0ef0778f060781639b2645019908a24b9a6df0405524d43fe2c8184072f0f0b4

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42ecec25029475575dd9f5e7ac6e5bc4.exe
Size

40KB
MD5

42ecec25029475575dd9f5e7ac6e5bc4
SHA1

33896db44a86e8568936fdb65f52f1492fe41370
SHA256

0ef0778f060781639b2645019908a24b9a6df0405524d43fe2c8184072f0f0b4
SHA512

a049240cbc99d695371ad518987f6d32a81ba81bc8ffa81f6383b11495d242b0b6d1f62abb4a78a6663742fb2bb1326b676f0a30ae7fa2a78728428eff99a068
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHkN:aqk/Zdic/qjh8w19JDHs

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1148	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023231-4.dat	upx
behavioral2/memory/1148-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1148-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1148-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1148-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1148-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1148-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1148-90-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1148-209-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1148-260-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1148-265-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1148-266-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1148-289-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1148-293-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1148-306-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1148-345-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	42ecec25029475575dd9f5e7ac6e5bc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	42ecec25029475575dd9f5e7ac6e5bc4.exe
File opened for modification	C:\Windows\java.exe	42ecec25029475575dd9f5e7ac6e5bc4.exe
File created	C:\Windows\java.exe	42ecec25029475575dd9f5e7ac6e5bc4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1148	2292	42ecec25029475575dd9f5e7ac6e5bc4.exe	88
PID 2292 wrote to memory of 1148	2292	42ecec25029475575dd9f5e7ac6e5bc4.exe	88
PID 2292 wrote to memory of 1148	2292	42ecec25029475575dd9f5e7ac6e5bc4.exe	88

C:\Users\Admin\AppData\Local\Temp\42ecec25029475575dd9f5e7ac6e5bc4.exe
"C:\Users\Admin\AppData\Local\Temp\42ecec25029475575dd9f5e7ac6e5bc4.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7C34XGPV\0WT3RT3D.htm

Filesize
145KB

MD5
8fc68ce83d49e6e8df0637237371742d

SHA1
673e5584f0079780a49b90b1cdd25c4f4f12dd9b

SHA256
f553e379e38ba4bf752e1b21c5a49be2b203f2d8f4cf6e0ebb46a56e04d7a7ad

SHA512
8be0bc0f0285377ef6aace1b347e000f28affa002bafa9d6a56758b950520e28e6d52ed85c340dc9ef340228a9d6e6852338735e9e302a80d814efb2e4e2e49a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9ALL181V\LGMI9YSH.htm

Filesize
145KB

MD5
b39946b7dda92281b8545467ed2aad4c

SHA1
c9a265d0b43b176f924015f8e181afb241b3388a

SHA256
e55fbf5fc0ff42ca656869743a737316839b190601676327aa253ecc5eb75ba6

SHA512
2f31699dc5e618339002346b53bfb12a5b9962919a8426a65dd72ee4569b0ec8e0a4b5d1923ce9a7f35a7afb0fe9c131a4885280e30bc822f97705454173d4ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9ALL181V\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PZ64U2GI\results[4].htm

Filesize
1KB

MD5
e6707bb78b85bceeef2c92ef1499cdc0

SHA1
b4b13d165a0f80991faf65acf2a391715bfe42a7

SHA256
9bbf4ebbabe932e5d5fa73068e70e1264065d8515c0639542b40c0c53cb9a404

SHA512
ce7ab0962e12fdd404ce052f529025409530b66c14bb7db08dacff5a7e585e423004cb288fa9a90e77cb30f38d7d6b8eee8f3c252fbd21f5c7338dde5e01b489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q15AV1NQ\results[3].htm

Filesize
1KB

MD5
1f54bb772898601864114ea6f0b12b25

SHA1
6e7988e843cc302509d64e192d18c83b2c7dec3a

SHA256
31c4da7079c2bd7ca47ff1c5088456fefa48f6ab5a5836950d4b255b4b5e0d0b

SHA512
f05085ba7521d70f35eda262962a3b11ed0d76edec90d3c8eeda27f99a947ef519df5191d964c2e1b9fee1db606ae0dd9d7cbbf924aa50d2e872556127479b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp36BE.tmp

Filesize
40KB

MD5
a321bcd9a6499b294c8c92fb56b1fc16

SHA1
3dff05af8f932b584c89de6c3c6bfba43ed52a6f

SHA256
48674e169b68358985aef2e9048375b2badbbd11ca1fe700298694828cbaa52d

SHA512
4daf00d7741f6629ef0502adbb461e8c0f251c3eb46caffba5c88845b9b6cdf8c916e18046a2c3dfff1df4707a56c66aed5fcf65630b3bda474e91017b8d7e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
4a51f5775b3ed4aec2a1571807967faf

SHA1
a1bd2b54fa8d454db49dc8af3c35d780eeab6027

SHA256
aede0d166f5647d748f1eee0f768a692a19e880cdf591654ce788f3c79abf96e

SHA512
a9deaf384d73079ad1cce53a20d840e2319cd06d4f3301a8438f366288986d76eeb6ac5ecde03780811545f6ec0c14da819af10963a67a5c6dfb92bca7951a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
79bf383dfe67919bcb73145ae5029ec1

SHA1
9a72ab9cda6fd2df13f03c929396f7f983c91875

SHA256
d804678c27a2386db2e2c3745a454b0bb7052028d822bbaee5f41e6a6990e83a

SHA512
489f35f3ae60a266002ac4a7b75026ffba658f000b0f60a9f913d0fe3fd97b0655829d40df79782d99767ec90902e98e84ff2df659a758019ac9c48d5a0fbea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
7708c73ff87170da7a062b7604daf9ce

SHA1
7046f0dea0f5b26e27374c857675d75403025b22

SHA256
1e923c8c65f995178899da48586ef986f604902167257584658d08c6f987746e

SHA512
a8d9f36307ab94259ccdd5b043f9ea25be9ba43ea7cd4e3dc0b5a385f82cde9b5bd65271f73bf8850b41ebacd34838f48957bad248e962a02f922043673e74c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
ed13b60ac628aa633133558437029dfa

SHA1
6d359472413041cfc330e973585ce23b565e9027

SHA256
422f947347aa27a75d5f19e9be4cdd5c2804d3eccfe3082ced49b1537b3c40d5

SHA512
27878391c98ca90c41e477a79c79d4a65c405b31923b3fed8139ea3e3c32c9504a937a0fcc07230cc45319ceb776c453267f0538baf809438881d2e540e0a1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
6d41efc8e53e255c8fb0c1766369b4fa

SHA1
d67702855d43672044e773a5dcfb26189f52ebfe

SHA256
348d5fb2c459d83bfbec70a46b4c82f1a4d65eed21c101917b65175990c67248

SHA512
4e962a56c64fd6e3c109eaba869a72030c74ea41974aca8f080501d3beb8a17706868236ca1ee5db3bd53b852fcff80bd3b362b858fbe7a6793130f5f4156a50

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1148-260-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1148-266-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1148-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1148-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1148-209-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1148-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1148-265-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1148-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1148-345-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1148-289-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1148-293-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1148-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1148-306-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1148-90-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1148-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2292-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads