6d92a407d6e9cdd9b192ed6d44d605256d697853a70b4559161fb4ded5f003a0

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 00:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

78c16c55c85f96d89832aa167999be4e.exe
Size

28KB
MD5

78c16c55c85f96d89832aa167999be4e
SHA1

724e8fc0f2f388b37a11b71672213e21d078d86a
SHA256

6d92a407d6e9cdd9b192ed6d44d605256d697853a70b4559161fb4ded5f003a0
SHA512

ac5b0cbd2dd4be2b6c448304fd91ac5ed02ca7eeeed0716651a20abf942a3ff804e597696d9932383829e6a7b4faf42889803dc6b603e5b9ed4c1a299e45af96
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNsGA4k:Dv8IRRdsxq1DjJcqfRGTk

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3312	services.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3544-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x00070000000231ff-4.dat	upx
behavioral2/memory/3312-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3544-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3312-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3312-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3312-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3312-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3544-30-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3312-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3544-35-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3312-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000c000000021569-41.dat	upx
behavioral2/memory/3544-133-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3312-134-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3544-155-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3312-156-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3312-161-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3544-162-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3312-163-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3544-202-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3312-203-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3544-237-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3312-247-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3544-283-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3312-284-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3544-318-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3312-320-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	78c16c55c85f96d89832aa167999be4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	78c16c55c85f96d89832aa167999be4e.exe
File opened for modification	C:\Windows\java.exe	78c16c55c85f96d89832aa167999be4e.exe
File created	C:\Windows\java.exe	78c16c55c85f96d89832aa167999be4e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 3312	3544	78c16c55c85f96d89832aa167999be4e.exe	85
PID 3544 wrote to memory of 3312	3544	78c16c55c85f96d89832aa167999be4e.exe	85
PID 3544 wrote to memory of 3312	3544	78c16c55c85f96d89832aa167999be4e.exe	85

C:\Users\Admin\AppData\Local\Temp\78c16c55c85f96d89832aa167999be4e.exe
"C:\Users\Admin\AppData\Local\Temp\78c16c55c85f96d89832aa167999be4e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BUOTXRX9\default[2].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BUOTXRX9\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J6M39GIU\default[2].htm

Filesize
302B

MD5
769768a36c7e2fcb2db7f35ef986ce82

SHA1
0b6699476462d2139e553f0f78ff46890d37d336

SHA256
f262291ff7be8b0e2e846525c772c214799fc26b244abad6a686c7c4ff8cbba2

SHA512
2fa0310627270dac3f4e581bef0036743eed32403f913c833aeafdf7fac373ccfb0117cabd94725dfee672345ca3f46182377340e15e2fba38a874946683ee67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K44LV95Q\default[1].htm

Filesize
310B

MD5
2a8026547dafd0504845f41881ed3ab4

SHA1
bedb776ce5eb9d61e602562a926d0fe182d499db

SHA256
231fe7c979332b82ceccc3b3c0c2446bc2c3cab5c46fb7687c4bb579a8bba7ce

SHA512
1f6fa43fc0cf5cbdb22649a156f36914b2479a93d220bf0e23a32c086da46dd37e8f3a789e7a405abef0782e7b3151087d253c63c6cefcad10fd47c699fbcf97

Download Submit
C:\Users\Admin\AppData\Local\Temp\axeNPq.log

Filesize
1KB

MD5
7d4e6c8ce8413ba1856988fe8e8768e2

SHA1
efbcc6562097b78754e09b1188cbec0e6d0c03b3

SHA256
771db5c88343e61dcea6f9cc534e334230c2b4f99ca15f3f32f95a15f9baa0fa

SHA512
3bbed35e23a7f7253bf9ad49d767a3a0b9a51b44e2d1d06e278492bd9f93db969ad43bc169e971f10ab1b81842959ace37a2eba2c9d70f69103e17767ddd374f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5752.tmp

Filesize
28KB

MD5
58d2cc46d3f6c3fccbca47c82bad16f2

SHA1
e480961d4d9a8062e3dcd8e99c6a1fca21e43f56

SHA256
668dd33aad527effabdaf126076d4a5b948ca3d7dac173081445f6dd053b2fc0

SHA512
93b365ac38e95f5596c1ca0c56eea4b7f6b91a4fc1c25edb2ee217ea29c4f7ce65888a6e3ccb0eb9016f1c6b74ed9ab2bbb15a071c28cdb0ab4c2f940e8e2ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
515d328ee823de8256e2990fee867e8e

SHA1
96f7354118a0745e229d4599061fa16282d15faa

SHA256
4a29d16f1a885ac78aed301a43e6da0dc449a430362b00d8be03be10268cbeb0

SHA512
85eeaf814b477e5e04cbba681f612e5042bbdb6f11a00fa6e2dfad348217107119fb791be54bb856cd2a2dc1259c091017f5ae929ac624f5fdd9cdf94e52e0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
d7282cb2e6a3f3c06404736accff123b

SHA1
edc3f73a84c2bcd4b9d47399f1ab10ed69aa4105

SHA256
b502a63949a10af1a58208dba042bdfce4b45a9e666471de7bbcea43186f7038

SHA512
1c3d0052c6d2f01773cd03227cb69e6b7e68c475362ec5575118673c12f5d61c156d067f75138acafe4d56a6a8930684c28c70ef3f8723852d166ab5ccc640ad

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3312-203-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3312-163-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3312-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3312-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3312-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3312-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3312-320-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3312-134-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3312-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3312-284-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3312-156-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3312-161-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3312-247-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3312-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3312-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3544-35-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3544-202-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3544-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3544-237-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3544-162-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3544-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3544-283-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3544-155-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3544-318-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3544-133-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3544-30-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads