9eb9b2f49b8a9a465f3795aaaacc499776f7563b3d19cb316b6fc5f6b953c45e

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f57822e307136f25cd37727b1905dce.exe
Size

40KB
MD5

1f57822e307136f25cd37727b1905dce
SHA1

ee56a93f505e33c61705c5ac8bf5726d69d29b48
SHA256

9eb9b2f49b8a9a465f3795aaaacc499776f7563b3d19cb316b6fc5f6b953c45e
SHA512

d6683656f5233333e16ccb466fc58b16d0b844000f384951ee522fc55897ff9fdd1382b0b4845c606a3eca8b73edd3c633074710eba2b5a54f560abb7965c118
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHsm:aqk/Zdic/qjh8w19JDH3

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2712	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000231f7-7.dat	upx
behavioral2/memory/2712-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2712-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2712-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2712-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2712-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2712-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2712-86-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2712-132-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2712-139-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2712-143-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2712-144-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2712-188-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2712-214-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2712-243-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2712-274-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	1f57822e307136f25cd37727b1905dce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	1f57822e307136f25cd37727b1905dce.exe
File opened for modification	C:\Windows\java.exe	1f57822e307136f25cd37727b1905dce.exe
File created	C:\Windows\java.exe	1f57822e307136f25cd37727b1905dce.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 2712	5052	1f57822e307136f25cd37727b1905dce.exe	88
PID 5052 wrote to memory of 2712	5052	1f57822e307136f25cd37727b1905dce.exe	88
PID 5052 wrote to memory of 2712	5052	1f57822e307136f25cd37727b1905dce.exe	88

C:\Users\Admin\AppData\Local\Temp\1f57822e307136f25cd37727b1905dce.exe
"C:\Users\Admin\AppData\Local\Temp\1f57822e307136f25cd37727b1905dce.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BJCNBC62\default[2].htm

Filesize
311B

MD5
cb42662caffe525e9957c942617edf06

SHA1
615009db9a1a242579e639ee0fc7a2a765095bfe

SHA256
312bf5c9a1a122abc6361bf8ed01a44346285b962c0d273ef2de0eb796ae1b15

SHA512
3e6777f1f74f64fff6cb2bd1a81a6c08d9a64feeebc3deb7cacb8f0f41b23a5c59a8e6294b99c76dd386aaaf9043a1a252ac47910fe1801bdc2995f7b675692c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BJCNBC62\default[4].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BJCNBC62\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NSWVVUXL\default[5].htm

Filesize
313B

MD5
ffb72ab4faba49ad441ce07db37dd8b6

SHA1
194e13c1c32ebb6e7a1dc912261cbd58a82ff71e

SHA256
7bd7c3676e98ddde8e0d5b63dd22cb9379d975bcd1d68884c97565cdd8d03660

SHA512
517be20d2442489ce39b48dc7f9f6f13f8c45d02703fb1865071f553d36b2289f5abc26c6089fc0bfad1a41fe318bf4b5a806915c5e45898ac744b7e4ed30257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSO8CY24\default[6].htm

Filesize
305B

MD5
157431349a057954f4227efc1383ecad

SHA1
69ccc939e6b36aa1fabb96ad999540a5ab118c48

SHA256
8553409a8a3813197c474a95d9ae35630e2a67f8e6f9f33b3f39ef4c78a8bfac

SHA512
6405adcfa81b53980f448c489c1d13506d874d839925bffe5826479105cbf5ba194a7bdb93095585441c79c58de42f1dab1138b3d561011dc60f4b66d11e9284

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp296E.tmp

Filesize
40KB

MD5
2547c377bb6e65d10472e2af643dcc2a

SHA1
329c264c80cba5aab09f5ec2c023f40dff865ec6

SHA256
f78fb41bcf48542d35ba8c2cd315bba55264d6282895138ac89b7b5466019e08

SHA512
c40bf345fdc6a18b5d443674d4e759f5d50a8f2846c41ec3bf8507b2ca9470bd48fd3a0d1d1406f86664b92eb73bc04305e10e9e4e769895594d935c839849bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
b39307f353eb0f669db8ec4ea6dbc628

SHA1
bd723a40e13a8c602522df296cb3073c5e07b42e

SHA256
30fdbaa2092b4aa279cdb1a76e6dab0453992b7668a7e8ae74a895430a6ad794

SHA512
417a68d818d48ed80f93962f34ca8b6a4973a47b3cc3651955a7724d6dd008cff453638a6ce9242e96325ba7ef49fc5c5159b0c3ae333015f431fa225ec8ca06

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
59357979291ce2a9fee5c233bbca0800

SHA1
b25e21890bf0cf58b04c3d9473297d87cd892f6d

SHA256
12fa02b2d107bc159c70f9ab47a292db4be21536415d65e5963ca8ee66b0d1b8

SHA512
5a41435f0098271ecebe6d7b5e5d8137c62cb8535ab001e36840f66df1cab105409b85b96895ea543dfa6de98b0f2c28f3878242e38d827b1faae71419ec3ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
fd88a0885b8eab8ea60ed9b9b607f51c

SHA1
d3a81609299d691f73d02e34cafde0e48be5d36d

SHA256
8d2312e53a573a51f3ccaa134e6bf055c3cd27a054435fffbb3a4d35b3e4f822

SHA512
23ef7e6adb76536e63e80435a23b6d216c3de38cbdab1303194537f71fea703afaf7c6b669af711ecdffd63e3f6bece20aad59612ee0cfa5453fa05ef1afb23b

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2712-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2712-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2712-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2712-132-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2712-139-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2712-143-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2712-144-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2712-86-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2712-188-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2712-274-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2712-214-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2712-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2712-243-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2712-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2712-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5052-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads