ab9af930facd4f8d7e0d49bf7077034
SHA1

00d53122b01f8939369f90e8ecb4b560b4d5e4a2
SHA256

ade0d7fbdcb34d7cbd220beb9c3c2484f7ce05c11043bd5ed64df239f5039ba7
SHA512

376ed0d9bc696d6f1a10e2cb67f170870aff32aa6e3e4f6b5a5f4da85116afaa6b2e7b5e6652ca8361524ebf55effe7394bc888d674afc3d99b7745476129633

Score

1^/10

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

Systeminfo.exe

pid process

1696 Systeminfo.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 5 Go-http-client/1.1

pid	process
1696	Systeminfo.exe

description	flow	ioc
HTTP User-Agent header	5	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

zupal32.bin.exe

description	pid	process	target process
PID 1316 wrote to memory of 1696	1316	zupal32.bin.exe	Systeminfo.exe
PID 1316 wrote to memory of 1696	1316	zupal32.bin.exe	Systeminfo.exe
PID 1316 wrote to memory of 1696	1316	zupal32.bin.exe	Systeminfo.exe
PID 1316 wrote to memory of 1696	1316	zupal32.bin.exe	Systeminfo.exe

C:\Users\Admin\AppData\Local\Temp\zupal32.bin.exe
"C:\Users\Admin\AppData\Local\Temp\zupal32.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\Systeminfo.exe
Systeminfo
2⤵
- Gathers system information
PID:1696

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/1316-0-0x0000000000400000-0x0000000000957000-memory.dmp

Filesize
5.3MB

Download
memory/1696-1-0x0000000000000000-mapping.dmp

Download