181b3144d1080ccfa187864402c5aff7624f99f6ecdf79e4863ba17534b9356a

Analysis

max time kernel
53s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 06:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

42fab879a3bcae151498f846fe4248ee.exe
Size

40KB
MD5

42fab879a3bcae151498f846fe4248ee
SHA1

90275309075d2448580bc20b23dd3e627f5e3e55
SHA256

181b3144d1080ccfa187864402c5aff7624f99f6ecdf79e4863ba17534b9356a
SHA512

fa3b8b232d090b59f7fe50ae841f468f24208a3b4ecefc31a17f5d0bee5ac90568204e1383f46a2b4253a7b1efac1c467b2370faf8607a9b3eccdf3704aac32c
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHOH:aqk/Zdic/qjh8w19JDH0

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2884	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2884-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000b000000015658-8.dat	upx
behavioral1/memory/2884-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-57-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-61-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-62-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-66-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-70-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-71-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-256-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	42fab879a3bcae151498f846fe4248ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	42fab879a3bcae151498f846fe4248ee.exe
File opened for modification	C:\Windows\java.exe	42fab879a3bcae151498f846fe4248ee.exe
File created	C:\Windows\java.exe	42fab879a3bcae151498f846fe4248ee.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2884	3020	42fab879a3bcae151498f846fe4248ee.exe	16
PID 3020 wrote to memory of 2884	3020	42fab879a3bcae151498f846fe4248ee.exe	16
PID 3020 wrote to memory of 2884	3020	42fab879a3bcae151498f846fe4248ee.exe	16
PID 3020 wrote to memory of 2884	3020	42fab879a3bcae151498f846fe4248ee.exe	16

C:\Users\Admin\AppData\Local\Temp\42fab879a3bcae151498f846fe4248ee.exe
"C:\Users\Admin\AppData\Local\Temp\42fab879a3bcae151498f846fe4248ee.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
360a92b180f0f8e247e1aed5d30a81b5

SHA1
7034a7fff11d823cbb2739bc5853b74c1dc084a3

SHA256
3c595908ad767ab8f95ea363644d318fb4cff07ec721e4ef30c3f7a1ca1c6a5f

SHA512
b43516c3beffa3188f8ad6f197f8bc8aabdbe9ab0e190145cf52e0e84843b9890042815df5fb673199f4146e119fcc62fcef38caeb2df669a9d08966939ea9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b7f2ac8eb3e89869132c617fe9156b9

SHA1
5d3c96fb6bd8ebb178893eaabe17fd8d99132d2d

SHA256
d657f26e1c3cde817f577d2f1ad11ebf2422afbf08a17249ac3251afe59005dd

SHA512
23751a4fbb9827b4fda70ab997d77af461bcdfb62f6d68166966b9d427cc6610294218f7f9cc27dbbeb4f1e7a29b4e39262e7c7cb3ffb7cbe753721c4dab64c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e567ae6cec4c18f3e9478049c73890a4

SHA1
0048aaf4263f8ae6f33451e61447a2bbf1492c30

SHA256
b02eb20eedc92dc75c5ef7fdcc833cf4f8f169a6b88f8e2d194b1e94914774c0

SHA512
225c514ca5321ab2681f1621527a8948c7d9db28b134559e3ae5daaa3d743b49aa97835661b7246b2672188358c44e4a86e3780b3882a14af93a418067e6f8e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8407c024208641438b536520b88adc5c

SHA1
2aa1abbd8e1b5e80b76552ea459a943516855f24

SHA256
465d45c7ea161003ce8416be88733e2c5baf09addcf19410644e228bda09724e

SHA512
818f4daf6fb53c201ba813a363ee6caafa7f51736fd36ad8caa677ae9d4e9e6add9929bea4d702d4bdfeb8cdea48f2bfe3d8fd33246d556834db253b4aaa05d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6IJYZ6B5\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LFTKP12M\default[1].htm

Filesize
308B

MD5
ccfe63b884fe4225fa33f618a54ce37a

SHA1
bbb0778c1597eafe7fb9c5c65412f8ab04b2e311

SHA256
f7dd5bab49466a4cdb6a7f5a0e07a158f7a1567bd809ed745812469775b33112

SHA512
858f345503c89ba075b374764145fba5b1a9d3440d1628edeab0a3e02cc7cbfbe1119c20747026e69d630ed262d3c91c5073ef06823cf727dfcb11605c7c5ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2151.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar272E.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp28F6.tmp

Filesize
40KB

MD5
4b5c82ac32a8a151cd22ce8bb737e476

SHA1
dca0da9dc26e96bee058d7a433c69e964e2fa0ba

SHA256
792e3d77e8aa4cbb6792120870dd14f7e8408e610f5f70fb3aad93fc4740f4ae

SHA512
546a27cc399d3f6bba63346801e7f9756fc7594c04b059d7c925deed7d992a0d878ffe30df2a81bab637471d047acae486d7808cc9b1c2bcf65dc7227c6bdde5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
95803d69e59f051b37599bcccf105f31

SHA1
1ea2862d99646613f388bd70113e2d6175185d4e

SHA256
e98b75753f9cada773d9faf415227b991a892f9c182bd698da87e608888baddc

SHA512
69694d3b499e74914f4f14323250baf8d288c57efd1550c63b8c2ec51dfb7e1d5ebf03a50a7c40428db759cbb59e170529b96494421fa5d6aa53b135501dbaa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
a2d17c257d70c273876b7f6da95c8826

SHA1
76f4533c4252295c91f3189b1be50760da31a3ad

SHA256
b72e7319c1c4ebf3cab2fbf95201ee899f58f0fb5eac49f5c84779d9b1849501

SHA512
8850163189c6e9ef7386e8954b5c5f708f88bed9ed145c91397e0db1b6ee790f41b47e974e004ed30e4de34459c3db69b404bc5315d3e977a48438b0030de48f

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2884-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2884-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2884-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2884-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2884-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2884-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2884-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2884-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2884-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2884-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2884-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2884-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2884-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2884-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2884-256-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3020-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/3020-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3020-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3020-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3020-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads