f764842bb49ec5599ef49b615755d6db55d493ade21ca7f899f85903739e0679

Analysis

max time kernel
163s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be44abb45d42b707a00823556dc1812b.exe
Size

40KB
MD5

be44abb45d42b707a00823556dc1812b
SHA1

b493753692e5ca8534f36f52817d7df5a445e5a2
SHA256

f764842bb49ec5599ef49b615755d6db55d493ade21ca7f899f85903739e0679
SHA512

277a1e19d10f0b719c77f95e9d5689560fc6a9af8eaac4b37edb2911e7ee8ecd554c390ea07bf769250751967f56d1fcb93317dac98b9c74a1c90082055080da
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHwB:aqk/Zdic/qjh8w19JDHg

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3648	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000231ef-4.dat	upx
behavioral2/memory/3648-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3648-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3648-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3648-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3648-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3648-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3648-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3648-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3648-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3648-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3648-128-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3648-257-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3648-330-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3648-344-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3648-370-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	be44abb45d42b707a00823556dc1812b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	be44abb45d42b707a00823556dc1812b.exe
File opened for modification	C:\Windows\java.exe	be44abb45d42b707a00823556dc1812b.exe
File created	C:\Windows\java.exe	be44abb45d42b707a00823556dc1812b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 3648	2044	be44abb45d42b707a00823556dc1812b.exe	89
PID 2044 wrote to memory of 3648	2044	be44abb45d42b707a00823556dc1812b.exe	89
PID 2044 wrote to memory of 3648	2044	be44abb45d42b707a00823556dc1812b.exe	89

C:\Users\Admin\AppData\Local\Temp\be44abb45d42b707a00823556dc1812b.exe
"C:\Users\Admin\AppData\Local\Temp\be44abb45d42b707a00823556dc1812b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C52098XD\7G2L7EPW.htm

Filesize
147KB

MD5
67d652d7ed00de87e745036cee0df552

SHA1
ea13611c9df37598819b87092fbf84033d333f56

SHA256
b318536ceeac1323113cb32016dff5d6cb8f3ad92a409d7fa0b2ea6544ae3e68

SHA512
c42319f4b09875aacf7da5b46b3e2375c0fb1f535d4921cbc88af7ca3c354967cad40281864e7cc8b63c3f44eff4ba99b97072c9f7b39fa033cd398dfc195a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C52098XD\default[3].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C52098XD\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MF25FY4A\results[2].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MF25FY4A\search[4].htm

Filesize
127KB

MD5
51f57c2724cd13256a587dbd62726f60

SHA1
b0eae39e4f68ceae8f908678b7e53d7da491f66e

SHA256
1f2e62f56e1619063567d928e0b01127393f65189b22c3667998aa478b876ae8

SHA512
8e32d012c7578f086555ccb41c79a6ffcc3d1c41deeaed76d5cd51626f98063d10cb07996f9ff7fee4328d264de4f067295ebff312e39a68bcf3f2a921a57556

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OCSF5S5B\default[1].htm

Filesize
312B

MD5
5431b34b55fc2e8dfe8e2e977e26e6b5

SHA1
87cf8feeb854e523871271b6f5634576de3e7c40

SHA256
3d7c76daab98368a0dd25cd184db039cdd5d1bc9bd6e9bb91b289119047f5432

SHA512
6f309dd924ba012486bcf0e3bafe64899007893ea9863b6f4e5428384ad23d9942c74d17c42a5cf9922a0e0fd8d61c287a2288a945a775586125d53376b9325c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OCSF5S5B\results[4].htm

Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OCSF5S5B\search[1].htm

Filesize
138KB

MD5
9afef510c0fdb06a5a345923d274cf1f

SHA1
ae62cbd115f8a80997710c08518ea9a5a65b7da5

SHA256
40ca849f1c85cacab41730f0309d3e99dc72a78e9c60c5c3e380be4c40a50a4a

SHA512
42382ca883f3fbe88cc908c42dfac1a728b7a1451866e0412c801093ee5e35ac90dff2e2b048e3324e2d80ef356a03ec08313982a0c5a493254dae25e5c42c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp680A.tmp

Filesize
40KB

MD5
e1997445a7bd11f2562d386a41d95314

SHA1
e2080aad369fc79a48ecc9a62e17bd8671cb0309

SHA256
e02e7014b3f2133359e850bf0bb791b331af161606bac5d233bbbd95b7122588

SHA512
41cbfc724f922e053ce72a113f7449b4a6be67e8ba804e7ac1053cd90da3ee2281c22b0ab174e78a4317106613ab73771b96a81b9838bb7bebdbf11c07477ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
9a965b4e0c4d939f48de61220d29144f

SHA1
3350f42bb562de527692cfefe9597f9c2fd5cb02

SHA256
28626601d606248143927d1eb98cb156d5cd0e427455e21f1fc8b7a38e8c88d0

SHA512
12070dc58ac91cfed99a3fead9aed112ff3501e7d62fd69b2b8788c9c7492351c1fa51f1b0bee91fe9c40a99ecada9cd7459598da8556ce295a251bc22864747

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
2ac2dd00b32af7572f1be3d4b66f17ec

SHA1
346bedac48f776293938dbe99aa96080c65ef1e2

SHA256
3a329b4084c8960e4c386df222e287b3f5fd620cd6054c32e482c802d49513db

SHA512
96b6daa1c53f176e9853df4d6d0310dc1b8b458253c4bf43a791e5f3892b7ba110a20f1b23c3f12a15de86c1c9f2ab283e267010bba174850b62c74036d5cafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
48a6d76f41fe647df2825bb87fbc90d7

SHA1
13c4857b9d82804046c335d8c94677e4e4d3fbc4

SHA256
ff491ae10ac2c4a069d58ea16c4bb196753364f4aac7748c59af2d3dbbc4397d

SHA512
519cbfca4642c402a7e61aa54dde750676b391fd2fdda42b2b74b4e2a9cfc636f36232f9a62a75441ce93b15a43e45883c052921905e1b6ede6e2a1254b3efe6

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2044-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/3648-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3648-128-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3648-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3648-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3648-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3648-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3648-257-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3648-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3648-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3648-330-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3648-344-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3648-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3648-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3648-370-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3648-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads