8fabcd806eca779d92463b01fe732611d4e41627e1ae37b7a4d52ab0d5e98a91

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fabcd806eca779d92463b01fe732611d4e41627e1ae37b7a4d52ab0d5e98a91.exe
Size

40KB
MD5

d7e03d393178399ba82b3947788786ee
SHA1

5b41ea540ce2b2c0d06d67ea1020ac42c13dbe42
SHA256

8fabcd806eca779d92463b01fe732611d4e41627e1ae37b7a4d52ab0d5e98a91
SHA512

d211ce2e4424dac2d3c2500b878c283c818534048d9fb19d66e092df33398f244a91eedc47f366b6b81f2944aff24a29a53892b7bd7f7da6a129f78cd1fcf3f0
SSDEEP

768:Gq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtH97+9Z:Gqk/Zdic/qjh8w19JDHa

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2772	services.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e0000000122bd-7.dat	upx
behavioral1/memory/2444-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/memory/2772-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2772-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2772-23-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2772-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2772-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2772-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2772-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2772-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2772-41-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2772-58-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2772-59-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2772-63-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2772-67-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2772-68-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2772-72-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	8fabcd806eca779d92463b01fe732611d4e41627e1ae37b7a4d52ab0d5e98a91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	8fabcd806eca779d92463b01fe732611d4e41627e1ae37b7a4d52ab0d5e98a91.exe
File opened for modification	C:\Windows\java.exe	8fabcd806eca779d92463b01fe732611d4e41627e1ae37b7a4d52ab0d5e98a91.exe
File created	C:\Windows\java.exe	8fabcd806eca779d92463b01fe732611d4e41627e1ae37b7a4d52ab0d5e98a91.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2772	2444	8fabcd806eca779d92463b01fe732611d4e41627e1ae37b7a4d52ab0d5e98a91.exe	28
PID 2444 wrote to memory of 2772	2444	8fabcd806eca779d92463b01fe732611d4e41627e1ae37b7a4d52ab0d5e98a91.exe	28
PID 2444 wrote to memory of 2772	2444	8fabcd806eca779d92463b01fe732611d4e41627e1ae37b7a4d52ab0d5e98a91.exe	28
PID 2444 wrote to memory of 2772	2444	8fabcd806eca779d92463b01fe732611d4e41627e1ae37b7a4d52ab0d5e98a91.exe	28

C:\Users\Admin\AppData\Local\Temp\8fabcd806eca779d92463b01fe732611d4e41627e1ae37b7a4d52ab0d5e98a91.exe
"C:\Users\Admin\AppData\Local\Temp\8fabcd806eca779d92463b01fe732611d4e41627e1ae37b7a4d52ab0d5e98a91.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a5384e18333635c22c6db302596f3dd

SHA1
044bfcee92b0df790e0bf9db6c75f969e2b4f526

SHA256
6f020874cd45e8ff85407e14091259456bbf1f3c556833bdfeb9df4cbcd6d11e

SHA512
fe17a42c26b4043f0272214e9dc3dc25873a3b61d72844353712e5d60fdc0351999e400c077227489131494876766c5f25b3fe54b850fc24f11f7539854a16b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
32f11810ab79ae0b1b4ed04f36b16288

SHA1
777bc61857665e3b845caf5f23468e636947dc89

SHA256
d894640662867e823f0b49ac2ab0e28ef032ca8ff31c87bcacf2aaff028d0c4f

SHA512
7349b80fd478dd230765adbbb85ff8dc103f83c4b3206f6d3fdad633852d9060d0b335ef0daf122f152077dcc8fde860122450803018fd7f9002bea7f813de25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce67e9307c5612a4e6f8813b4f1d8232

SHA1
d5d6130191cd6e1f8ba116168439869253a77c0c

SHA256
6a9b9c8c29f8210a0e7b600fe24652276161def7006fde45812a6407b9e1169b

SHA512
6e54d8e5f9730c72770bb9879ba6c93e62f49d7d2264181f51df425d4ca97ddb82ea6e1e6655b45c2d070b0edf727fb8326a1ddded0ffaafc6f1a6d32f327a01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65a13855b7893383f91e018a5f19b38c

SHA1
5adc59282006d34d5ecbd7cef71a0f8cdc0b2f22

SHA256
08d53f9a5f33305ebffc247bfe4e04a66550d7ee4458ed3a3cc9292708ac473e

SHA512
e320a60f6657d6699f63a2b2cfc3aca47b18e99c1ae50483aa8d21eaa98c5234e59b1a8f10018faac6adb2d82a49d98f53ae9f14af61cd8c20a47e205cb31ab3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cac5349d279e7192c0926ada82e35664

SHA1
8f7a40b9063b5c32db74fc3d6a05d425df93cbe8

SHA256
fdd05e169a685ff5611495febf316c1f002f6996dcf1309c3f2e3fbbc7b8fea6

SHA512
580c136ef358fe26a77196b8e41f6bf4c9a735186fae6b06ca10489716db87e02f68af84acb39d31cbe4a63f7f4337b6d26c728477a9ef46920310159b9adaee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7fa3506172314f67ca4b9c201102ea6

SHA1
58e8bb7aa9840c31e6cbe2359540ca8923e269ce

SHA256
c4121ba767e05ba5ffe1198a3826dd5d47e111d1b9875469744c8f5d8c652aa8

SHA512
9661d88e73e47b70118f12c59496c9c0520ce3be16b9352882512bffdaf453d965d6d9f59403d6da803807ea17197b57fbb646f36a8bc4ca08b9a94333682e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8243.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8256.tmp

Filesize
127KB

MD5
1599db6cacf3a382827dfeb71cff9b52

SHA1
6cab87baab3b68c5f80a0fe20830eab2da20c9ec

SHA256
c7ba3ccabd8e5577aeb20805f09d4adddc2758092db8bc389f78af5ea9eee920

SHA512
647a453850382399c928b1b8ee752245dd97099242144626ca5ab5c20fe5e5285cf2f10e8a827d2506d230d6243a55dbc957a2c4190856d2c3f91457098adb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp80A7.tmp

Filesize
40KB

MD5
43ff2d03d757dee8a0afa13f94db3264

SHA1
3e5ae41522025770804b4faeabae4630650cfaad

SHA256
be503835a54b0e3e070cbe6262744bf0b06f81bbcf9acdadd25d5c86c0bfbbf5

SHA512
20638eb3f37fbc0d3de2ef58323f48ac77b1ad3e6c24c118b242b98a2768ba70c3bbaf7dc6ecd2832b35b03a77b119eb40d4e3c34bb2ecee6e23e7970441a59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
0d72c7e6310cda46adbf673663a80bc2

SHA1
c80d210da0f17bd0fc6785cfc41db316ce4e74e0

SHA256
51875fe7fe0aaf7afdf21c235b78bca36f281a81ad7ef3bd3eb295193a3957d6

SHA512
9f9f498a015308f9c450ee4f5c60af8a849f2bd1c980b9c8c0aa3c57db7ef3912f7a99e0004572ed0b2eda4509f64c911cd36ca75c62199d275d2032e87602c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
4e5b31c3a7117c9ebe6e6e7f3b7d0599

SHA1
ffa9310a4d4e667d348631bc7a73f1b05cc9cc0c

SHA256
53d2d1f137b457750649317580e8baf1a5bc650e7dcf84f18651a82f02f1754a

SHA512
4de83dc60f1e5de7901f2caf7a78e91e4d456d48463462e78a555c8ee01859c182b3f2ce422630e8fb8ca57f20f0c80f2799f3e0253f2a440235f59ada4a6611

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2444-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/2444-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2444-9-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2444-21-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2444-22-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2772-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-67-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-59-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-41-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads