81323cd19e78a537ceb7480a33de10e376d50768edbdab2f2a838045445ea1d4

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81323cd19e78a537ceb7480a33de10e376d50768edbdab2f2a838045445ea1d4.exe
Size

29KB
MD5

18cacc04775d10233db3859e10fd93b9
SHA1

0db90bcd7d1f5e6439c31d61e36fbec26f4a5935
SHA256

81323cd19e78a537ceb7480a33de10e376d50768edbdab2f2a838045445ea1d4
SHA512

67216abbce67242e255d7c06535950fd6d5ef8919cd8d180c51b5fd26f1da90ce6a81f48b401d21993b0b636049b6c53a78f7a75900b69a0c673bf6c78087008
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/4:AEwVs+0jNDY1qi/qg

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

2368 services.exe

pid	process
2368	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2476-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/2368-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2476-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2368-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2368-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2368-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2368-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2368-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2368-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2368-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2368-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2368-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2368-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2476-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmp1F59.tmp	upx
behavioral2/memory/2476-79-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2368-80-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2476-261-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2368-262-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2476-263-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2368-264-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2368-269-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

81323cd19e78a537ceb7480a33de10e376d50768edbdab2f2a838045445ea1d4.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	81323cd19e78a537ceb7480a33de10e376d50768edbdab2f2a838045445ea1d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

81323cd19e78a537ceb7480a33de10e376d50768edbdab2f2a838045445ea1d4.exe

description	ioc	process
File opened for modification	C:\Windows\java.exe	81323cd19e78a537ceb7480a33de10e376d50768edbdab2f2a838045445ea1d4.exe
File created	C:\Windows\java.exe	81323cd19e78a537ceb7480a33de10e376d50768edbdab2f2a838045445ea1d4.exe
File created	C:\Windows\services.exe	81323cd19e78a537ceb7480a33de10e376d50768edbdab2f2a838045445ea1d4.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

81323cd19e78a537ceb7480a33de10e376d50768edbdab2f2a838045445ea1d4.exe

description	pid	process	target process
PID 2476 wrote to memory of 2368	2476	81323cd19e78a537ceb7480a33de10e376d50768edbdab2f2a838045445ea1d4.exe	services.exe
PID 2476 wrote to memory of 2368	2476	81323cd19e78a537ceb7480a33de10e376d50768edbdab2f2a838045445ea1d4.exe	services.exe
PID 2476 wrote to memory of 2368	2476	81323cd19e78a537ceb7480a33de10e376d50768edbdab2f2a838045445ea1d4.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\81323cd19e78a537ceb7480a33de10e376d50768edbdab2f2a838045445ea1d4.exe
"C:\Users\Admin\AppData\Local\Temp\81323cd19e78a537ceb7480a33de10e376d50768edbdab2f2a838045445ea1d4.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2368

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DL7YY2B9\search[3].htm
Filesize
143KB

MD5
d4b0dc9eb6d0101bf97729ce6db0966c

SHA1
f05fb8eadd5221794cb634eb21d4957257970899

SHA256
59b2296f4af2fde99efe094a0ea83513d90d3cb3261d99a75222e6719aeabf73

SHA512
1903da5a9d93ee8123a51be1181914843e360b575eb44ff9d55f7e4dfd706b869bba8da90238e6aec335daea38207c77c9558f850130335cd666a2b88f5ef36d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NA35E2FV\search[1].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NA35E2FV\search[8].htm
Filesize
146KB

MD5
d2738ddbc5628286b021c63b539cd11c

SHA1
0739e92cce91a7f351d55cfe0003753e9550f816

SHA256
23ce4a05c222b0041d5cb353d258a3f05825c0d817ffeabd72e0e1b2a302c396

SHA512
47aaf37ab6593d7a86c14ead73611b20cf2f4e5ff70e2e697242dcbecdbadd400e614356fe24b243370d09a8df76715fbce5c4927869ab6de580d1c8ecbb24aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5OVUPOF\65RG4CDL.htm
Filesize
176KB

MD5
2a1a2275635f046f0e8a97bbd7bafa19

SHA1
2b2a6419703c223bd299e97309c215fed49421f9

SHA256
7d0fd82cd73cf48a8b86c4ca697084cf89c48584e09897e6de8cd7cfd827062e

SHA512
da21b9f1dc1c25f30264c0951e09ad4732453f3ac5aa25c39e609ef22f5d948c59be9d471e156d0506c618643ee62388ab74b5ac1be9f63db51c8c0da8404d01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5OVUPOF\search[4].htm
Filesize
135KB

MD5
691e791d2f43ff80ebed5be268080443

SHA1
805edd109a9f8e7703feb6f68ccf3cef3804815c

SHA256
ed1edf55eb11cdd64508fea7b260578940d525188f90fe6063d8e172ebe74352

SHA512
bbf583a6831676807c953bd5bae3eb7ba8464b7abb4d76a7150473758dbe94cf679f2da64bdcc78dbf448596fcf669d6e3efd58aa1652abe1c46c92453c258c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F59.tmp
Filesize
29KB

MD5
1a494d1eedc2cbba8ceffe4e31027d63

SHA1
4b586cd8e98b96d807967c9f563587551726227f

SHA256
1af44a0fe2bbcce49f56673a42771b5e5d01fa295d59309e76e68027a1d495db

SHA512
818fd96b0ded455ce73102842a2a9d71545fba3cc1fc7dafd7a5ef606aa00c8cabcc760ba6f1f83187595bf5c5c118f9c9b4ed1894b2f137302db901646957c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
320B

MD5
43411210208a594ec6a19da47f5571f3

SHA1
53b19468110ecb05601e5dd7c6e103c2656790de

SHA256
b24677c7a88de780dd953494aadba3050a7e02ecdad78ff4082b0b7e8d219714

SHA512
e94b34023ab92b43283c9575c97e8780f0418139c9a79b50c473a7112aa6b00cabcaf509ffe3626930e20a66886b80a6ce7af452df48da81d23eb758add6592c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2368-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-269-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-264-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-80-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-262-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2476-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2476-261-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2476-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2476-263-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2476-79-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2476-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download