81b65f9fc2c705e3361e561ff1f3944a971e62e971773b9119f8b377bdbbab78

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 18:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3479a9d5a0d8b2d80885cbaf4b684431.exe
Size

40KB
MD5

3479a9d5a0d8b2d80885cbaf4b684431
SHA1

aa0bb802182a17f1f26f7de34902367a5d22ea23
SHA256

81b65f9fc2c705e3361e561ff1f3944a971e62e971773b9119f8b377bdbbab78
SHA512

33ad4744ec9298d8abc62c932bb89358e7b6647b2abf315c07cdf9cec6f2772d2234902b3f7e11ca6c6b6d38acaf25f931cc9701b4ee6afe2f9cf7a8ff82e65c
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtH3:aqk/Zdic/qjh8w19JDH3

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3812	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3812-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000e00000002317b-7.dat	upx
behavioral2/memory/3812-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-86-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-202-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-220-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-241-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-261-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-298-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-299-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3812-374-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	3479a9d5a0d8b2d80885cbaf4b684431.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	3479a9d5a0d8b2d80885cbaf4b684431.exe
File created	C:\Windows\java.exe	3479a9d5a0d8b2d80885cbaf4b684431.exe
File created	C:\Windows\services.exe	3479a9d5a0d8b2d80885cbaf4b684431.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 3812	932	3479a9d5a0d8b2d80885cbaf4b684431.exe	89
PID 932 wrote to memory of 3812	932	3479a9d5a0d8b2d80885cbaf4b684431.exe	89
PID 932 wrote to memory of 3812	932	3479a9d5a0d8b2d80885cbaf4b684431.exe	89

C:\Users\Admin\AppData\Local\Temp\3479a9d5a0d8b2d80885cbaf4b684431.exe
"C:\Users\Admin\AppData\Local\Temp\3479a9d5a0d8b2d80885cbaf4b684431.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:932
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0A013ETK\NN9IRTYT.htm

Filesize
145KB

MD5
266babeb05d720f6a870f87823b35b3f

SHA1
8af0d998df82e4c2b113aed643d953af80ba018a

SHA256
22a1d0a41e6ccf380ca9e5a501e637df301f66a248d7df6983835bf7d8cbad8b

SHA512
d837788f77227d6c78e1181f48b173a4412539fa241d1f608e98e55220ea6ab405cbf87883e5743f8f4a31f88f429edcc8c721dd23d5be5bcc67fb5f98e549e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQ2SYU15\O45I6FEO.htm

Filesize
145KB

MD5
ed90d83d69f68c1b20f1685ce8516833

SHA1
342d07ec048b4158bb977caea417210ad88052f3

SHA256
3274303863007aa477680225892a718b8e062ca9c6e26e77f252f230e0a35f4e

SHA512
c07555dad544c60c3f522a774edc78201ef03f1cdd8dd2c319f2d3126c70ea17bb951ae7aa7041eab88e5ac49817eb45a641b417c5d52abe99680dcc627fbff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQ2SYU15\search[3].htm

Filesize
186KB

MD5
0b80c6879748e52e2f947b639ab9b9c2

SHA1
3595da43bad20a148f5b7e41f875f22d35ea0ac1

SHA256
d0a04180eb746c7ed96223099a4a7d563b9a6b56daa217a25e055e244e2d187f

SHA512
0fb5191b517dc0d7d512e769a3874c0a41924fb8f3ce4ac373cafb9cb716732b6b565d6a67a557873f469a0024706d69cd648310ab6948028fa190fe035db213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QPBAQNGM\results[3].htm

Filesize
1KB

MD5
1f54bb772898601864114ea6f0b12b25

SHA1
6e7988e843cc302509d64e192d18c83b2c7dec3a

SHA256
31c4da7079c2bd7ca47ff1c5088456fefa48f6ab5a5836950d4b255b4b5e0d0b

SHA512
f05085ba7521d70f35eda262962a3b11ed0d76edec90d3c8eeda27f99a947ef519df5191d964c2e1b9fee1db606ae0dd9d7cbbf924aa50d2e872556127479b62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QPBAQNGM\results[5].htm

Filesize
1KB

MD5
ba40e02ff3f96ec73e07944e9ebce24f

SHA1
a81c371f43a0dd6469a29d2e40e380911f03f86a

SHA256
2d9c5fc4bca56260981d7e9d94249f9d3befb58cb004b571b8bb8f441ba2c401

SHA512
4aa3a2a546243123e5e05cde9c7d0e209c4aba0ae87464f43b8d36a254a16b61cdbc40ae014f35d37631dc32239bc690f89cfcefe15cd221878f61f85ffbc42e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QPBAQNGM\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5242.tmp

Filesize
40KB

MD5
3e9bd28cf3ce6eec294a00fc273426ce

SHA1
cafb6ee83081ec930ed090cc84b4ccea062451f5

SHA256
6e7733a6d9457f9b677a2353209f04a96afa069a89b338075ccf583933db00b0

SHA512
f943e872c1b7261d56086c0b478160a617499327c943c5701bdec02cfe57f3677ccc1f2048ca22eb8c3c22479a672b942195e52a31534f0cf6578e49ddefde18

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
40cf6db3e3432def8c2eed08754694a9

SHA1
b27b0b8ed3aebde4e4b769753e98344014a8aa4a

SHA256
c5f23ede545410f6f43878663be943e4f3551dc35ed5334c54660d59d3b5f474

SHA512
064fb29c5fc95f6518945058b9f6c8a9d3275c4c4ccaa9d2ab06ad0a3affbacc50dcfdc31dc92bc63e8235fba63c6c7e97312e462cea08cc962e7e6299672a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
58bf1b0c0d429d0a5301e994e9444ef3

SHA1
f60194eeb8fa5ae94cc352be4ea6d922211cc9b4

SHA256
3a899033ff6727b957e9e3bf8faa2ef19e1423d4e68be26eb5ce451e492dbdb9

SHA512
3a1e37f33d806ea721de382af2ccbe93d6978b9ed7c6143618cda5d842224d1dce6e3075515da705951598c15ea9045b5284096557e1a797c92219183243e8fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
faca20f5e59e3e67df99320c2f7031cc

SHA1
ab07de25d488f941a3248e9f918d48bd5777fb04

SHA256
f778e1d6a6fa16399ea01992ec5366dc694657ba76ca23a24a61162b1f2a48a5

SHA512
849b564cff40714d7c105f8f800ed1214b7657b8cfd4a656cac4dd1cc6458d3781f9c709c7a666b6c9547dc8ab73510090fca570c096a130b12537fe8446953e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
69b5165744c5d9457f9f59ef68488687

SHA1
4651362c414ae2875bc36637ec617c6396f6e10b

SHA256
f28d67de31d1e9418c0bf4f23cac5223189525d70e869459d9931ff65b550dac

SHA512
7e8396f917bfd0693bfe2eebe4c8cbd38e885b1d93e314e0982bb703115072516bfd61e610b597639164b34bb4aab5a5b89f5e217804feab913f09d0db73fe0d

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/932-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/3812-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3812-261-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3812-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3812-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3812-202-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3812-220-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3812-241-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3812-86-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3812-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3812-298-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3812-299-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3812-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3812-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3812-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3812-374-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads