a02d481dfeaec1333c9d756dc6b4a2d5cc1857c70fd28a7fadc8712a085bc70e

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18-09-2023 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ffa18a6a11479eb8d6a8aac065f8758.exe
Size

28KB
MD5

8ffa18a6a11479eb8d6a8aac065f8758
SHA1

544b04bce8087a09ab405d71225fce4f4e49d8bb
SHA256

a02d481dfeaec1333c9d756dc6b4a2d5cc1857c70fd28a7fadc8712a085bc70e
SHA512

abfcb661379dd163e6604df5babafa8b9fa3c8d14306b064aece9b912656f89521a5e7fc7199442741a5d4080c2b8c898fe00c1df27bf648106d1dd7c42ce714
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNbj2R:Dv8IRRdsxq1DjJcqfM6R

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2132	services.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2696-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2696-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/files/0x000d000000012271-7.dat	upx
behavioral1/files/0x000d000000012271-9.dat	upx
behavioral1/memory/2132-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2696-17-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/memory/2132-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2132-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2132-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2132-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2132-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2132-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2132-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2132-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2132-49-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2132-54-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2132-56-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000500000000f6f1-71.dat	upx
behavioral1/memory/2696-569-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2132-570-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-573-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2132-574-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-575-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2132-576-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-580-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2132-581-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	8ffa18a6a11479eb8d6a8aac065f8758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	8ffa18a6a11479eb8d6a8aac065f8758.exe
File opened for modification	C:\Windows\java.exe	8ffa18a6a11479eb8d6a8aac065f8758.exe
File created	C:\Windows\java.exe	8ffa18a6a11479eb8d6a8aac065f8758.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	8ffa18a6a11479eb8d6a8aac065f8758.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	8ffa18a6a11479eb8d6a8aac065f8758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	8ffa18a6a11479eb8d6a8aac065f8758.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	8ffa18a6a11479eb8d6a8aac065f8758.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	8ffa18a6a11479eb8d6a8aac065f8758.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	8ffa18a6a11479eb8d6a8aac065f8758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	8ffa18a6a11479eb8d6a8aac065f8758.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	8ffa18a6a11479eb8d6a8aac065f8758.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2132	2696	8ffa18a6a11479eb8d6a8aac065f8758.exe	28
PID 2696 wrote to memory of 2132	2696	8ffa18a6a11479eb8d6a8aac065f8758.exe	28
PID 2696 wrote to memory of 2132	2696	8ffa18a6a11479eb8d6a8aac065f8758.exe	28
PID 2696 wrote to memory of 2132	2696	8ffa18a6a11479eb8d6a8aac065f8758.exe	28

C:\Users\Admin\AppData\Local\Temp\8ffa18a6a11479eb8d6a8aac065f8758.exe
"C:\Users\Admin\AppData\Local\Temp\8ffa18a6a11479eb8d6a8aac065f8758.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
02349ac80475f00b046026b7ac662316

SHA1
79682c24739b928a694e606aca8487d6199a002a

SHA256
66eba5499107b4e66f7816bb189cf29fb52d62b4bac59bf8e1e6de0a650a7be0

SHA512
a535df0a01ae3f3df169842cdf2f3daca3ed455d520dc19103301e8440062fafb85421120620c50c0099cc0d1f87194fc253f662da969a692c5bc2206084db98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7cc6c3d18b033298991b296e52851e0d

SHA1
0dc2d93714bd2f08e685a4f2a5f32c817cbef4bd

SHA256
80ba62296426ad4ee737285f89984c07b1548d4de55924c35fe9bfaa13155659

SHA512
2e0d306d6dbe10618bcf2251118073b33da8ec94a9ba21c6d4bca1f0a77e9d3057abb9d9938700e4770d44260a2d23ce1bad7beac4bad00f7ee10074b12aee9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e247bf2897c1350d886af5400e401d94

SHA1
c8b0b3d242660fbaf842dfbcb95428bdd9a2ba4f

SHA256
5cd0cbaf8f9dc3fc887433614e9966f49c556fc52330c9efea7e9619f6f38a8a

SHA512
1f8fd4c7cce661836709ea33e175173dc8179c6f33a17eaeaa322d4a78c6f3d77b6e5c06c61e6666e3bb42609b67f5db0857a7c5114eed82c62de0f945870e28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
08ae9e40475d2df6f7a034c4816a7237

SHA1
3e495734b795eb5d5d8f24a034fbd455f1dd2ee6

SHA256
892f50360eba490a0d11409ae972a3a0945b9546eb2dc89817202b3c8f3bbe7c

SHA512
ac20db0425a7cfb90b5a807d4b65eddbad4f9fafdf0d8fae572cebdc330d2342fd5d500cc94b8f46c3adf50829ad4d912833e9e78e0cdf8516b47e19174b7ff2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1a4fd0841eb189769a5881b499522438

SHA1
33258c2b3df668149df208dd65e49bcf7309d8c6

SHA256
be99c19f5b8d35513477fef473565f9db841a620fb717269d0b5a03291d7f91e

SHA512
08677e90182b666a700af12987fa1391b94ee3bf9b093863aa1245d9a75810b367226ca6e69f67f8ee94808d823f2ddf50ead141d224e16fae57deaaa821a19f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
fd734d66a0f573fa6dd928afb66d3675

SHA1
64126eb14428f4c410ed66d78537a414a17d5a4d

SHA256
2affc04bbe509dbea275ec7af8635430f9c701727a21df0ef80a8f7c1b6875be

SHA512
ce5985a90e9ae4fd9bdafb57c62fc4034932092adde6b586562b1aeae9ebd517493f15c1a3c2a521f8867cf30dc68cac586180b34ecb93613f3e8e19af966936

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5bab850513bea23dec5f1da3b20c2376

SHA1
cda0bbc8577dcbe32eff33a19d372d4029ee308e

SHA256
3ef64bfa4fa5b6f3a173b324ed75aedb1d75aaf62a752c9674c20150db6e5a23

SHA512
fecfe012866175871121d2f32f1d7e77864534cfaaf9c8305a83bb5155e954c449f5c8daed08e12e3c3499e7c802cea9f98be4574f67131ae6e6b226f7ca9be7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9cb12a668e57cfaab4d2fae30916c269

SHA1
8596b730d49d9205dece899e365a868256c26e72

SHA256
78d08b71368004f57673c0b47ca13e892a98eee75db358d168d93298fa42303d

SHA512
cedf331dde07ffde6eaff239fe6cafbbd09804648b39c7347e31eaf4fbf421c0c43914a7ec3e73cea6506673201ad7770fa25148f7c27917208e183edcc9c762

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e2eb895d96fe877793b6de31324aad16

SHA1
20dcbbb02996cc14cdb6ba5008ce574c38ac0f79

SHA256
01d19773d446db9278d3d6d00c0311f37ded655744ce34697ca51d218c90501a

SHA512
78f568b2cf4ce8febb8cabc1d00c9d1dfff044fff0cc2c4536ed81cfa57ad06fa11714a8b4ae985257cd5e77a622a259779f60a605b59a4667339d568c5fdea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3D2.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar423.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFA1B.tmp

Filesize
28KB

MD5
86e9764fc5ea59761823275e84946204

SHA1
74d2412c68d8f2abcc260afffc904c4e1d110f7c

SHA256
78ee6940a2549b3822a17146b02b4bccf1b5fcc29d68c0bf8f4f268f21dda632

SHA512
641bf221918f91396a477735ed577985bef09126409883b452855cbc272207c7c16da7781b76f0902e09bf926b65cc5aa632325a32042db929e7cdf99ecdfb2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
5790de82a8eb635bece2b0ec0025c784

SHA1
3fec65489632df9280736f44bc58057773773031

SHA256
d3c01160d67514e1bc57d8cfd7803d05f0eef41b739d4eb58996735371ad9aed

SHA512
23b08fa62b13ff8426e0aa575799dfe179cf8249cb0edd9814d7bd5b3544265d52f10c2c81c43524c8394b863c6da9e694473214cde3d40d7d7c33a2ea2dd829

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
5945c40ccedcc7d0435cc98e5ce025dd

SHA1
c59cdf05a790003f64c307e7e0c506abe9fbfdd4

SHA256
dccafc0ccd8ae085eac828374f33377515bd4dfccaf349dc2d7aa172b03d1417

SHA512
5c57fe8288ba9c579fd5cf72b31a047e7a8bb2d43c99e4abb17c3c0d297217db8bfae6fc3ab2c9548fbd92aa347d04d7d72816034a144a13c3ef3ebff9592854

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
7f6ff034ce33d4bcdfecd574e8e48a5b

SHA1
4041e57138107aff2a1ab4edc6ebec00b1a0c1fb

SHA256
7b3e63d6c2284b05094f44a0c47cfebad869ccfe53d31df04bf8745159df21e0

SHA512
4df66d6d7dba5013d8b3131e5ba9311e6127ef932798dfa509a165dc4aa294a9c96b7388bf929a983dfe90cda7861ea73f6f20b566ca2f634e575b7864250f94

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2132-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2132-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2132-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2132-581-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2132-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2132-570-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2132-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2132-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2132-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2132-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2132-576-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2132-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2132-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2132-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2132-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2132-574-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-17-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2696-569-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2696-573-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2696-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2696-575-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2696-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2696-580-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2696-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads