226dae0dae72efe20eee8e8183fa3a11e0fa5c4f38b1ab06cf976161b29d8ca5

Analysis

max time kernel
167s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 01:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe
Size

3.5MB
MD5

3294588e1d808f8a6d15d347fb127621
SHA1

58e557ad5b1fadfda05f0f6893443a4e5acf1970
SHA256

6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac
SHA512

edf0d93ca1376d53f10df5599d5b530a3505d5ef1dc62af15ee6c23bf92d453ad8fe20e8fd7c11823e0a6e43d305ad6c32a11308fbc7e9ac09cacb37a0740b13
SSDEEP

98304:HrO4Ot1R2nUZh+pMh1RzRAaETtMlj+G+tD:QtL2nKh+qiScG+t

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
1016	plink.exe
2940	plink.exe
2160	plink.exe
4448	plink.exe
2796	plink.exe
2060	plink.exe
4808	plink.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/608-0-0x0000000000800000-0x0000000001713000-memory.dmp	upx
behavioral2/memory/608-9-0x0000000000800000-0x0000000001713000-memory.dmp	upx
behavioral2/memory/608-10-0x0000000000800000-0x0000000001713000-memory.dmp	upx
behavioral2/memory/608-11-0x0000000000800000-0x0000000001713000-memory.dmp	upx
behavioral2/memory/608-16-0x0000000000800000-0x0000000001713000-memory.dmp	upx
behavioral2/memory/608-17-0x0000000000800000-0x0000000001713000-memory.dmp	upx
behavioral2/memory/608-21-0x0000000000800000-0x0000000001713000-memory.dmp	upx
behavioral2/memory/608-22-0x0000000000800000-0x0000000001713000-memory.dmp	upx
behavioral2/memory/608-26-0x0000000000800000-0x0000000001713000-memory.dmp	upx
behavioral2/memory/608-27-0x0000000000800000-0x0000000001713000-memory.dmp	upx
behavioral2/memory/608-31-0x0000000000800000-0x0000000001713000-memory.dmp	upx
behavioral2/memory/608-32-0x0000000000800000-0x0000000001713000-memory.dmp	upx
behavioral2/memory/608-33-0x0000000000800000-0x0000000001713000-memory.dmp	upx
behavioral2/memory/608-37-0x0000000000800000-0x0000000001713000-memory.dmp	upx
behavioral2/memory/608-38-0x0000000000800000-0x0000000001713000-memory.dmp	upx
behavioral2/memory/608-42-0x0000000000800000-0x0000000001713000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe
608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 608 wrote to memory of 1016	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	92
PID 608 wrote to memory of 1016	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	92
PID 608 wrote to memory of 1016	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	92
PID 608 wrote to memory of 2940	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	103
PID 608 wrote to memory of 2940	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	103
PID 608 wrote to memory of 2940	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	103
PID 608 wrote to memory of 2160	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	107
PID 608 wrote to memory of 2160	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	107
PID 608 wrote to memory of 2160	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	107
PID 608 wrote to memory of 4448	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	109
PID 608 wrote to memory of 4448	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	109
PID 608 wrote to memory of 4448	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	109
PID 608 wrote to memory of 2796	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	112
PID 608 wrote to memory of 2796	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	112
PID 608 wrote to memory of 2796	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	112
PID 608 wrote to memory of 2060	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	114
PID 608 wrote to memory of 2060	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	114
PID 608 wrote to memory of 2060	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	114
PID 608 wrote to memory of 4808	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	116
PID 608 wrote to memory of 4808	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	116
PID 608 wrote to memory of 4808	608	6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe	116

C:\Users\Admin\AppData\Local\Temp\6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe
"C:\Users\Admin\AppData\Local\Temp\6e1806c27f6cf547af6aef078b2bbfdd9343a495bf3f5da4e92368ee86c004ac.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:608
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo TestEF3B52F463A516F5D7B01983F9502C33; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test27822F15756DBBAA9FE6CEA023779AE2; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo TestDCB590D75D80428CD3BC6360CA39280F; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test7173E5AF79058D567845ACAB56F157E6; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test2045EB098FA3304B7E68725B0D50AB11; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test5AD9F6A695DC3BBC2FA8C318EC095459; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test5C28E5CF0B25331E440BE05F4BF66038; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:4808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
4d630a930db3c12d2d2da8f76af3236e

SHA1
bd8e241a4021c97924e9a2cfbdddab8eb46f8f9e

SHA256
83606446322b5d5bc93003557cab1f87ff25d88ea6d82b2cc2a013ef5b27a568

SHA512
af8f4ba5b12d9a1981431783f9a1f00652748b165cc3c4fa6598b215005ef10b5ee09a57a34225024f4affaab069fff9df56ab83f49214cd9e82942c9cb8c62f

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
24f7b1b641aa8c7a1d5de7b762c17040

SHA1
f083a87e898c43ac8a4465771e24c3c62c8ca870

SHA256
e9526edccfbbb40863aca72ef93cf97f5771defb70ac4d235d3265cd7cd4c03d

SHA512
7f9bff1479653e5c5d418cbde114149e71295228aeede995eb20bafaa429dcc33f11335e1621a9f6b124742e54aff10987a8e7c111a58251c469ef64269a0c59

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
9c75cff5a265777d79e05d4fd3f7d81b

SHA1
a9a52d8454448cc01ab6bde8233212f7881203d6

SHA256
ede57b4e6abed13d38d9b0043aa691f9db4a1fc4881e45d9e4ae91ddd9084846

SHA512
0d69808185d9f729f494629e208248161ef553f45dfb1b88e4c079c6fea5cde88bf212056bc98597a0cbf5bf7554d3417e2359e43ebeb4e5f68fde7d94bfc4c7

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
29eed3a0382f482f52cd792dd9fadd51

SHA1
068532a35a69b42b8c7f5f73b4b4db3bbf7b0eac

SHA256
b2e91036190008c1894020e69d254dea8c80ed58d347057962d52a5fdccae8ea

SHA512
ca5044d9a62c508f34d57d429d8537f47e1549584067e1ed1038879c4acbcb107a0e38949c01308be52d44e543654cdc959bf13bc02cbc52abf8194916441035

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
fbc09cc7c6ba35cc0fc00a4460186041

SHA1
2cc3621a9bf509acda1a1f11415a529f790f256b

SHA256
0b7d40b5f8ccafaba1ce933ec1e1ffa0ba69774e6e17c41a76b19a3380dd2bca

SHA512
9d9979db840476c19724c69810359dbf6e52984480f5f62c0c9c52c25abfc8d00fe67af110eaa66472e1acec1e587543f2720812f674c3870d94dbf77b0d39d2

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
74b658af67832dcb0f0126bb51cab3da

SHA1
412f8a112b831912f63fc360cbc31afb5175cc7b

SHA256
1fe396ad9398fde0b2905507b6b51b2f5172ca85d22e4d5eb8e03b32833f406a

SHA512
9dd6b34111dbe02974964f94eeb9d850c24cc987308334525a77156057b1d86f5416b3280d2ee6e42cf701f8407e2026484989a64e707a15d5516ee825d3046f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
38KB

MD5
b33759d4cffacc790b262310296ea18f

SHA1
8f87660b77665e0fe443421c10ce98388209eaa3

SHA256
12013755d134683eed24979a0ba2e6445ec04a2e0a17fac24941c61fede9a15d

SHA512
76f136cd339a21ae84162a180f1de315c16224ade9cced10af1c0b07f86e3d1d1a2b920d584979f49808277cefb47546f01e0c05d67f05dc1b56e04a1d716ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
56KB

MD5
ef363a791f29e091d748f034cacec8aa

SHA1
f49564bcfe8d30748e0f4bec38f1f18b1609f217

SHA256
6c0df75ca62e41a22420f3ad16eba34769fe3566a23a1add1e5cbc20e1399b1e

SHA512
00d4aca282fb874b776e269c72b75939643e57b3e8c86818229aff516d547ca0b66a7bbdb9a28e45ab83cd5d309f4187c211f0da902966f53ab7fea607d23600

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
75KB

MD5
072829368701c12ebeb3128368885e33

SHA1
9d0fc5e349d41077048de26b39fec53f8d4ffc60

SHA256
85556aaab951b7bd791303052a830dc78524fcc24f40645e59954f085d3f5184

SHA512
c81c483bf6658035cbb6380f1d22d511978cb1a4597b856e626e32dc7587218db96afb0aac1fdd4077d501eb2b34261aab9f959912cb97a7af3257ad1f54c55e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
6KB

MD5
06a3133d3c033e235ffafdba7d5879d0

SHA1
7fc7e27d9060aa432f577872ec4bc068b892a656

SHA256
7929756dad6ba4bc8b2284eb5f9c7870675f85b67f906cb30a185eaebf5594a1

SHA512
77109c31d5e4e66771d145355ba855edab00f5e6cab1bbb23ae5652f3eeabecaed009d5f9ac9b259ac06feb12e6c56f6939b3f4a2fc85a2dc3e3118db673f922

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
1KB

MD5
10e4dd4cd9169bda301c39f87be07b40

SHA1
69d1e344eac944bbd11eecd3f1899911782e8146

SHA256
b3e6176b1b283d5004500c469e9bc3d782fc3f6ee9e18178a58890f86a567d8f

SHA512
a0119cd5e19d3baadc95bfd4cf5341facedcfe6af8c5855af5cceb957aa3e8e0b67e91995b1fb8d064a357c8cb34cc6ec1ef8754a428ee916ccabe7f2feb4b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
22KB

MD5
bd7d3f30030332e9874e827665a43d4f

SHA1
81695eb0581fbcbd5f8999b451c799661b5aad04

SHA256
37d9124627a2db972ccbaf32f0099a9307e534466a00b90208c58d7bff5834d7

SHA512
d611fdb46605a8e470c68d9d4a08fe06e8f862b168f7730f86f7ccc805855822a024aa839d0f49cc122a76187c9ea8a028e7e0f4c17ae8e70727fdbac323312e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
92KB

MD5
021c3d8f2529724d06e6e742111e6f28

SHA1
e64fd4437d61467f481066cd611875f9e81d0e1c

SHA256
778380630e5759feab174a4caafb70bc4fe66d5432cb3ab6312f55882c18e831

SHA512
77742ba3f7fb4926c7db862471727db5b2ed01702928fb3d67981b31e5ae870fe836d877a2beb7abea00b3c1f51dd1e86572a7d8bbb824066ad027b6ea7325b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
72KB

MD5
9cb3e7c37c79226c123d2af224f0c23d

SHA1
9bb366cb383218a1eb056ab708634de3e90cfeaa

SHA256
f30e3e166529092eeb425fa10333feee6c3cf318733ed1362ced81a9f0884987

SHA512
d448e8a25523ccc0b77b1a701137fe6452d8182f260fa3690565ff7d24c7d55fa2a0b3f6d8f8c233429aa22ed574cae9ca762dccd0a0212303fbe16683cf45fb

Download Submit
memory/608-27-0x0000000000800000-0x0000000001713000-memory.dmp

Filesize
15.1MB

Download
memory/608-32-0x0000000000800000-0x0000000001713000-memory.dmp

Filesize
15.1MB

Download
memory/608-0-0x0000000000800000-0x0000000001713000-memory.dmp

Filesize
15.1MB

Download
memory/608-9-0x0000000000800000-0x0000000001713000-memory.dmp

Filesize
15.1MB

Download
memory/608-26-0x0000000000800000-0x0000000001713000-memory.dmp

Filesize
15.1MB

Download
memory/608-15-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/608-21-0x0000000000800000-0x0000000001713000-memory.dmp

Filesize
15.1MB

Download
memory/608-10-0x0000000000800000-0x0000000001713000-memory.dmp

Filesize
15.1MB

Download
memory/608-31-0x0000000000800000-0x0000000001713000-memory.dmp

Filesize
15.1MB

Download
memory/608-22-0x0000000000800000-0x0000000001713000-memory.dmp

Filesize
15.1MB

Download
memory/608-33-0x0000000000800000-0x0000000001713000-memory.dmp

Filesize
15.1MB

Download
memory/608-11-0x0000000000800000-0x0000000001713000-memory.dmp

Filesize
15.1MB

Download
memory/608-17-0x0000000000800000-0x0000000001713000-memory.dmp

Filesize
15.1MB

Download
memory/608-37-0x0000000000800000-0x0000000001713000-memory.dmp

Filesize
15.1MB

Download
memory/608-38-0x0000000000800000-0x0000000001713000-memory.dmp

Filesize
15.1MB

Download
memory/608-16-0x0000000000800000-0x0000000001713000-memory.dmp

Filesize
15.1MB

Download
memory/608-1-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/608-42-0x0000000000800000-0x0000000001713000-memory.dmp

Filesize
15.1MB

Download