3fdcccb712af360ddc0a56ef7038848a6f1197c2008ddae5226ab1bc488d61e8

Analysis

max time kernel
152s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 01:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe
Size

3.5MB
MD5

579dff5b20e6518b1e080ea0aa61b349
SHA1

df28b883b1a9675f439d69458c9dc7300e7105d6
SHA256

01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019
SHA512

31e406c9279b41d72ee37a52ef9c4ec7f675afc2359b6e4e5f6f0adc01ee3707d83a4c593a02fa2c904e35f65ce6f8eb2656eb03262f83e713725bde2156afb0
SSDEEP

49152:c4LE4b+HqDwGU5eYAld0Ogtqxs3iFRjXc0hX50ATeGZk973FB8Vzd4B4eDTRoonV:D44M/V5b+dgthyvjXcCpluQBRMBV

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
220	plink.exe
4472	plink.exe
4340	plink.exe
1620	plink.exe
4244	plink.exe
1720	plink.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4300-0-0x0000000000800000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4300-9-0x0000000000800000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4300-10-0x0000000000800000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4300-15-0x0000000000800000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4300-16-0x0000000000800000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4300-20-0x0000000000800000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4300-21-0x0000000000800000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4300-24-0x0000000000800000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4300-26-0x0000000000800000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4300-28-0x0000000000800000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4300-31-0x0000000000800000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4300-32-0x0000000000800000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4300-36-0x0000000000800000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4300-37-0x0000000000800000-0x000000000171E000-memory.dmp	upx
behavioral2/memory/4300-41-0x0000000000800000-0x000000000171E000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe
4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 220	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	62
PID 4300 wrote to memory of 220	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	62
PID 4300 wrote to memory of 220	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	62
PID 4300 wrote to memory of 4472	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	100
PID 4300 wrote to memory of 4472	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	100
PID 4300 wrote to memory of 4472	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	100
PID 4300 wrote to memory of 4340	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	104
PID 4300 wrote to memory of 4340	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	104
PID 4300 wrote to memory of 4340	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	104
PID 4300 wrote to memory of 1620	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	108
PID 4300 wrote to memory of 1620	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	108
PID 4300 wrote to memory of 1620	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	108
PID 4300 wrote to memory of 4244	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	110
PID 4300 wrote to memory of 4244	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	110
PID 4300 wrote to memory of 4244	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	110
PID 4300 wrote to memory of 1720	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	113
PID 4300 wrote to memory of 1720	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	113
PID 4300 wrote to memory of 1720	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	113
PID 4300 wrote to memory of 4992	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	115
PID 4300 wrote to memory of 4992	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	115
PID 4300 wrote to memory of 4992	4300	01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe	115

C:\Users\Admin\AppData\Local\Temp\01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe
"C:\Users\Admin\AppData\Local\Temp\01269ee1d4deac64329a2e77573ce1eba40024162a922a7331f1785484bf1019.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test70EDEEB39D3239E9D658B3BFD9465DD0; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test1509ABEC1632418D76DC71AA62F1AAF5; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test956476DC2D0F4EBAB796B612DCA2D819; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo TestF474E2100FCD94555D92F80F1CD47B8B; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo TestC6E041078FCF7A99E2FDA87DC2DF6F98; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test79AA69F1AD61787D0B1CC98A753FD894; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test859DB2408EF7F5DB1015B154FFC5ABDE; sleep 53; done;
  2⤵
  PID:4992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
6d755f5c0b4c316095034da7b0388c7f

SHA1
7f922c18297e52ea7cec892eee018233d047e5c1

SHA256
ad6b7be99f76d70d88a1587338eb2c61d340fa58268af69eef5e244cff8bba8a

SHA512
067c42e28084f5ddd62a9fc39eec40991aaa100846f7e67b1a69d557762830dae12d75c5fe0a9e29293f5a3393b5529acf659b382a8568c1f10f37f2ff0a0edf

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
c714c6b14823341bcf7759a11c5bc83c

SHA1
92ad9e2f98a020a57e05ae387256d83b5722b9c1

SHA256
11aedcd16ae67388f1d6ad8b32ecdfb5f5ef25caf3841deb94156c32d11403f0

SHA512
4dd2e1adda2cea4e7e59243f61fa793ade8ba1c3e18138a81a6f92d29308da7153865327a2f1c5da833da60a0e3168312ac2e877baeb6a02d16eeda72894d1f1

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
c2485400e7496ca676b55bcc20daae7f

SHA1
a92c87acbac49aadce67ea86ff25752214c6f2fd

SHA256
e815481c3d98066da483ec4df27eb5640846b642d3f89011bf179e10d0c92cd3

SHA512
719c03fb67af1e816e8e17847ae0316255feeb0e76d98fe340e8485cf75496d3cf79505a90eef0f2c28d2496612382a33d55b81d5d4a5899c674243d4d6b79f4

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
36ef3d02a85bde1d58d082d7d1d7fad1

SHA1
f4581344aebe0cdb04fc2f9daa482b79e26c021b

SHA256
8e2b9bcea9c7aa7c129b10f3904e84d0dd7c543b86dc55eb88615ee9aed78e08

SHA512
9f1f579e90ec8fd1cfb2263734b7ca3b1347c27be7e8d2ca425393b67b54c6adbe94b896dda8baf89d199b390bc93b0c3670bdec5cf1f4f0063f7a9ee2ac4557

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
1bbd28d71b6a35c1e4b85c40923d9a9f

SHA1
32bf9a80c6fc7ff3cda35fa76959fed733539609

SHA256
8638990d6f8d0fb87a48536f6261bca95dcf72aca362d2ce8a15bc679f28b4c4

SHA512
eb74ad312e0373bcd0cf9d97dcb6daa27a44a6dbccd62a9d38c26efbe9c69de4909fc0d7f37af91f782a093b77385ab5b632e15866ea29b08f60c18226671afe

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
4541c396fb7891e2aea5839af3b77ac3

SHA1
d8b8dc0c85554dcd7d79c630e7c48648a38287fb

SHA256
ee1c10590f1c8df1e79f96f5a9f6cc638f6a59b2307b13a1327534e7497c4271

SHA512
853838f78adaee248cc3c779fcbfb4659b7b413e8ed58ad82290966d87181de85cd426eec7b9724332d94ab8096ea098ef0f0058cae82ed5a97f4b583c9c70ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
17KB

MD5
26e230c704c729d0509473f1f80c3f35

SHA1
8f52279f2322a1795d8db315217eeb7543d2aeb5

SHA256
554c28626dad21e215192c485b36f21e1b3ecb211d413e59bc26e95941a65e65

SHA512
ac93bb0f5a0132858c8f109100358eb0785392cb9afdaac1c79cb836902b05a7329f7262b9132d2ca8e88a8d99682fcfbdaf2fa8eccc48d83d9f97d3291e090e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
36KB

MD5
475b215c21ccea931c9581dc05cdde22

SHA1
3eff743c100d2a4337004c6fc5bc4b5155af69b0

SHA256
4278826ac60b1bc71c7ee6c98ca7cc3abf2d80ab35a494d7e9eea6fcea68963a

SHA512
6bd50478b56499ba1f8ff0fce0e0067d765a08fd8733044d11bc99399f01eb5fbdb55afaf6fe1e3b26fb152f07273d541c8f9eae3147fffdd94271ddd9fb9b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
48KB

MD5
0453b61db36681a9ec272fe74988e78b

SHA1
f7a80fca91d654c2ef5aba9fc02f13d11bd22e87

SHA256
66026c20fcb58ab4a89420b41434875cb3c1d004e7a02380bdc5ad53d24514c2

SHA512
2be00969b8d33c11161b4a4ce87eef2c6dc48a656d974e0fa536f96f9c753ffdfb232f18e86bf5a0cc9ff97b54a55d1c6a8e9da890112f585290864babb078e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
15KB

MD5
aa1a23d63b818079551957541f9de9ce

SHA1
fd0dc9f206ed799009e1543f20fd1fb5d026e4c6

SHA256
ab3347631138f5f3e473b1c7fcc949403c7d4bf64d0122cb9388e831a3c156d9

SHA512
28b78c005b6318e7a6710792be52196dbcb6a099ed758294e712d2aa090969509665629d056e43953c1fbf61fc2d13ce1736a3a2c80c16541e820d0d3c2b3346

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
14KB

MD5
eba4328801e0e7845e2b47f7f80c3a3f

SHA1
b0548d786eeac37d9ca410acd7075d33e29cd638

SHA256
36599541c42937685fe9bc18f3e9c044df49dfa9c2d72aa6f88920565f8f1c04

SHA512
44091eaf873efc58b77c7f3f94fb4a947b2c44d43960b968789179447491f5555dfd64b6d3fae8bbffa3c0ac78e9682e75ef08cfc07788c62a47655e16fe9f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
68KB

MD5
c3ffc3eb2341aad54930805bca399498

SHA1
0606bee5a476590300e57f9739b0e14069806bb7

SHA256
dec852eefb78a91b331226a939f69f5aabe02b4049cfdf555963679f6cc0d306

SHA512
c48ed0b6b25222d5284c6262aa86684b2e1f207222bae634c2718f2dbfab48bbcb6ae09a1ba6d6097bb20dc7c2eacf9c00df100df63a5e5f44a65ee1fde4c9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
1KB

MD5
cae20a27294d1e0a799b2bed7f2a35bf

SHA1
0c2fd2662d350665a8b736b5ffee215e0bc88c3d

SHA256
63a225225c6fd6cae47ffcea79621ffd8ce1744f2dd77ab24e829fb74b3efc75

SHA512
60e9e88a11ee04fa2009907324a545b7038814c49b77cbb0c11660892d844a7be5c15ff82c2fed28b9d9294d4c67a5710157571caefe89b7532e4ee6c227ae07

Download Submit
memory/4300-1-0x0000000003760000-0x0000000003761000-memory.dmp

Filesize
4KB

Download
memory/4300-31-0x0000000000800000-0x000000000171E000-memory.dmp

Filesize
15.1MB

Download
memory/4300-20-0x0000000000800000-0x000000000171E000-memory.dmp

Filesize
15.1MB

Download
memory/4300-9-0x0000000000800000-0x000000000171E000-memory.dmp

Filesize
15.1MB

Download
memory/4300-24-0x0000000000800000-0x000000000171E000-memory.dmp

Filesize
15.1MB

Download
memory/4300-26-0x0000000000800000-0x000000000171E000-memory.dmp

Filesize
15.1MB

Download
memory/4300-16-0x0000000000800000-0x000000000171E000-memory.dmp

Filesize
15.1MB

Download
memory/4300-28-0x0000000000800000-0x000000000171E000-memory.dmp

Filesize
15.1MB

Download
memory/4300-0-0x0000000000800000-0x000000000171E000-memory.dmp

Filesize
15.1MB

Download
memory/4300-21-0x0000000000800000-0x000000000171E000-memory.dmp

Filesize
15.1MB

Download
memory/4300-32-0x0000000000800000-0x000000000171E000-memory.dmp

Filesize
15.1MB

Download
memory/4300-15-0x0000000000800000-0x000000000171E000-memory.dmp

Filesize
15.1MB

Download
memory/4300-36-0x0000000000800000-0x000000000171E000-memory.dmp

Filesize
15.1MB

Download
memory/4300-37-0x0000000000800000-0x000000000171E000-memory.dmp

Filesize
15.1MB

Download
memory/4300-14-0x0000000003760000-0x0000000003761000-memory.dmp

Filesize
4KB

Download
memory/4300-10-0x0000000000800000-0x000000000171E000-memory.dmp

Filesize
15.1MB

Download
memory/4300-41-0x0000000000800000-0x000000000171E000-memory.dmp

Filesize
15.1MB

Download