0a8ef668c8632c9a17ae4f9b412f918959b792d0b85ea218555c3ec959002571

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2024, 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd3ea0cc3893435e0f9f8c540ecbdd06.exe
Size

28KB
MD5

cd3ea0cc3893435e0f9f8c540ecbdd06
SHA1

2ea28b33b89d3f82c2f47f0b314163322cb95d51
SHA256

0a8ef668c8632c9a17ae4f9b412f918959b792d0b85ea218555c3ec959002571
SHA512

5177d68a8cd0d0c4f8db0911e32688aab4510192e232b4810a4844700e788946a6fdd4b21a7d3a682f0d98f3d90b26a0dc339f568d6ffd1cb1b4f44fef0b6985
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyN2IaoTL:Dv8IRRdsxq1DjJcqfXoL

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2220	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1856-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x00070000000231f8-4.dat	upx
behavioral2/memory/2220-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1856-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2220-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2220-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2220-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2220-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2220-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2220-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1856-37-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2220-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0003000000021f82-54.dat	upx
behavioral2/memory/1856-84-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2220-85-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1856-154-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2220-155-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1856-177-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2220-178-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2220-182-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1856-186-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2220-187-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1856-222-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2220-223-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1856-261-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2220-262-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	cd3ea0cc3893435e0f9f8c540ecbdd06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	cd3ea0cc3893435e0f9f8c540ecbdd06.exe
File opened for modification	C:\Windows\java.exe	cd3ea0cc3893435e0f9f8c540ecbdd06.exe
File created	C:\Windows\java.exe	cd3ea0cc3893435e0f9f8c540ecbdd06.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2220	1856	cd3ea0cc3893435e0f9f8c540ecbdd06.exe	85
PID 1856 wrote to memory of 2220	1856	cd3ea0cc3893435e0f9f8c540ecbdd06.exe	85
PID 1856 wrote to memory of 2220	1856	cd3ea0cc3893435e0f9f8c540ecbdd06.exe	85

C:\Users\Admin\AppData\Local\Temp\cd3ea0cc3893435e0f9f8c540ecbdd06.exe
"C:\Users\Admin\AppData\Local\Temp\cd3ea0cc3893435e0f9f8c540ecbdd06.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SB302YPZ\default[1].htm

Filesize
313B

MD5
0d0d1376df3380570c4bb9c520ab38de

SHA1
76971247133bf210a0c5047584be0dcd0066de28

SHA256
40a902c8739b322ee6619ebe215761bc432b3743f0bfc497522e581391fd506c

SHA512
7b492a86e2a1209f8963c614df12a07c889ca33eddcbcd92d59258da249bcbc89d1d352e20f7772022fea597ed23a52b062d4ac6d3ec77c7c01433aed3551c7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SB302YPZ\default[3].htm

Filesize
302B

MD5
769768a36c7e2fcb2db7f35ef986ce82

SHA1
0b6699476462d2139e553f0f78ff46890d37d336

SHA256
f262291ff7be8b0e2e846525c772c214799fc26b244abad6a686c7c4ff8cbba2

SHA512
2fa0310627270dac3f4e581bef0036743eed32403f913c833aeafdf7fac373ccfb0117cabd94725dfee672345ca3f46182377340e15e2fba38a874946683ee67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UG0DPB4T\default[2].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UG0DPB4T\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W8BIYKF7\default[4].htm

Filesize
313B

MD5
ffb72ab4faba49ad441ce07db37dd8b6

SHA1
194e13c1c32ebb6e7a1dc912261cbd58a82ff71e

SHA256
7bd7c3676e98ddde8e0d5b63dd22cb9379d975bcd1d68884c97565cdd8d03660

SHA512
517be20d2442489ce39b48dc7f9f6f13f8c45d02703fb1865071f553d36b2289f5abc26c6089fc0bfad1a41fe318bf4b5a806915c5e45898ac744b7e4ed30257

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7EB4.tmp

Filesize
28KB

MD5
01876f6bc3d330ca909667ed8e9f73f8

SHA1
8424603e19532ce753ff7c444c9b9164776a7162

SHA256
ef1d2d8d30b5bc3b5c4e596971e2c448c44c652ce55e74c7ddc5d247988f4c23

SHA512
60a51cc9e6c483ef652eaec2c268e8023c49a251126e3c6e51b7e7e7119a31a7d7d0b3cf34c45012212882f3512cad1c5d92e4c9d18a482d1ed25f8199d5472e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
666404a80c5d0fbc3931c0f1a1a0c160

SHA1
8f1b06007e4afe0d3312d98b8a44055d7b503a56

SHA256
268c8b9a1a4d13b5745343712d4dd65a371804f56055d2b3a28fea6ed82985dc

SHA512
12fc0f62a532b020544f1a2f010790375eae3bb95d369a2e850270574045a6e13efc592d0753868ae2c2c640722ad2abab9a86577cdabd49eb73cf087595adf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
e0621db77bcdc504d5a1ce29626049d7

SHA1
88b951b12bd73cc2f1ffde83f6b45ed1a1c3b822

SHA256
8c7a71937b5c1c728257ffdffe197d6846c2c7c9f2e1d3ab3dcccb2a2d4fdabf

SHA512
a7741eb41cf73eb28cff6888a67204403480da3aba76db8cc72f04c8a26c21b2d47642aa795872bccb4f94e6ef4a8082e4d87a17170c8f21ef2ff0e49c0ea6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
6b6eeba40aa7bd6174b9b2d3189b4974

SHA1
fafdfe1d58e690a237fe43075bc3fa9fc4319940

SHA256
bdea3d18e99cc5bd1cb15dd6e9fca3b3ad88cecc7e4cb24b99e84cb99d764212

SHA512
2f2f8f72dfec0f752f68514b63e89f84125884f97705c58f9a0838847966b1d7bc0902b94bd6aa76fed3921e9910a14bd4f07fac927d151a283c6409b159266f

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1856-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1856-37-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1856-222-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1856-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1856-84-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1856-186-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1856-261-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1856-154-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1856-177-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2220-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2220-155-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2220-178-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2220-182-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2220-85-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2220-187-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2220-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2220-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2220-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2220-223-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2220-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2220-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2220-262-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2220-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2220-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads