f75547146f5ba78088147454ca07256851c31a0c1b50c894f2fe9acba745cff7

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2023, 08:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cb172353a54e2877958a81e01fb56120.exe
Size

29KB
MD5

cb172353a54e2877958a81e01fb56120
SHA1

d00ecf6bd9054a48f55bb057b407df54c476a69f
SHA256

f75547146f5ba78088147454ca07256851c31a0c1b50c894f2fe9acba745cff7
SHA512

e53f10762d3cad9489288b8785a93c90bf897e43ab3c8b6b7293689349bde86c01fd8e71f4cbc080d3a6205ca6cfefbbe311d0c600e8753951ffa5bd41fb01d5
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/S:AEwVs+0jNDY1qi/qa

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2476	services.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4820-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0009000000022bf2-4.dat	upx
behavioral2/files/0x0009000000022bf2-5.dat	upx
behavioral2/memory/2476-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4820-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2476-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2476-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2476-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2476-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2476-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2476-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0008000000022ce8-46.dat	upx
behavioral2/memory/4820-103-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2476-117-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4820-144-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2476-156-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4820-208-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2476-216-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4820-246-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2476-259-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4820-290-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2476-301-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4820-330-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2476-345-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4820-372-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2476-382-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4820-438-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2476-450-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	cb172353a54e2877958a81e01fb56120.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	cb172353a54e2877958a81e01fb56120.exe
File opened for modification	C:\Windows\java.exe	cb172353a54e2877958a81e01fb56120.exe
File created	C:\Windows\java.exe	cb172353a54e2877958a81e01fb56120.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 2476	4820	cb172353a54e2877958a81e01fb56120.exe	88
PID 4820 wrote to memory of 2476	4820	cb172353a54e2877958a81e01fb56120.exe	88
PID 4820 wrote to memory of 2476	4820	cb172353a54e2877958a81e01fb56120.exe	88

C:\Users\Admin\AppData\Local\Temp\cb172353a54e2877958a81e01fb56120.exe
"C:\Users\Admin\AppData\Local\Temp\cb172353a54e2877958a81e01fb56120.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5FZHGTXM\default[1].htm

Filesize
304B

MD5
8251fff4df202c8d6dd6aaf34f4838ea

SHA1
fa88f08dfdeaff6b86873d447fd26cb7d83a694d

SHA256
a17db628f6bdbf4cdc6fe029542404867306406510dbbdb57a047a75ac294962

SHA512
e9c0fe2a920377777bdda16a8744cf80d15e1d1b3c94b704f8a4c4cf54d2529ede4aea8a2d6d38f4e3c4d02f602edfed659db6613ac7c374e5214a201f16a3b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5FZHGTXM\default[3].htm

Filesize
304B

MD5
4d1a10f22e8332513741877c47ac8970

SHA1
f68ecc13b7a71e948c6d137be985138586deb726

SHA256
a0dbc1b7d129cfa07a5d324fb03e41717fbdd17be3903e7e3fd7f21878dfbba4

SHA512
4f1e447c41f5b694bf2bff7f21a73f2bce00dfc844d3c7722ade44249d5ac4b50cf0319630b7f3fdb890bbd76528b6d0ed6b5ad98867d09cd90dcfbfd8b96860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5FZHGTXM\default[6].htm

Filesize
303B

MD5
ab7421802af48230da4837d84ca54208

SHA1
ee1036ca523fe527c1e4ff585983f59720d07e3e

SHA256
87937d2d6d98641310a5ac9d849a483bd192318a197d352d5db7b074f926c944

SHA512
c690cd667ba4a7f339c74276cdf2400ba8ebaa348ca83e2cb1ef26413e41a0ab96d9b6e13e697b3472ece4be2c85d2591977679383c43f4f55a40ab06476736d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E51EX1F6\default[2].htm

Filesize
304B

MD5
605de1f61d0446f81e63c25750e99301

SHA1
0eaf9121f9dc1338807a511f92ea0b30dc2982a5

SHA256
049f75dee036da00f8c8366d29ee14268239df75b8be53aa104aec22b84560f0

SHA512
a6a2505b8b89a895922ad6dc06d2ce620cb51cc6582c1b7e498a9f1ee1e4e47c53ebc4f92f8aa37532d558667225e30574732c9fe7187153a262c933893e4285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E51EX1F6\default[6].htm

Filesize
308B

MD5
5243568476eb2052b2f3b67dc9053e86

SHA1
b126aa6506772f9024b76580bdf28b45e3a7f051

SHA256
2d458622dc76eb87e44cc7db89309efdf50f99821145ae86864fd1b714cbaa80

SHA512
3c68cef4e3daa4bca6e8b3aa5a31874be1e4dec38fe9781c6fe4890980744527d0c6818eeb519f8e6b322118e1f08302d85972fa7da4ba8be9421aabf9a77833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E51EX1F6\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FG4P7PGK\defaultJ54EEG9X.htm

Filesize
315B

MD5
14b82aec966e8e370a28053db081f4e9

SHA1
a0f30ebbdb4c69947d3bd41fa63ec4929dddd649

SHA256
202eada95ef503b303a05caf5a666f538236c7e697f5301fd178d994fa6e24cf

SHA512
ec04f1d86137dc4d75a47ba47bb2f2c912115372fa000cf986d13a04121aae9974011aa716c7da3893114e0d5d0e2fb680a6c2fd40a1f93f0e0bfd6fd625dfa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FG4P7PGK\default[1].htm

Filesize
304B

MD5
57e90e4154b7cd9f1ef8a42a680d4eb6

SHA1
e9e1cdb76f921a0579fe13b55645c58bf2406144

SHA256
5f43170f230ecbe938dae2f5ab36fb2a0fae41195154fe8df32d6016f957fdf3

SHA512
9ce03985f48ab068de1de5d3cb8bd0e2b63280ad4eabc1280ab39d1d1b215291da6c1a7bb3f1b68b7e3ceb571a3cfc1de5b998e2a61100eda530e0e169bf0033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FG4P7PGK\default[3].htm

Filesize
305B

MD5
2c4ce699b73ce3278646321d836aca40

SHA1
72ead77fbd91cfadae8914cbb4c023a618bf0bd1

SHA256
e7391b33aeb3be8afbe1b180430c606c5d3368baf7f458254cef5db9eef966e3

SHA512
89ec604cd4a4ad37c5392da0bb28bd9072d731a3efdd38707eeb7b1caf7626e6917da687529bf9426d8eb89fab23175399032d545d96ab93ffd19dd54c02c075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LZ39371N\search[2].htm

Filesize
204KB

MD5
8e95994f5465b5c6771248836bf29eef

SHA1
746458ca35669b85bba99f8f87c26e50c319d9ce

SHA256
ac45c05e73f58b1a138d6728284d936567cfc13db1ffc7463dbb87c26216561d

SHA512
8af09f5d4e8136ffbbf0721c5fc356aa3a0ad7fa9e09d5e58fdb0bcfa7157c0d10234f2292bc577c6d2216c01276dfa16e5dc1a3f98975a56a98f2c92f6db741

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD85C.tmp

Filesize
29KB

MD5
990a95e368206dbb307b061151d941db

SHA1
1d901509bfab1b3b971ddfeeb19a344b35e32a70

SHA256
112e7f811809c265705f86b2cd27c7a5df01b2a84fdc78e766e252865f55dda2

SHA512
5af353fb625d80fc3623399009163bdb21029d00c98e533bde4562d48250b314aadec24d250fe8d5f24a94746b7fca6436e4b1df1802521e6700ccbf192d1789

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
8791d92eb284c7472e4f761d3606c275

SHA1
42fdd734d4383d5602191540c7806b72e3ec75d6

SHA256
2d5f7f83786167ff34cffec326c066aa42120567e1a724ed1e9691df9d3afdda

SHA512
c6d78d6503a37ef3819df234de66a9afe726dcc4b042f6201856725f2e06cf6a3556e016a835c38225c4ab9e4f2de56eab43e16e80eca1f710034ed59e925c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
66fa8a5efc4b6c0c76f7cec1b4ec9523

SHA1
9eff7ad7eb95e34c0f9e70a7a0676c77f1226309

SHA256
0e038236ab632b95e1c92e6b866c76c661b6a412bcae3f6c490e30dff747388c

SHA512
0c46b3275f6b6821568ffd04e41755a424c189cc583cb35c1b5ce1e34856abcaa3b752c67b55a49412c598c740fa05e4e2e4e7879d700e10fe348be38d4f801a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
b9d77e7654063ea1655d8abb1b33f6a9

SHA1
26ddf2569c10077e78a2bc4d68e0275ff582998f

SHA256
965a393fd7e33dff428a9dc1ed0965b9e78281a13bf9f0244c8433c165e07cfa

SHA512
aa25e105d135d08e0d5f1a0d169294c49111e6eda56062561f2f851536433cb0a513ba1807eb5ce48feb3f08de131b84ca9bdfce3b9d67bcca2513c20e2daa18

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2476-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2476-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2476-156-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2476-117-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2476-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2476-450-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2476-216-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2476-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2476-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2476-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2476-259-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2476-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2476-382-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2476-345-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2476-301-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4820-330-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4820-144-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4820-372-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4820-290-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4820-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4820-246-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4820-438-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4820-208-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4820-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4820-103-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads