bb8cfd822e4a1b2077bc0adf2f0b53dab34a10d1fd644b05fddec8f834bab1a0

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2023 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe
Size

2.3MB
MD5

d934a8804e5562496a98c90269c2a5c0
SHA1

de6940c040ab4f042cb85ed2f16b2d9eadab354c
SHA256

2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838
SHA512

19e7c9f72384a2b3bae1ed0dc39ddc8fd563441dd2fc622aa057c506cdd1d283195bca379fe330f9bd071fd306333fd0efd9e75d10eb7c4087d0d34cf111d72f
SSDEEP

49152:q1MabMP48ut44jiorFUYXLN+/4NlU1LeQzdVfMLJD9uc:Oeg8i4BohXLN+/+wPZql

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
3800	plink.exe
5072	plink.exe
3120	plink.exe
4236	plink.exe
5072	plink.exe
4840	plink.exe
2136	plink.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4900-0-0x0000000000800000-0x000000000121E000-memory.dmp	upx
behavioral2/memory/4900-9-0x0000000000800000-0x000000000121E000-memory.dmp	upx
behavioral2/memory/4900-10-0x0000000000800000-0x000000000121E000-memory.dmp	upx
behavioral2/memory/4900-12-0x0000000000800000-0x000000000121E000-memory.dmp	upx
behavioral2/memory/4900-16-0x0000000000800000-0x000000000121E000-memory.dmp	upx
behavioral2/memory/4900-17-0x0000000000800000-0x000000000121E000-memory.dmp	upx
behavioral2/memory/4900-21-0x0000000000800000-0x000000000121E000-memory.dmp	upx
behavioral2/memory/4900-22-0x0000000000800000-0x000000000121E000-memory.dmp	upx
behavioral2/memory/4900-26-0x0000000000800000-0x000000000121E000-memory.dmp	upx
behavioral2/memory/4900-27-0x0000000000800000-0x000000000121E000-memory.dmp	upx
behavioral2/memory/4900-31-0x0000000000800000-0x000000000121E000-memory.dmp	upx
behavioral2/memory/4900-32-0x0000000000800000-0x000000000121E000-memory.dmp	upx
behavioral2/memory/4900-36-0x0000000000800000-0x000000000121E000-memory.dmp	upx
behavioral2/memory/4900-37-0x0000000000800000-0x000000000121E000-memory.dmp	upx
behavioral2/memory/4900-41-0x0000000000800000-0x000000000121E000-memory.dmp	upx
behavioral2/memory/4900-42-0x0000000000800000-0x000000000121E000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe
4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 3800	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	86
PID 4900 wrote to memory of 3800	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	86
PID 4900 wrote to memory of 3800	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	86
PID 4900 wrote to memory of 5072	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	96
PID 4900 wrote to memory of 5072	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	96
PID 4900 wrote to memory of 5072	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	96
PID 4900 wrote to memory of 3120	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	102
PID 4900 wrote to memory of 3120	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	102
PID 4900 wrote to memory of 3120	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	102
PID 4900 wrote to memory of 4236	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	110
PID 4900 wrote to memory of 4236	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	110
PID 4900 wrote to memory of 4236	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	110
PID 4900 wrote to memory of 5072	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	113
PID 4900 wrote to memory of 5072	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	113
PID 4900 wrote to memory of 5072	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	113
PID 4900 wrote to memory of 4840	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	115
PID 4900 wrote to memory of 4840	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	115
PID 4900 wrote to memory of 4840	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	115
PID 4900 wrote to memory of 2136	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	117
PID 4900 wrote to memory of 2136	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	117
PID 4900 wrote to memory of 2136	4900	2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe	117

C:\Users\Admin\AppData\Local\Temp\2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe
"C:\Users\Admin\AppData\Local\Temp\2dbf8934655b5bd43b6acfb63ae831154ba7726ce34ea72cb52710b347888838.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test560B7A5A405599B6717F72927E39B599; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test68EA551A2D8CEA44C83F181CC6FEFAD3; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo TestEB9AF6C3AD63EC9B12CDE0890F91029E; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test5CDEC1148A7CBB614D0AB798DEF33D16; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test2818B23010F44FCD21BF1807880768DD; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test3A49BF6C6C778CE4F87700920508B863; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test7367C3FC74F9985EF4FAF349ED215E6D; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:2136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
a0ad91025fa6c02244a56c98337569f6

SHA1
e5fd2d87d3b81b0de4c55a3afe5a9003ccdcb35f

SHA256
38fe2d5e70dfc6c0b141fdd561dae5f32b24dd8e5b35b4f4c64a222935234b4c

SHA512
fdd958b7d56144f56bcdac65f9ad4d29e8c1a43d547db00c7b0b39142e833187626cc9f75584de3b412d2eea18ab63ea385af8c0f235448f899fc42a702025ae

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
c4676bf129d0fc6481c8af67316af231

SHA1
dcd80638d5b8dd3eb725ef5f96210dea6f074cd7

SHA256
4faafaa6904a6a1117a22007e041233d9b77722afdba6be3a7237bb698e673a0

SHA512
07b03b7006e24b3d11f0d9eaa0c77b0a35f8fc74813dfd58139fa5273641f1cf1b0f6c7cd4a103b0267aa15a0d5e1ea765d362ca73501116129e015c8e717898

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
4fa47ce6c83502efa9e0a50410bf6209

SHA1
5707e8fda18a282095d8779999d99ae8522054a7

SHA256
df5bbbe1c04126f82a5115722f62e06e484deb32a338e97c0414402b30c144ef

SHA512
66fe5ffec1a6369e009765dc911ec129c0e71976519a1a5c123659a229f59e160db508198dec54e91f3d651d1eed8580046aae907a974fa13cebbc1b3867da4a

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
87fbe665c5b1ddc61abc418a8fdb822b

SHA1
4dc5d17ffa0f50555512dad1767ddbd91eeb8898

SHA256
a4df33a1d3973717d1975dcc9418d8f25ae5beb6b4ba1109f6f8c7167322b5b1

SHA512
ee7d419e4219ab2ae06d0d029bc708a11b96e08db2b96066ba38bf3e7f8f5328686d7a80227a0dea12676c3806c10dc6b62933d0de6544104f37da77daead664

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
56e1c6c15b1cee7e502260cee7da26d8

SHA1
dadeb3dc239819eae2a448f58de187d821396281

SHA256
a19f64757b72637df1a292f33781af3ffb7ef4bdce3a5de2936f288d2bc15aa0

SHA512
5b29a6dab41e3bf8917c9b2197d4bdffc51f59b2bbff5ae3e649d93283af8d8a8d5b5d46a881730ebdc4c6c2871bc8eef2d6f9060e4a877090c471a7f02ffc7b

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
8e9b481cd616fd3b2e445d1707dfebae

SHA1
7c4847e25f62ee9196b9bc614276eb09f7b00b28

SHA256
57fddfd0b26e542ab4d91d53736d22915e0b3f2fdad880ceab3c256ea875f182

SHA512
ecf231ec29b4b749571e638a279b2daee751a4723ea89010b32d8f2852edf613b3257c26423841c1f43d93262470f2a3715b98073053656eeb305efce9933db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
328KB

MD5
b5450c8553def4996426ab46996b2e55

SHA1
5221c2ce846d9cbc8ab73142b51414f31544289f

SHA256
6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301

SHA512
d92780976ce323005466a6e6014ea1c6520342786bc006964ce325944638d79986e8637bdb2823c0e21b9dc24b0662fe57ffb3847780bba241e36afbdc6a929a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
328KB

MD5
b5450c8553def4996426ab46996b2e55

SHA1
5221c2ce846d9cbc8ab73142b51414f31544289f

SHA256
6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301

SHA512
d92780976ce323005466a6e6014ea1c6520342786bc006964ce325944638d79986e8637bdb2823c0e21b9dc24b0662fe57ffb3847780bba241e36afbdc6a929a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
328KB

MD5
b5450c8553def4996426ab46996b2e55

SHA1
5221c2ce846d9cbc8ab73142b51414f31544289f

SHA256
6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301

SHA512
d92780976ce323005466a6e6014ea1c6520342786bc006964ce325944638d79986e8637bdb2823c0e21b9dc24b0662fe57ffb3847780bba241e36afbdc6a929a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
328KB

MD5
b5450c8553def4996426ab46996b2e55

SHA1
5221c2ce846d9cbc8ab73142b51414f31544289f

SHA256
6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301

SHA512
d92780976ce323005466a6e6014ea1c6520342786bc006964ce325944638d79986e8637bdb2823c0e21b9dc24b0662fe57ffb3847780bba241e36afbdc6a929a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
328KB

MD5
b5450c8553def4996426ab46996b2e55

SHA1
5221c2ce846d9cbc8ab73142b51414f31544289f

SHA256
6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301

SHA512
d92780976ce323005466a6e6014ea1c6520342786bc006964ce325944638d79986e8637bdb2823c0e21b9dc24b0662fe57ffb3847780bba241e36afbdc6a929a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
328KB

MD5
b5450c8553def4996426ab46996b2e55

SHA1
5221c2ce846d9cbc8ab73142b51414f31544289f

SHA256
6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301

SHA512
d92780976ce323005466a6e6014ea1c6520342786bc006964ce325944638d79986e8637bdb2823c0e21b9dc24b0662fe57ffb3847780bba241e36afbdc6a929a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
328KB

MD5
b5450c8553def4996426ab46996b2e55

SHA1
5221c2ce846d9cbc8ab73142b51414f31544289f

SHA256
6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301

SHA512
d92780976ce323005466a6e6014ea1c6520342786bc006964ce325944638d79986e8637bdb2823c0e21b9dc24b0662fe57ffb3847780bba241e36afbdc6a929a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
328KB

MD5
b5450c8553def4996426ab46996b2e55

SHA1
5221c2ce846d9cbc8ab73142b51414f31544289f

SHA256
6ae32cd3b5a8a1dbb5464372ded370f31802fd1f5031795b43d662c64fc5b301

SHA512
d92780976ce323005466a6e6014ea1c6520342786bc006964ce325944638d79986e8637bdb2823c0e21b9dc24b0662fe57ffb3847780bba241e36afbdc6a929a

Download Submit
memory/4900-21-0x0000000000800000-0x000000000121E000-memory.dmp

Filesize
10.1MB

Download
memory/4900-32-0x0000000000800000-0x000000000121E000-memory.dmp

Filesize
10.1MB

Download
memory/4900-0-0x0000000000800000-0x000000000121E000-memory.dmp

Filesize
10.1MB

Download
memory/4900-9-0x0000000000800000-0x000000000121E000-memory.dmp

Filesize
10.1MB

Download
memory/4900-26-0x0000000000800000-0x000000000121E000-memory.dmp

Filesize
10.1MB

Download
memory/4900-27-0x0000000000800000-0x000000000121E000-memory.dmp

Filesize
10.1MB

Download
memory/4900-12-0x0000000000800000-0x000000000121E000-memory.dmp

Filesize
10.1MB

Download
memory/4900-10-0x0000000000800000-0x000000000121E000-memory.dmp

Filesize
10.1MB

Download
memory/4900-31-0x0000000000800000-0x000000000121E000-memory.dmp

Filesize
10.1MB

Download
memory/4900-22-0x0000000000800000-0x000000000121E000-memory.dmp

Filesize
10.1MB

Download
memory/4900-11-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4900-17-0x0000000000800000-0x000000000121E000-memory.dmp

Filesize
10.1MB

Download
memory/4900-36-0x0000000000800000-0x000000000121E000-memory.dmp

Filesize
10.1MB

Download
memory/4900-37-0x0000000000800000-0x000000000121E000-memory.dmp

Filesize
10.1MB

Download
memory/4900-16-0x0000000000800000-0x000000000121E000-memory.dmp

Filesize
10.1MB

Download
memory/4900-1-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4900-41-0x0000000000800000-0x000000000121E000-memory.dmp

Filesize
10.1MB

Download
memory/4900-42-0x0000000000800000-0x000000000121E000-memory.dmp

Filesize
10.1MB

Download