a7d2c56c24e6fb9f8c936bb9aed413882c753b20459e72618793267202610875

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b1b2ee17572e478f6c9b1d40824ad08.exe
Size

40KB
MD5

8b1b2ee17572e478f6c9b1d40824ad08
SHA1

1d555a547bbbe45d3bece8af4a2580941d650c43
SHA256

a7d2c56c24e6fb9f8c936bb9aed413882c753b20459e72618793267202610875
SHA512

303a9471fc115022aa1a61ef43c6d7bcfbede9b03d788e41c278c343120a11b1dad8109ad330d6088a04584b01849d74886009eb7f9e8dfc1e3b498d2a88f793
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHkjU:aqk/Zdic/qjh8w19JDHKU

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4644	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000231ef-4.dat	upx
behavioral2/memory/4644-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4644-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4644-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4644-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4644-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4644-237-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4644-240-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4644-241-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4644-245-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4644-270-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4644-271-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4644-303-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4644-353-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4644-406-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4644-450-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	8b1b2ee17572e478f6c9b1d40824ad08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	8b1b2ee17572e478f6c9b1d40824ad08.exe
File opened for modification	C:\Windows\java.exe	8b1b2ee17572e478f6c9b1d40824ad08.exe
File created	C:\Windows\java.exe	8b1b2ee17572e478f6c9b1d40824ad08.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 4644	4036	8b1b2ee17572e478f6c9b1d40824ad08.exe	85
PID 4036 wrote to memory of 4644	4036	8b1b2ee17572e478f6c9b1d40824ad08.exe	85
PID 4036 wrote to memory of 4644	4036	8b1b2ee17572e478f6c9b1d40824ad08.exe	85

C:\Users\Admin\AppData\Local\Temp\8b1b2ee17572e478f6c9b1d40824ad08.exe
"C:\Users\Admin\AppData\Local\Temp\8b1b2ee17572e478f6c9b1d40824ad08.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7V1N9ZS9\default[5].htm

Filesize
310B

MD5
2a8026547dafd0504845f41881ed3ab4

SHA1
bedb776ce5eb9d61e602562a926d0fe182d499db

SHA256
231fe7c979332b82ceccc3b3c0c2446bc2c3cab5c46fb7687c4bb579a8bba7ce

SHA512
1f6fa43fc0cf5cbdb22649a156f36914b2479a93d220bf0e23a32c086da46dd37e8f3a789e7a405abef0782e7b3151087d253c63c6cefcad10fd47c699fbcf97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8D1Z5HG5\default[4].htm

Filesize
315B

MD5
14b82aec966e8e370a28053db081f4e9

SHA1
a0f30ebbdb4c69947d3bd41fa63ec4929dddd649

SHA256
202eada95ef503b303a05caf5a666f538236c7e697f5301fd178d994fa6e24cf

SHA512
ec04f1d86137dc4d75a47ba47bb2f2c912115372fa000cf986d13a04121aae9974011aa716c7da3893114e0d5d0e2fb680a6c2fd40a1f93f0e0bfd6fd625dfa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8D1Z5HG5\search[1].htm

Filesize
210KB

MD5
589cf3496075ef624ec6f91f5b872860

SHA1
818c5a31a3d8b3edb2657d0806a7ca03518047e0

SHA256
29ab195db2b99623c2e35f4e4be92107c54cef83429f7a244f4d94131e3ba7d0

SHA512
ff9d4f7f506394d4afed6909904c49588ebf564fe8b01985e4b1998d5ac812c6fdfbf439201f4f5001c515eee6477cd8b282f9fb6b2c9b0146955f3f964b38e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8D1Z5HG5\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GG17NQDF\default[1].htm

Filesize
304B

MD5
cde2c6ec81201bdd39579745c69d502f

SHA1
e025748a7d4361b2803140ed0f0abda1797f5388

SHA256
a81000fc443c3c99e0e653cca135e16747e63bccebd5052ed64d7ae6f63f227f

SHA512
de5ca6169b2bb42a452ebd2f92c23bad3a98c01845a875336d6affe7f0192c2782b1f66f149019c0b880410c836fc45b2e9157dcccc7ad0d9e5953521a2151d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GG17NQDF\default[2].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UCK1SA0Q\FYYGPBB2.htm

Filesize
156KB

MD5
e1c3bf068bc225329c186873f55bcc4c

SHA1
7126ef13b80095621627355148600297e9546d03

SHA256
6f4ff4b0b2d7bb163009a2351b57751df5aa171001062fc313d6337872ce8e62

SHA512
8288dbaae4e20cc698252cde78a3d4939d88075b8e215a9a1f6d07d7f8fb760db2bd7a0027ab99b3b5f722a9a33ae4d58a0ae434a9cd353e7151a532cfa60f96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UCK1SA0Q\search[2].htm

Filesize
170KB

MD5
1eb006c97a90107dbf7db89aa2a367e1

SHA1
a2615dbb88a65acf7decd3a6527bb02186e65f27

SHA256
ae0d5da9a399a9c29d721f914f46b6a56a3efbb9c9aeb75342822a4a4a12680d

SHA512
a0d0df7e7d81f5608df310a0e61c484525ad4e5461ab8bd2a8bbaa378a494bf526bc510bd7363f7fdf2bd054d4d79a217074523ca06baeeaea049e914935e272

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFB77.tmp

Filesize
40KB

MD5
32a9ef29ae9b31ef416e70c35c419d48

SHA1
2c7ba7e9d7d580c98e653a2a098a9c6ff1ca926b

SHA256
a5a5fea92b503aff4d6dd3d015753069982a106e6d613fd4921de5696f8964ef

SHA512
335b89284e6b5babf8f9ed1abba812c5c1b320789e03b6e226cb96fb7633fe42f16dc2c862d6a16839376133b85f8738883d7760506525bec2a38ea006626597

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
f59dd9135f0d30837c0c0ed75d20baff

SHA1
a6107a781aff59f8ad96f2ce65dcbb4b8c03a7b7

SHA256
c9c1101fa36f731d7e80b2f9346c55e6ec788b62884910d5631fe21c1ab7e8c7

SHA512
4ac10fb5a4327efd33f2a7ce4ee84c34f53ab2fb25d8925ff13bbf219889d9eca5b2db778a20e495d7936afc64edf97ab037c525505182cb861d30c936f6bdcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
56d62cb190c8f848519098056dda51ff

SHA1
74ab8737cbccedea17201ad634a3c959360e4a37

SHA256
d93f1e0e62dc5b6b6a26774912d31f86ed6d8ea8a8ab5a9210c8b72350dc1b13

SHA512
758b077fb2b23ba92419e63fc8d8d5f0a6c466e255066f2533bb92ef7fcd5e1265a68e377c113fc441205a3a37b9b1f03ebebdd008cd5e876d86bee57d933719

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
f2910e6d9625dfe6e89ca451e9bd86f1

SHA1
ec12439be5a4c9bfc7cb1f1ec702f11ca0b378eb

SHA256
8c4a7be0b0e625df8e0fdf372449149a14973660aea719f3eb61614556852667

SHA512
c345072734e9ba0dd85d86e3e8d0560df4ad0193301c925ad96de27ce70f4e2f1e7e941ab0a186295de6b69e299d38f2a0064c53105a621378eb621b6ac278e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
24d0758838d7a001a57102d6f1d27c12

SHA1
9d0bf10165d8309f3f28a6585430ebf5fdac43ec

SHA256
dda151e8cb4c3b1cde192da756c2209710f0fb93a74ed82a07ab2ee9a8271236

SHA512
57d5dab7149603a26f835a14e495bf086a18c998d8562ca82282a745065e8ed8154f0aa8eb0f27a10edbaf638eee1062e04db690cf73cea6e714b46a6f163a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
66dc91e4c8bbef677744d38a9f728e03

SHA1
c67ef9ea43ff75dba97e8b239a2a12d23d248753

SHA256
a315251d346bc5f263014dcafd57aecb0f7e09ae532366e793e9e76e67335c82

SHA512
b93435c5f5bb1d0afcb3298cbf007aece5df4eaf78f8a87ad525e7e3ed17f61458771a890826bc8de7547403e5f386f95ef4f6d4f3bc24b681d6b1c86bd250f7

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/4036-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/4644-241-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4644-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4644-271-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4644-245-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4644-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4644-303-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4644-353-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4644-270-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4644-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4644-406-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4644-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4644-240-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4644-450-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4644-237-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4644-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads