33d0d3e83bffb46142672db6f84c50ae5c622de1b8199f35eba0551aaeee4061

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 20:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3ace9951ba47f39ae09bdd25c6f638fa.exe
Size

40KB
MD5

3ace9951ba47f39ae09bdd25c6f638fa
SHA1

1e1ea79f4ba21c5833db2bc1f4d0c3a4283f22bf
SHA256

33d0d3e83bffb46142672db6f84c50ae5c622de1b8199f35eba0551aaeee4061
SHA512

19d73651e72e980c36814ad376b9c2f4a40b283333c840ec5747b726ed9775ec1506d9522fbd0c00b358bd26acf844442f07c8230707f50397cb8e15fcdc9617
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtH+P:aqk/Zdic/qjh8w19JDH+P

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4736	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000231f0-4.dat	upx
behavioral2/memory/4736-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4736-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4736-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4736-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4736-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4736-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4736-68-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4736-205-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4736-286-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4736-290-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4736-291-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4736-378-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4736-437-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4736-448-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4736-455-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	3ace9951ba47f39ae09bdd25c6f638fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	3ace9951ba47f39ae09bdd25c6f638fa.exe
File opened for modification	C:\Windows\java.exe	3ace9951ba47f39ae09bdd25c6f638fa.exe
File created	C:\Windows\java.exe	3ace9951ba47f39ae09bdd25c6f638fa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 4736	4724	3ace9951ba47f39ae09bdd25c6f638fa.exe	87
PID 4724 wrote to memory of 4736	4724	3ace9951ba47f39ae09bdd25c6f638fa.exe	87
PID 4724 wrote to memory of 4736	4724	3ace9951ba47f39ae09bdd25c6f638fa.exe	87

C:\Users\Admin\AppData\Local\Temp\3ace9951ba47f39ae09bdd25c6f638fa.exe
"C:\Users\Admin\AppData\Local\Temp\3ace9951ba47f39ae09bdd25c6f638fa.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BJCNBC62\S9FYSRHD.htm

Filesize
132KB

MD5
951e393aa18d55f2c1924134413bfe0a

SHA1
9666820bc76696c8b30cc36748545e00a220fea7

SHA256
c36741386b6de931a88a8dfcaf4ea415534025fce36aedab5af49804826c99f0

SHA512
3eecbde0ed086f0ef9ce7b5c5bb4c667387b5ecd1d11fdeb262eb90968165fb0278606ff1eb612a947522eb79fc081f32903272b7e4b7e6ebd41ce89daee7165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BJCNBC62\search[1].htm

Filesize
186KB

MD5
c43c8e654a73d7cb0972eb0922e66654

SHA1
9c0526bceafcc6b5090bd58ee33b1a65be1f8c94

SHA256
e475577f7a5bc5aa0fd046fd3f27939e0c4fa28e80c4e6da0454acd5253c604c

SHA512
4874733e2c06970265087bf77758ce957b9e43255ca2272e03f3740a79ee786fd8917b1b43cbb2a9ec36b0b5f38d835db19e71955ee9af9b087f2c1a94e7f6b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BJCNBC62\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NSWVVUXL\search[8].htm

Filesize
170KB

MD5
c0caab364a44c55c00ff306834527a57

SHA1
967057cb6d7eb117c5ad2589708ca028519e41fb

SHA256
30285d7d5d8c92cf0cf918695d0ed87e5483d9b79a491a354d02a5469b1486a8

SHA512
889cdcdbda8d5cb3161a4dc316d3e4592b2da79cdc1c0a62c9e725450a2a24a9ceacaa7511a0059cd9778d2b94f041e0d635f3e79a6ecd035169471ef89b9545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R977VUU4\75WYW118.htm

Filesize
20KB

MD5
89d46099c645fce526d2da691bc0b6b3

SHA1
1b03f404123a669104291fa8c588473c2bac3b38

SHA256
0b4fe023f10d17bcd31e9a9e3a227d5249bac27d2ab9a9e642f85e5e05ee40ca

SHA512
2c51bfdc82c2460f53eaeedba530d98b8db9c0fbdaf39f1da791ed328b4b16f52b3d7081a89f54c8688cc56becf556b0aa72ed7a55aa60f177d5f7861e7a5baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R977VUU4\results[2].htm

Filesize
1KB

MD5
1f54bb772898601864114ea6f0b12b25

SHA1
6e7988e843cc302509d64e192d18c83b2c7dec3a

SHA256
31c4da7079c2bd7ca47ff1c5088456fefa48f6ab5a5836950d4b255b4b5e0d0b

SHA512
f05085ba7521d70f35eda262962a3b11ed0d76edec90d3c8eeda27f99a947ef519df5191d964c2e1b9fee1db606ae0dd9d7cbbf924aa50d2e872556127479b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3803.tmp

Filesize
40KB

MD5
72cad41406730acb486fad380a48d75a

SHA1
478614b98f5497127d1198b9c5b05a5fcb83069c

SHA256
15af7211ed4421a03fbbaad7db3eba859fe6b2fb17fd74424e8af137fc16ab49

SHA512
029ad03d553529a2feee62e1892aabb2022175a3e3d0f85716cc89dd30b512c162e481e3d5571aeb8106400f3b741fef05c0755775992f2711055491ba72b942

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4ywfuljt.log

Filesize
1KB

MD5
1a1b5e7f91ae03d0b3afa1b16211d3ba

SHA1
b7323ca540b3f51e87f20e46fb713570c03753bb

SHA256
94b3879a9d6da764ac00eaf73e01fe863b5ee024b7aab46323e5070c6df87107

SHA512
cea666a0f926fa151029b3f32bcc106862bba3372c89856217fdf705c83a21b41bb447226791bd400429bfd46fb4f7afcea6804661d4a77f2a44a23b0913b457

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
746a19a9fbcb7c913216817b8a1d45bf

SHA1
626dc38af972f597ba86964f43bfabfdb798fe55

SHA256
0de6870f17e4b7af8968ed97ef25b84fd30ad328031cd05bfb0774f0131d798b

SHA512
c3203dc0fa7c0678a1d86e24f58ca1668b3a1dafe5380a0cf9cc88c026b1f115a721b97cb794c5b5e47ac32268b92b074f4bc65dbf3997a021f1f9b9a2a7f53e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
dac431fe3fd422d20afaaca584ae2744

SHA1
32fd2396b6a97581f038a7b0bb16f6fb5abd383d

SHA256
679c735de5bb42a20163373fb322ff2115052f3bec6ff0af8879f3bf90ff700f

SHA512
69b1c1ff0c98537ac5372c1f32c16e0868b32f28103c9ff8bdd73db03b3dd7bf42492c6976cb62092a53d271f90ddc22e21b1fbf7965f6053c0cd50db72441c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
d99f0e0bc0a1d5a863a88f7552377fd8

SHA1
49177a2e8977a10da46a0a5c0eed15350fd5304b

SHA256
7ae33bb7012d713e11160758ddacfc29155e71ac929ab3a7bd52a5d6cc90e4a7

SHA512
92d855c7af86f17fabe37a68710751c9a2290f4fc80379482b9aaf77ce59ed88c2dbcef3abb3f15c42cb5b3b6436ed30af5e21789b3775d64d3b4ead7a26a34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
0d08c3e1caea57db266fd5500f2d8387

SHA1
34b3614d103e8b3bc2e775957e7dfb41e4e408ee

SHA256
39e3530f6d1b140897329fef3d6d980998f8de0a5dc4314993762d75f684af86

SHA512
97584ac8934733a70640cc5024820c4a01f1356de5f159e9b2ed4c0a581eb46ccddcf6383d257c7b6781152e0f1d134d0d5d60349ec4e1fce049448711e0f1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
184a0f9c0ff6474dfe3de5ca082f789f

SHA1
02e0e080368882a8f750524efa037149dd4befb9

SHA256
6da373b844c06a25b8848e02230dd6f097a0873003f036caf5d308a6e2afb675

SHA512
f218d03d500622b617590bb7632a55f5dacc06f72d125622c5c7a78284d368c5da39a7ff09caa8264db6fc80eca7152a324b7d668f276e1c8e4cd385f874beca

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/4724-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/4736-290-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4736-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4736-286-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4736-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4736-291-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4736-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4736-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4736-205-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4736-378-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4736-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4736-437-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4736-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4736-448-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4736-455-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4736-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads