9f0a340e88ac887a2aa952a543ba032e0f8dc06fa7f158e1f38ae8fd76080cb1

Analysis

max time kernel
158s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe
Size

3.5MB
MD5

93ad02887e486f489b1156c368d685e9
SHA1

9ab1f0c6e202c39961e1230b4e0a4de4fac4a2ea
SHA256

7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124
SHA512

c73008b80de0797efc5adad177077bacbe8439bfcfef3c534fba109f31b7ef96e7190f7d35620c73da24dd7608694debc2af20f195f1cbfb15823e3e225882dd
SSDEEP

49152:5AYiVCsdEB9Z0YRTlO5hAN71TyXC++E5R7b/IWuRRKA1lfHiF/ipwCfz4mCKa4ys:5AY9x9KYRJuo/zIrGblr37pC4yePDqQ

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2128	plink.exe
1468	plink.exe
3188	plink.exe
4192	plink.exe
1216	plink.exe
4776	plink.exe
800	plink.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2036-0-0x0000000000800000-0x0000000001711000-memory.dmp	upx
behavioral2/memory/2036-9-0x0000000000800000-0x0000000001711000-memory.dmp	upx
behavioral2/memory/2036-10-0x0000000000800000-0x0000000001711000-memory.dmp	upx
behavioral2/memory/2036-15-0x0000000000800000-0x0000000001711000-memory.dmp	upx
behavioral2/memory/2036-16-0x0000000000800000-0x0000000001711000-memory.dmp	upx
behavioral2/memory/2036-20-0x0000000000800000-0x0000000001711000-memory.dmp	upx
behavioral2/memory/2036-21-0x0000000000800000-0x0000000001711000-memory.dmp	upx
behavioral2/memory/2036-25-0x0000000000800000-0x0000000001711000-memory.dmp	upx
behavioral2/memory/2036-26-0x0000000000800000-0x0000000001711000-memory.dmp	upx
behavioral2/memory/2036-30-0x0000000000800000-0x0000000001711000-memory.dmp	upx
behavioral2/memory/2036-31-0x0000000000800000-0x0000000001711000-memory.dmp	upx
behavioral2/memory/2036-32-0x0000000000800000-0x0000000001711000-memory.dmp	upx
behavioral2/memory/2036-36-0x0000000000800000-0x0000000001711000-memory.dmp	upx
behavioral2/memory/2036-37-0x0000000000800000-0x0000000001711000-memory.dmp	upx
behavioral2/memory/2036-41-0x0000000000800000-0x0000000001711000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe
2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2128	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	92
PID 2036 wrote to memory of 2128	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	92
PID 2036 wrote to memory of 2128	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	92
PID 2036 wrote to memory of 1468	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	99
PID 2036 wrote to memory of 1468	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	99
PID 2036 wrote to memory of 1468	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	99
PID 2036 wrote to memory of 3188	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	104
PID 2036 wrote to memory of 3188	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	104
PID 2036 wrote to memory of 3188	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	104
PID 2036 wrote to memory of 4192	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	109
PID 2036 wrote to memory of 4192	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	109
PID 2036 wrote to memory of 4192	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	109
PID 2036 wrote to memory of 1216	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	110
PID 2036 wrote to memory of 1216	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	110
PID 2036 wrote to memory of 1216	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	110
PID 2036 wrote to memory of 4776	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	115
PID 2036 wrote to memory of 4776	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	115
PID 2036 wrote to memory of 4776	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	115
PID 2036 wrote to memory of 800	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	118
PID 2036 wrote to memory of 800	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	118
PID 2036 wrote to memory of 800	2036	7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe	118

C:\Users\Admin\AppData\Local\Temp\7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe
"C:\Users\Admin\AppData\Local\Temp\7da10a26035af9b255ce6d21589777083e5999d794a858f86d936f41ff172124.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test37733F314BBA069CBB2FB00D5207FDA9; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo TestE385E1CB11BE66B595C98D5486AE8C5B; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo TestB4D7E15D499D32648986DC02336CE38A; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo TestEA21F4FC2056318E4532195AAC3B3EA8; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test5E3C6172F6BCD6199682D05245CCF15E; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test7F2F52EC8A1DE08A5706E09785EEE9E1; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe" -v -t -pw "Xooviet0" [email protected] while :; do echo Test48EFB0CF7029F8F1CE41A2C03AB54F7E; sleep 53; done;
  2⤵
  - Executes dropped EXE
  PID:800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
acdaece20a371cfc5d3b31ed90bf9cc9

SHA1
e58eec80b024063710721db5331e90e4c7198d84

SHA256
d9b4dcf5cc14724839f8fb673c16e08146994d3340beba5fe3594e0fa2129c03

SHA512
5dcc66093fc5307d836c9836927fccf7a6b46bb79d900725f4799c6a587ec11074db2a2efa0450ac865e1a627f9ca96a9fff08fddb94955cd414e107a684d25e

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
9d3b67316408de18f6001cc67e3c9750

SHA1
4573bb25198092176f6489a0eed182444fbef3b0

SHA256
e2af330227797aed2eac9fc4e76c5a1e4076e028756264926318e63f38f66d0c

SHA512
9fa95e0f20812f591b23a2fc1f2bd846c52892cc77cb3345c6f44164fc4dc399e603d79925cd2b9e13df5531087e79d9eb87c43b4ff81ea840270148ece03ef7

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
dc1e70e21783dd3c32e81c948223cdb1

SHA1
2f3ac3998557417593e99a8ce661d9d1af128396

SHA256
572a40c7ec626c1d028a044601a3fcc95977bbfa832c8c1e2f89758bd5ecc03d

SHA512
35c5baf3bb12c35c2edd0517e8aa2fb4a61e61bb9f698317091239ef9e606764fb42a8199d536c8752cca0b37112fc421496f6157aa502af69b515b36464032e

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
9656ca1a8634f0b2733d24b258b0f5e0

SHA1
1993f422a55e93d373e0e757ccce08e7cab598f9

SHA256
c4a1005a1036025f27e0aeafa4bf378b895e41aeaa76c0834c5968bd111b42b4

SHA512
6f814baa9e9614ef3b94c5516d6c1127202c4f4332d57172fec1ede783ef5ce4e288e597fb9846b31ebcf334fd3e6d1e5828f0c744e6ef87f99feaa619c696d6

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
d30a7508a19fa727dd606f1c9af4047e

SHA1
d43154d70052783fe613e2218077565aeb23a25b

SHA256
2d80d746d7afddd907af3b992dcfcb27d206be6382b40fb6c435c7653322c915

SHA512
ba0c80e6e66cee7023e84fbacd2543f738688739eb9fbc6a0392fa91ea706a9633f31f0e90e5f8c9926bccb486c496058052b4266598ed330d0f824b228bdcfd

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND

Filesize
600B

MD5
37f6ed18b2d5878f9c7c43b94f694038

SHA1
763c277ac2bb437e3c716bf3973346cf6ebfac26

SHA256
b944e18b325527fd495bda43f13e23ff1728cb8308376a5fd132906728d97de2

SHA512
d496488ad42f83937d43ca5f9ff9f8ec02e301aa73f73102a3a7fb0c7c6d492134fb1f7fbe5bf7485ab3749f06d96a4a4aa37d206f9ff19f188deba3dac92a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
533KB

MD5
528248ae133191c591ec6d12732f2cfd

SHA1
7806ad24f669cd8bb9ebe16f87e90173047f8ee4

SHA256
5a21a83dfb5822301896a696f3a1a3e8207bf541e11cd1f2bbb7bc666251d8c7

SHA512
157ef9972baa3b088addba8b67610b597ea4974e4e4abb9dbdb60c031c543183b3e16384a61ac1b4982bb11fe6cf13718afe111222848dcc26c4886299b2317d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
152KB

MD5
3d2b67a0a6168d37fd8661aee9d6c26d

SHA1
84080bd985ca1257af6d78714fd131e3d800a859

SHA256
5893dd774a146d093cf64f46a4b25d14b96b735bf082d02ad94b1eb929a9c90f

SHA512
0889ef4f10e59524ada50fd1aaba10c1dd87c20da7279ae8c0be2d1d2aca1450f2c1abe0b8510d96ea40d5f6237de4927fdd5767114fc49039efabe8e5fb2ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
90KB

MD5
c93279963cdc79783f25dbd866d428cd

SHA1
d63e9f213540189999bdc9d16f605f9411ac3f06

SHA256
3bd4ce0a2338ff190c299ccca8b821917a0483718089b6678131eaae2f265bd6

SHA512
45ab8deb6247b4774a18d0a7a06f3192b9daf5c2d2ed05777109721ec739cbec8266bc552b50ba6822031f076e71761ecad84b4a98bd8f66575377de53dbbde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
41KB

MD5
592fa75746bb31ecf92313c2abd13f86

SHA1
63b7a505726d8ad26524e50476e53a05cd561810

SHA256
b86c9bb09bf2510e8dcb61987319b5d6fb1a173ef15093d6b3d8c449a8579ed0

SHA512
24cf60a4dbc7d53e8e299c398882bd705b5b9d5c9c17e4b39e97a2336c0ef2c8307340ab604ee302105e359f84a4c25b97e81cf9d671d485c168b29687a65875

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
138KB

MD5
5e69314979acd00215dbf9205771ecb6

SHA1
ad0b2cc3f8e6fdccca6495a55ea08dd055324717

SHA256
8a3f45550925d1e42e616fdf8e7fb6852d6c5de5b1b44fcf855e23b6e70601f6

SHA512
d73530add1662a5395a1c4b65faa3120bdacce4f312eb0db25de24ad5c9ebc0621d04a446889be149b9f246243f1e62a1808c02fa80016ccfb3013c88f71570c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
148KB

MD5
8e1cdc1ec1d310af35ea465e2babe962

SHA1
fd2c7526b1c5793b6d943e8ed0958f6b3083ebc7

SHA256
a6de6e922210de1595c64ed4cccc63942484cb8d2b3ab601168884bf121c4c1e

SHA512
46905520c3942c64f42e2d0cb28d460327416e0b9de0a342df12d687e42376f3e3a43f8b75b10add470650f384654ab57fade794a7d19cea3eba676e30d107a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
417KB

MD5
4010e08a2ff79e3f8b3240b36bfc1400

SHA1
82175cd8b43c3c7ceff79b2605d5afa6012a04ae

SHA256
f170cf44f42b99e952490c0d5e08cb67517fa30e8e1742b8e6d5f4a9cec5bfd4

SHA512
55404c3e7942e5e6e6dcd72985f97101dd07d3bdf58dbbc3fc48c0fef78370635c6678b64bb9048b2e3c4dfef5925dadf79bec5723a09e75b84fcdb13cfc41ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\MartemGWS\plink.exe

Filesize
252KB

MD5
0a1f224557dcf2d2a10448ad221f57d7

SHA1
78ea3c1e7a22c07866d74d37442c0c0110885779

SHA256
5c064af06181f4db08c3ff0531736f3cd83742932a25a8ff06017edb1b6e6a64

SHA512
35ff15c7d4a6e43689445185c053c7b52c343ca7b78cb98d160507d03ef6314fa0072d9fb464a5977651940d7be163a0bc628a0f19369da6b1a55e7653e3c20f

Download Submit
memory/2036-21-0x0000000000800000-0x0000000001711000-memory.dmp

Filesize
15.1MB

Download
memory/2036-32-0x0000000000800000-0x0000000001711000-memory.dmp

Filesize
15.1MB

Download
memory/2036-20-0x0000000000800000-0x0000000001711000-memory.dmp

Filesize
15.1MB

Download
memory/2036-25-0x0000000000800000-0x0000000001711000-memory.dmp

Filesize
15.1MB

Download
memory/2036-26-0x0000000000800000-0x0000000001711000-memory.dmp

Filesize
15.1MB

Download
memory/2036-16-0x0000000000800000-0x0000000001711000-memory.dmp

Filesize
15.1MB

Download
memory/2036-15-0x0000000000800000-0x0000000001711000-memory.dmp

Filesize
15.1MB

Download
memory/2036-30-0x0000000000800000-0x0000000001711000-memory.dmp

Filesize
15.1MB

Download
memory/2036-31-0x0000000000800000-0x0000000001711000-memory.dmp

Filesize
15.1MB

Download
memory/2036-0-0x0000000000800000-0x0000000001711000-memory.dmp

Filesize
15.1MB

Download
memory/2036-14-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/2036-10-0x0000000000800000-0x0000000001711000-memory.dmp

Filesize
15.1MB

Download
memory/2036-36-0x0000000000800000-0x0000000001711000-memory.dmp

Filesize
15.1MB

Download
memory/2036-37-0x0000000000800000-0x0000000001711000-memory.dmp

Filesize
15.1MB

Download
memory/2036-9-0x0000000000800000-0x0000000001711000-memory.dmp

Filesize
15.1MB

Download
memory/2036-1-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/2036-41-0x0000000000800000-0x0000000001711000-memory.dmp

Filesize
15.1MB

Download