195688fdc5454fb7f6ba8188015e395bfe86876a9c0e28b818944ee264f0e77c

Resubmissions

21-08-2024 19:30

240821-x76q3sweqg 10

21-08-2024 17:42

240821-v92h2avgpj 10

12-06-2024 16:01

240612-tgps4a1bqh 10

Analysis

max time kernel
60s
max time network
66s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
12-06-2024 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695.exe
Size

41KB
MD5

2f0ded84c37387024cd7145bd7e64e88
SHA1

61803770a6bdf2aafb3f7efcc3c135d63ddd55b5
SHA256

b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695
SHA512

efe39f1abf0c1ae5662c95bdcc7022e5982069e7656860356643eabf4a567639136125294dfd3ecbde72e0853e886a88b5d085d8c757c7b63f67cb000b510848
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

4892 services.exe

pid	process
4892	services.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral24/memory/3040-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral24/memory/4892-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral24/memory/3040-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral24/memory/4892-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral24/memory/4892-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral24/memory/4892-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral24/memory/3040-25-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral24/memory/4892-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpE9C7.tmp	upx
behavioral24/memory/3040-182-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral24/memory/4892-183-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695.exe

description	ioc	process
File created	C:\Windows\services.exe	b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695.exe
File opened for modification	C:\Windows\java.exe	b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695.exe
File created	C:\Windows\java.exe	b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695.exe

description	pid	process	target process
PID 3040 wrote to memory of 4892	3040	b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695.exe	services.exe
PID 3040 wrote to memory of 4892	3040	b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695.exe	services.exe
PID 3040 wrote to memory of 4892	3040	b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695.exe
"C:\Users\Admin\AppData\Local\Temp\b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4892

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1ALNH8SR\results[2].htm
Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1ALNH8SR\search[9].htm
Filesize
130KB

MD5
20ffe5b3275ba193b375f39e510c8478

SHA1
12f120574e3c48d0a05c440f5acecb35fd92363e

SHA256
df377f563215ea453c050827d39674ccad9dc6308e10ca50071699359ce25f80

SHA512
14544702ddd7258635532e28faa25d7f731e5a56aea9cb6c61c76490e723bcb1d12c79c62a017c0b8b634838053267793c78be1c04f44f214d26e2c661c97baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\21CR7UOX\search[4].htm
Filesize
164KB

MD5
3a74cfb10aa7296ea4df1ab55d615bfd

SHA1
54bab52afaf27f8ed6c47350b6fe0f507c4d79c5

SHA256
8017c0a37c67a5c3a8bfaaa5ff55a41ee6236eed37c2b20a7e98c43aa226701c

SHA512
1375218baded4ec6b62aaae716cd7ba3cadecdfa4539890c81c3588edeb4fa7443cf2cd5acfea82b3aa063175f6c50096c2b5b54851af4214c21a1d14d81cf37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NDYWT7Z5\QIOVLRTT.htm
Filesize
185KB

MD5
78249f2742c36a1ac9eea84031375032

SHA1
9ee9d997989de94698bf2df2e9e1113fd6ad3aa7

SHA256
fea7656038f5a9baf5a08d963caf98befab65954b5117c13d148c429af9408af

SHA512
9c463b444fa74184846f340e7fb3b3f647c3568d844f070f69e582e34b10cb477dd908a9984fdb42ea837278c59a4aeda035a9043d4836f8958c9c339603a744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NDYWT7Z5\search[3].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NDYWT7Z5\search[9].htm
Filesize
142KB

MD5
2d525b56006f4de9a458c3c792fde43d

SHA1
6913fb4cc678c5ee63bbadce90462d5e7482a29e

SHA256
3e672f35802ac4aabea4b7f3267aae7c14f38e3a4c208d1d58dfd9a349d632f0

SHA512
c69a5b64ba5ff4405f79627bc20f8ca6e4aac2b41bb445b27f88387e98508b92ec477a739b2bb9ebcac56ff3635a9cd51d0c0c3be269a10d0612ca0c718eed5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RJFWFK7E\SDJ4HMNX.htm
Filesize
185KB

MD5
ee10daab64acbd56206a2d3f3b8f71f2

SHA1
32e2a2729e789a469adfb658317377fb66f7da51

SHA256
6b0dc4bfab2678d14bfbfdf392aa40f455f8101a5b464ebab12b8784f8b5786f

SHA512
ba66608cfadc90a13066295f1aebe7ef48416aa281e15a2d595dcd0da38bef5c189df27f3e81691758e4cd127179ec7ecfddc76f78061ef5a76490976c24c49e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RJFWFK7E\results[3].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RJFWFK7E\search[6].htm
Filesize
139KB

MD5
22fa57607c842d39b5a733aa86e18526

SHA1
f5ef113b8e6a355b0efd2a72397cf10473f5a0be

SHA256
e8e16710e24bc2d43ffe2cd136986731aac3272e45a7c435b01b86abd34a4811

SHA512
cb5e227730681032f2831cc87834f37871eaac115847e5d7c65707303981c11a429bbb2e3cab59ee5f09b8100016a3d887011d9d41bc5b7d8853c749bc1a665d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE9C7.tmp
Filesize
41KB

MD5
36177eabd00da10afbe43ae66867fb4c

SHA1
9ba5e78b2f545376910dbfecf8e41b89b6d433bc

SHA256
3816e8894041e82bad606c242dbfd197c403cd50d6f9d47230562bc5787d94df

SHA512
d745782b2640d0516c111f4f33bd5560125d1aab9208b217bd24915402d7e4774bb6fab241c10b7cfdf2ace3dcf7428495d501bf23de63c0692fbb3957c85abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
128B

MD5
8b0a5d4b194088fe591db583e89d1c2d

SHA1
413dec821c5295e821c02933739c5c591235c9cd

SHA256
2e396911527e6d2be98f101c58532c312bac19bb95873925fa8aaa489164197d

SHA512
e7f7c38ee4baa698f487401154e9c5e48c783275b5b991d883cc61155e641c352bd48b7fda10e9249c3b3d65722a1018a5c5db0e10ee656f09cf4195ec308e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3040-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3040-25-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3040-182-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3040-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4892-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4892-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4892-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4892-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4892-183-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4892-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download