Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
11/06/2024, 01:16
Behavioral task
behavioral1
Sample
5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe
Resource
win10v2004-20240426-en
General
-
Target
5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe
-
Size
41KB
-
MD5
64276638075d3cab665966be7f366682
-
SHA1
3fb9c599d5dc9188332b4a9c0f1262c07ee24699
-
SHA256
5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a
-
SHA512
1bbd7440a14f8651ef4433cdda3a48071024838688f8ff88a0688cf56f28854232446f655731a44d1f02f1e572697e132f06c92dfa170825433154042be02826
-
SSDEEP
768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2332 services.exe -
resource yara_rule behavioral1/memory/2400-0-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/files/0x0039000000012340-9.dat upx behavioral1/memory/2332-11-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2400-4-0x00000000001B0000-0x00000000001B8000-memory.dmp upx behavioral1/memory/2400-17-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/2332-18-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2332-23-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2332-29-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2332-31-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2332-36-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2332-41-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2332-43-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2332-48-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2400-52-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/2332-53-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2332-55-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/files/0x0004000000004ed7-63.dat upx behavioral1/memory/2400-76-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/2332-77-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2400-80-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/2332-81-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2400-82-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/2332-83-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2332-88-0x0000000000400000-0x0000000000408000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" 5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\services.exe 5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe File opened for modification C:\Windows\java.exe 5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe File created C:\Windows\java.exe 5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2400 wrote to memory of 2332 2400 5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe 28 PID 2400 wrote to memory of 2332 2400 5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe 28 PID 2400 wrote to memory of 2332 2400 5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe 28 PID 2400 wrote to memory of 2332 2400 5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe"C:\Users\Admin\AppData\Local\Temp\5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\services.exe"C:\Windows\services.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2332
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
41KB
MD560b9ccda7406fec061b69778c8ae4ec7
SHA16fefa40773cde72347fcb4e112504865118b94dd
SHA2562d6361272adbbf410f9308fcad173be453404829b0a1cb7cb2ccb61f5611b51c
SHA5120919b4681f245f683ffd909d53b27bba4910f3b941fe4e1adc45dc8bfb5a3a90fa6c0e558588291e2fc072ec35077c7d12632c8865163f372cafe1e8ddec350e
-
Filesize
160B
MD5de53d2b1143e490bb5ee00f8ff898027
SHA11731b59b2d3952f4d92f550e09d8948f0ca1b9a3
SHA256027300636306623c2044aa0516ffd4aa6eae019dfe7d76e65351dae73649b828
SHA512bd3058db4632cdf72f591ba3db1d75b6ffaf99e08cc446c0edf99b013789bfb971f6ecaf5a585c358e52c575866ecbb833d4f0857faf1be43553e86922644655
-
Filesize
8KB
MD5b0fe74719b1b647e2056641931907f4a
SHA1e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA5129c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2