26d39fe53e724e0579350064b8f695d03b6cf0cb28a9569767635fa64ece2f47

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26d39fe53e724e0579350064b8f695d03b6cf0cb28a9569767635fa64ece2f47.exe
Size

40KB
MD5

48b94a59b3fd593b47dff6fea4733a2b
SHA1

0707f719873840e7ca0094885f87064f930827e7
SHA256

26d39fe53e724e0579350064b8f695d03b6cf0cb28a9569767635fa64ece2f47
SHA512

b8fce8c316ec4e99cc2e47cb7d5f366ce87563194d1d0a0f9b857dddb6b806697ee4aca8e506bd10bb461945adfd844c3ad1efc1c78a1e5faafa8006b07cc3c2
SSDEEP

768:Gq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtH6I:Gqk/Zdic/qjh8w19JDH6I

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
828	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023232-4.dat	upx
behavioral2/memory/828-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/828-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/828-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/828-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/828-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/828-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/828-196-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/828-215-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/828-218-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/828-222-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/828-262-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/828-300-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/828-337-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/828-393-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/828-441-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	26d39fe53e724e0579350064b8f695d03b6cf0cb28a9569767635fa64ece2f47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	26d39fe53e724e0579350064b8f695d03b6cf0cb28a9569767635fa64ece2f47.exe
File created	C:\Windows\services.exe	26d39fe53e724e0579350064b8f695d03b6cf0cb28a9569767635fa64ece2f47.exe
File opened for modification	C:\Windows\java.exe	26d39fe53e724e0579350064b8f695d03b6cf0cb28a9569767635fa64ece2f47.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 828	4564	26d39fe53e724e0579350064b8f695d03b6cf0cb28a9569767635fa64ece2f47.exe	84
PID 4564 wrote to memory of 828	4564	26d39fe53e724e0579350064b8f695d03b6cf0cb28a9569767635fa64ece2f47.exe	84
PID 4564 wrote to memory of 828	4564	26d39fe53e724e0579350064b8f695d03b6cf0cb28a9569767635fa64ece2f47.exe	84

C:\Users\Admin\AppData\Local\Temp\26d39fe53e724e0579350064b8f695d03b6cf0cb28a9569767635fa64ece2f47.exe
"C:\Users\Admin\AppData\Local\Temp\26d39fe53e724e0579350064b8f695d03b6cf0cb28a9569767635fa64ece2f47.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BJCNBC62\44ILYOBS.htm

Filesize
146KB

MD5
7168e17391d15354dcb161bb1af9c08a

SHA1
41e46d82583e59976a75fabd98fef5d2fa248663

SHA256
89a94b6406268f7a7e8acc55091e021768afee927377567da0ba8324143d79f2

SHA512
8cc89eb90b0fe7cbe51bfeb7fbc9872bb04af33a9898e5d60b59e0cc299c43c7549167239eef4d5ac5abb4ba1df1975b43ef2c3d790bee9ddbaad22792af4ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BJCNBC62\search[1].htm

Filesize
9KB

MD5
ca4f9735b0f811eade481e69a18617fd

SHA1
f0b179289b2efc7d95a9e1a4abca6d1229329a53

SHA256
e8db79d3a3f3f004e5338c9b17a8cdf23a2811733276952425d997ece41cb109

SHA512
41e20530ec4c760888f53f60d387d22a8c0651911cc16bd067779caccef45b43a1cd7bedf9914a2e4f0926d0791c5a67484109c84520184a946838f41ffa88e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BJCNBC62\search[3].htm

Filesize
169KB

MD5
3eaea631d01be3863d14f7c819244e71

SHA1
130a85a85981706c97be253e783642481b643225

SHA256
807f4526beff81558e16efcce8f723901aba170002ee132120afb62857fdfc01

SHA512
669f6cbdfaa2eeac1cfdd855092af10da4fbd847c8fda7f60cd4a8223333fed03e030120892756560cead7bcee14165ab8693194430ef6417c85198629cc4fc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NSWVVUXL\default[3].htm

Filesize
304B

MD5
68b8c190a6eab85ea8f4835df8de79c5

SHA1
43832bc2b2457c1431ecbb203f471a21c93ab69d

SHA256
834c833dc3ad979c81ed54b4655d98f59bc679682a6738a3490355ccec21f7e9

SHA512
98bf33e57e5b94a70843489837de4773ae6c709b1e6b77c27280af04c30c33918c7a513c05c17e60e868d13cf8394dc26ea04b000c812d9601edd990b7ea5cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NSWVVUXL\default[5].htm

Filesize
313B

MD5
0d0d1376df3380570c4bb9c520ab38de

SHA1
76971247133bf210a0c5047584be0dcd0066de28

SHA256
40a902c8739b322ee6619ebe215761bc432b3743f0bfc497522e581391fd506c

SHA512
7b492a86e2a1209f8963c614df12a07c889ca33eddcbcd92d59258da249bcbc89d1d352e20f7772022fea597ed23a52b062d4ac6d3ec77c7c01433aed3551c7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NSWVVUXL\default[6].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSO8CY24\default[2].htm

Filesize
304B

MD5
267ddfdbb8d492b25de208d84b290f1c

SHA1
9f57d9f19f25549e1232489a0c101a92e851de2f

SHA256
ef1f87447ae1ab45548d2934cf0dbd15a32b86359ff9fccfa48d76c1badf6586

SHA512
0709aa62d39d419d335183235dcf328e1dfe6997bd9bfbdeb01bb050df8dcab63ec2d4f46e4718ab389fa8e12af66dec2e3019c8871ac6e40927a25cb706c6b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSO8CY24\default[3].htm

Filesize
311B

MD5
215c230635335623c6b1bf5b3b84ae0e

SHA1
a98de5bfab1eef2c02b4578e5d7fd3dcc1141481

SHA256
26b9da0ba2f737d0a226ab6d5b934b0e519aeda10f497cd4738752761ccb7af1

SHA512
5ddb80d7d4fd3d87865ea541098034cf216df76dc34bd41fca62f8c9a21218f1cac5d8a5554e2acc04a2b1ceaf839e5847d14c54f052c9eab43fec28936225da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSO8CY24\results[1].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSO8CY24\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp173E.tmp

Filesize
40KB

MD5
48b94a59b3fd593b47dff6fea4733a2b

SHA1
0707f719873840e7ca0094885f87064f930827e7

SHA256
26d39fe53e724e0579350064b8f695d03b6cf0cb28a9569767635fa64ece2f47

SHA512
b8fce8c316ec4e99cc2e47cb7d5f366ce87563194d1d0a0f9b857dddb6b806697ee4aca8e506bd10bb461945adfd844c3ad1efc1c78a1e5faafa8006b07cc3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
24a330f93e04933bc781abee68d86551

SHA1
d03cf79b7e257900f89e690e17c841e1074df833

SHA256
db17e66be2f164a9240e0b51a10ae6dd48e7fc53b0785ad276057ff7102eff28

SHA512
d5ce30d15e0abcefaf752b0114daeaebf7ef5f19d73cfa0875b87e8a434a3fc706dffa84b1f7db631430025f8ad361c91a65a585de81044b81f0c14f6f9a070b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
7877c91932e34dbc51dee1a78926c902

SHA1
80b3962dd084389d32965e06de312c12563c7c12

SHA256
c16005c42e3ac937ef0ffe2d074e7d24fc2d1e06abe45cce79d18745ef47b4f5

SHA512
a79bc5d5573a6dc9cff107d53cbb1b606c0fd1cb8863c0eea50be8a18e3760c48424d5ee9c72bcd89cfd145c976bab20fdee049314816bc5907f7448a2fadda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
4749f2b154dd72ad825ebf3dc29978e1

SHA1
db9cc63e2031b40afbaedbaaf1e600f661fcea5d

SHA256
e3ca975903bebe7050c998322b495fe0d6ae325fc2a5f066c7e894fb3b213ac9

SHA512
29d239c462d6d1d10c93d8d9e44b9e873159bf05463fd6188fe8829f72ebead22f27517d0cd26f724e11d6bee3a218bbdfd750aadc214854f4ede355af3dac74

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
cbdaf22598b8faabb038f071617f360f

SHA1
03b1bca8ef0fbe85b775ba7cea0259b5f1349aac

SHA256
847cc832f859987d81339ea05018ecfd56940068e6e19338e793b2b4f2859d50

SHA512
ed334eb809d337a3d85e09d13e146cfdb378551207ce7346d925c1cef4d03036c0948e3743ae49cae16f84dbae46d3a08bf7e54526f03ae60478b538fe7dd67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
84952e967cfec405dea26f5669b3c93f

SHA1
5979e9ff5b523f3cad97bd177e5562e226f7505b

SHA256
93e8254c32f6bcabc68c73d1fbeaf2e2388aa1dfa20b70934f4699c0a10d08cc

SHA512
d599e660efb4c3e71ec33695070aa140ace1301ad30a9f16942917008b6ca1abeb45b44f0b1c5940f84f17947997bec752dc8e246a760df0c827616dc1b138c0

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/828-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/828-196-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/828-218-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/828-262-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/828-300-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/828-215-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/828-337-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/828-222-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/828-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/828-393-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/828-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/828-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/828-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/828-441-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/828-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4564-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads