7e67a314e74fd76d160419afa7cdebc6f052c29aa665ea626471bfbe0f0bcd22

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e67a314e74fd76d160419afa7cdebc6f052c29aa665ea626471bfbe0f0bcd22.exe
Size

29KB
MD5

be2fc765a6b42a4266cc9844123e2a0d
SHA1

dbe3e5f50b54e7c33ed6fbf986282d2d95f2cd41
SHA256

7e67a314e74fd76d160419afa7cdebc6f052c29aa665ea626471bfbe0f0bcd22
SHA512

7873f8530f95de9ce2e8e4ade2e9050b3a137fc72a35d1523f0d49de5eda56d01543386c7b468598dc18ea5f2134acd1ca170f498fc33a9ac6f2928081800d98
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/q:AEwVs+0jNDY1qi/qS

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

4600 services.exe

pid	process
4600	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/64-1-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/4600-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/64-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4600-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4600-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4600-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4600-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4600-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4600-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4600-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4600-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4600-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/64-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4600-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/64-54-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4600-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpE423.tmp	upx
behavioral2/memory/64-239-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4600-240-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/64-339-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4600-340-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4600-344-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7e67a314e74fd76d160419afa7cdebc6f052c29aa665ea626471bfbe0f0bcd22.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	7e67a314e74fd76d160419afa7cdebc6f052c29aa665ea626471bfbe0f0bcd22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

7e67a314e74fd76d160419afa7cdebc6f052c29aa665ea626471bfbe0f0bcd22.exe

description	ioc	process
File created	C:\Windows\services.exe	7e67a314e74fd76d160419afa7cdebc6f052c29aa665ea626471bfbe0f0bcd22.exe
File opened for modification	C:\Windows\java.exe	7e67a314e74fd76d160419afa7cdebc6f052c29aa665ea626471bfbe0f0bcd22.exe
File created	C:\Windows\java.exe	7e67a314e74fd76d160419afa7cdebc6f052c29aa665ea626471bfbe0f0bcd22.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7e67a314e74fd76d160419afa7cdebc6f052c29aa665ea626471bfbe0f0bcd22.exe

description	pid	process	target process
PID 64 wrote to memory of 4600	64	7e67a314e74fd76d160419afa7cdebc6f052c29aa665ea626471bfbe0f0bcd22.exe	services.exe
PID 64 wrote to memory of 4600	64	7e67a314e74fd76d160419afa7cdebc6f052c29aa665ea626471bfbe0f0bcd22.exe	services.exe
PID 64 wrote to memory of 4600	64	7e67a314e74fd76d160419afa7cdebc6f052c29aa665ea626471bfbe0f0bcd22.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\7e67a314e74fd76d160419afa7cdebc6f052c29aa665ea626471bfbe0f0bcd22.exe
"C:\Users\Admin\AppData\Local\Temp\7e67a314e74fd76d160419afa7cdebc6f052c29aa665ea626471bfbe0f0bcd22.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2PB2KMGY\N0K4EF0N.htm
Filesize
176KB

MD5
b1935e3e7350451d7600d9e790c521d4

SHA1
5a42b7bc51edcfbc6a0e36baf9521551956c1a56

SHA256
d05b9919bbc002bee9405a9dd2f1a329b86e0b9d5d93f0fc917caf58f25c4d3b

SHA512
8adda347fb5a1d2a1caa20a70fe7effdff40e0185f5e8371b9a9b2fafbe49f2a16a0a7ed9b38440be150a9e526068ce6f44f5ac6ac112fa2e83684ebde8e42c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2PB2KMGY\search[8].htm
Filesize
131KB

MD5
8bb220381fb2510d37791bb6a22a8b6f

SHA1
bb067faca1a788d6dbd902d6892c08e400676e4a

SHA256
aa7df577a49a3e6f0c43f0e4f95ebb9a029e11fe30b27220de1927b02001d177

SHA512
145df510b60bdead4a3d879b99f6ed6f5acc894d60496605a3ac6ed18ae88a092f87b9143046673e7fb548ba07b8356f3ab79299b71a1486d2bd14d5f90aa3ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6DEZ09S4\search[2].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6DEZ09S4\search[8].htm
Filesize
105KB

MD5
f2e18d415b5f0ad75f72893e63d01494

SHA1
c9fe2e7967b6a85b7fac8f587c2d1f08f0ad87ef

SHA256
017cfcccfb3b5edaddd90bbbf14016f529ae07afcdc37fb819684d3aca489773

SHA512
fdb3573d7806859b7ec2b1915102209c52c8fc1b69b7efa230a75a4694cc52e5d74d4b1aea974255a09af7d72842c28d6c1067693a696371ffbd7d132c0d1d97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GO42234Z\searchD40IOB5B.htm
Filesize
112KB

MD5
3e819598945e178c1f0ccf95c39495e3

SHA1
a1e6a5c49cdde1d4cba7b29c452485f3649ef8d1

SHA256
e25aaaacbbfa9b01d7bf12dd310a78c4eb375cfd1f065f00289e05cc34d1391e

SHA512
b6068075f14890795ecec318d6fc95e9376168d9eefceba2a3c412f9c8120bb897f2a8e9d5f172980c34bb969b1cdbe672e69aff6b6c633285f5dccedb2bf50d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GO42234Z\search[3].htm
Filesize
134KB

MD5
dc6f0bdb41b12a31535d98c58cd0497f

SHA1
6c2a6f8a81fb2728628aec3bd1b9f389242e8e9c

SHA256
c1fa3af0ff0a9ed79f6d6d95c7c8fbf438187447cae8d8d5971e9c9612a519cc

SHA512
c3e423a46019c46891f371028a99f01ea1ebd4bc105433cb33fe688c30165ddcee284bddbf6b9cb6d6bbc022576e61fea9f575a9afd453fd3dde80ee791ab25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K7TNQP8W\results[3].htm
Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE423.tmp
Filesize
29KB

MD5
07236a8c2e7ea8aa552ec5fdffd93085

SHA1
b7ef0ebaaa4544a64caa7554c392450333118720

SHA256
c1f29a8a6a46537a02313e768153b4f4694da1c9512ad63402c5822c1ad9b54e

SHA512
191cfb4a8509e388f2ab808255cead0ca5cac7457ab43c598d23526925e89e81f12328f49f95df5a5f700e2df9871e17706ed68b01365eb5039b7f126f4f134e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnxxqi.log
Filesize
288B

MD5
f358191685525ac0de16038c890a1c93

SHA1
747347663e5740ffa4cbdbcfcf4f0451cbf7e12d

SHA256
882a30c61a1b5f3f42ffc6a8f5859d1d581698651442f0ca4c1136999062b33c

SHA512
dedd2769be86fadba8ebf4af360a4b0c1ddba130c0da332dc918f61875a0d034468c2d549fda644889f9b6157af4aec4fe232e52bc9ddf6b68cdf2605ce9e144

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
320B

MD5
c48307a892f6fa0e15126cbd5a2a13a2

SHA1
8d2af8e86222c2e34b10beb56365e36293993234

SHA256
7856376af8cfc0320a6b65a6c667dc6decf9a7e23c1233c32b801cf5482d748e

SHA512
946b7a628ca533886497d89712006b5a0d00baf7dc97b7de3b0a90abd398dce541c183c154802127bdfd7086a000790b40058a5814ecf625619e27344f5d14e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
320B

MD5
8b4ddcd190cb2f3cd8ad55d015324b3e

SHA1
41307697f756665b52027a02fddf1e2c51c8cfbd

SHA256
95d6c7c7ba13e315e0a449fde59d543e1f57bf893c0ea9df2480917a923ec5c7

SHA512
171d2dcb7e205a2415f25f0f2aee16655fca41e7cc07d47c2d6d3c08b1d47d65252285812a74814803280ccbf93dbdad4fd15cb5d6e9fe5494b59513afa67d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/64-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/64-239-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/64-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/64-1-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/64-54-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/64-339-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4600-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4600-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4600-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4600-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4600-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4600-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4600-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4600-240-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4600-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4600-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4600-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4600-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4600-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4600-340-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4600-344-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download