83ce1e384ca8acabedb441634d6d9053f00de91260dab0dfd7081400d8d1013b

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83ce1e384ca8acabedb441634d6d9053f00de91260dab0dfd7081400d8d1013b.exe
Size

29KB
MD5

34fe2f3697a086dde57b114a52d3a087
SHA1

f2edda1a4f48f3f61f7b6cbdb4efb71248a0ce93
SHA256

83ce1e384ca8acabedb441634d6d9053f00de91260dab0dfd7081400d8d1013b
SHA512

19aaed95afad6c3310c5bf23903fc719a91987d7739c0d52c5134788d2ba4561ca46fa4a5dce9b8f10522b9291ac90b0e187d3c83b501d017c800237a5124d90
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/L:AEwVs+0jNDY1qi/qT

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

3916 services.exe

pid	process
3916	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1552-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/3916-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3916-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3916-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3916-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3916-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3916-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3916-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3916-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3916-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3916-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3916-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1552-54-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3916-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpF192.tmp	upx
behavioral2/memory/1552-273-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3916-274-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-296-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3916-297-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3916-301-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

83ce1e384ca8acabedb441634d6d9053f00de91260dab0dfd7081400d8d1013b.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	83ce1e384ca8acabedb441634d6d9053f00de91260dab0dfd7081400d8d1013b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

83ce1e384ca8acabedb441634d6d9053f00de91260dab0dfd7081400d8d1013b.exe

description	ioc	process
File created	C:\Windows\services.exe	83ce1e384ca8acabedb441634d6d9053f00de91260dab0dfd7081400d8d1013b.exe
File opened for modification	C:\Windows\java.exe	83ce1e384ca8acabedb441634d6d9053f00de91260dab0dfd7081400d8d1013b.exe
File created	C:\Windows\java.exe	83ce1e384ca8acabedb441634d6d9053f00de91260dab0dfd7081400d8d1013b.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

83ce1e384ca8acabedb441634d6d9053f00de91260dab0dfd7081400d8d1013b.exe

description	pid	process	target process
PID 1552 wrote to memory of 3916	1552	83ce1e384ca8acabedb441634d6d9053f00de91260dab0dfd7081400d8d1013b.exe	services.exe
PID 1552 wrote to memory of 3916	1552	83ce1e384ca8acabedb441634d6d9053f00de91260dab0dfd7081400d8d1013b.exe	services.exe
PID 1552 wrote to memory of 3916	1552	83ce1e384ca8acabedb441634d6d9053f00de91260dab0dfd7081400d8d1013b.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\83ce1e384ca8acabedb441634d6d9053f00de91260dab0dfd7081400d8d1013b.exe
"C:\Users\Admin\AppData\Local\Temp\83ce1e384ca8acabedb441634d6d9053f00de91260dab0dfd7081400d8d1013b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7KQBJSM0\5DLBUG4W.htm

Filesize
176KB

MD5
5464037f3df4eb13d71073cff989cac5

SHA1
2f73077a6a24268b2ec49a47a899bb03d2685352

SHA256
dbf6699146a91c4523361f259c7306194d1738da4244802b153b59ec0f886d3a

SHA512
f2cff72117c6fa7318f82194398e339cae0d2a2b5da942345f4d5ae7e9d728f40b07c3fbd485ee27c5cfe1b0cb374d3182eff297eb538d653c0f0f7b297c48dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7KQBJSM0\search[1].htm

Filesize
153KB

MD5
6fce7a93a417777ed64e7f324cb611d3

SHA1
d0c7e8227e82e7a1d71f7d18db8b2dc9b9f93e74

SHA256
a3f4432333b3e0d518501271dc60778f1126ec17d9cd72ed6c708f09b9660311

SHA512
0f817848ec1c6ec924f901d409692d847ba5d6613193d5f97f8fe5568a8cb31b3a38863691d7a82b52a5e721a4516cf59b2c4c14982ae1913bc5d6d28e55f0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7KQBJSM0\search[4].htm

Filesize
137KB

MD5
f8d8696d8750bdf58390b445135bdf55

SHA1
b970a81a7901db7b58f4b63db6296b9b25fac343

SHA256
d35ffd7598b8a89bdb215f7f74996469d39d3826b1de0d9304b948117ebd3bc8

SHA512
7cdd154182e1d44508ea59b2cca3cf1773def9238bc5f8c69498536133b60026d1bdf2147c11826cc4e2db93636f0a2f0d4a52bba08d01d41602fc9a3604b886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CMPDKH9Q\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EO73ZF47\search[9].htm

Filesize
100KB

MD5
8709acc2b23cf5c5e5996a059724bd2c

SHA1
a363d126a9c7e82cc513930e95eeffd54feebe12

SHA256
4ebd82cf54c11622b506b7e55a980aa047ed83b211e5a1849d1a0aee2fc4484c

SHA512
61a921dabe355e918b952e05a2334f87beb9ed978790887add95cc5dd649e8f02c0d6182d1f53cd3f15fca99435308c8a3fcbfcdbbebe74fdb85a78a27edcbc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOWSKSPC\search[2].htm

Filesize
141KB

MD5
2c2a742317e73a29f11f99202fe99508

SHA1
e84953dccff0e8a68b264e6d4fd962a166292314

SHA256
4df6797a98ea51b24f9448f2972ebc43babaf4c6136039fa971bc5f5db583a57

SHA512
375dcaf54558dba34546b461c74ee50826ccde33b3df37b9b9abb6082347caaffdcf9a441bfaae0b97aa2a5e9aed2a4afab460e029acd187499eb0e52bc5c3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF192.tmp

Filesize
29KB

MD5
9d6ac629b8f60dacc892558fedc7eade

SHA1
bab2394397cfba7d5b2ad17b3ad9d746a7fc326d

SHA256
878ddd13b27426f78c35e7982a05efd3b27c1a13e531a7561354fd8cf29d7333

SHA512
76ed00e1c7c879c5543c165e15a23eb12c816cd05e1850407e37c1ff3378e9fb32f6f5543cb3a946a410e5977af8faaa3e219cca7a60be7ee83b156ee1a0df5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
55e29c273b90b023a4489b3834d5f622

SHA1
a1f46784bfa2a75a6a9880d2424d2d043c4928c4

SHA256
70541092fe45bf0882262897579681a198b1ba9d4884ce900d49126ef740a290

SHA512
50051ec1c5435c653674e26428ecffeb189c5edf73c5ebf34026b4dc804e690f33145f33d7f4597c65673dbd764809a1a49e7b737143b71f44dd6e169a711bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
e84bc2966e060bad50624bebd5f37c4d

SHA1
5e90a2005a12cf9df339fb8461adc790eb8172e8

SHA256
23aab3c6b21e7b20eb13b0660568b89b532047b191678981752e4c9342422e5d

SHA512
72c7fdf5982db7c2b2ada65b756d5c7ba6e4f2265af499ec62a4617a7f92dde3a6f30306eafe379041ae9d35fea5b5a1a0a5e909be7d718730c963b478010217

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1552-54-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1552-273-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1552-296-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1552-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1552-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1552-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3916-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3916-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3916-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3916-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3916-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3916-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3916-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3916-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3916-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3916-274-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3916-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3916-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3916-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3916-297-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3916-301-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download