Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-06-2024 20:48

General

  • Target

    418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8.exe

  • Size

    29KB

  • MD5

    4d9f4342989827321199b81d8c3a18b5

  • SHA1

    057deee8b99e7c2b0d61f1706bed44fc93c4d9c4

  • SHA256

    418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8

  • SHA512

    2161d894bef9991a8840e9659f3196503299effdb450e97b8e3801eb5336030adbbe8b3a8f8205d4a9eb54f3ec793f99d79dcba14f85b684181014c14cb5d117

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Y:AEwVs+0jNDY1qi/qA

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8.exe
    "C:\Users\Admin\AppData\Local\Temp\418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\services.exe
      "C:\Windows\services.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:3012

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 2
    • Subvert Trust Controls (T1553): 1
      • Install Root Certificate (T1553.004): 1

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    517c224499b18bf1a855c2272efc0d6d

    SHA1

    347732c02f25fe5f907117e6cb1552cd5f378f67

    SHA256

    02b6908f6abeaacf023d0f32915d34021bf56a042ff5ac7c14e1548819cea882

    SHA512

    e0772a6bd4f40064f479d7e979bf775e03998f650cd06ff1b4e3075d683fbce5a05733a19c158d0625f1f3aa61522f31ea653ba115b82b5eb1926d0b9a4cf0bc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    06d24b38b9690ad66db05df0244cf115

    SHA1

    7b3a6223f781c085c1ff55ca160b3bec9341b15a

    SHA256

    e1eef2b4d8b077024a72bca35929414be153fcf0b8606902d6c724c970227545

    SHA512

    90ca4f1c28a08691c3cad4efaa347cf6ae64a6801cd2ec5ffab50ed1e195b8585fcca8ae53ab6ddfc0d080a8a0fef2a096c2ddf7ad096d8798ebd84f305c492d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\WLK1MSBD.htm
    Filesize

    175KB

    MD5

    07652a521d9beae66543f35af2c558a7

    SHA1

    a1169af92b3a6336ec2c19f35625e0e41a18ff2f

    SHA256

    79d82db82272fce10c408e2ae380e6464b8fdd9d97a69b1184274b6450582182

    SHA512

    d8d52607a84d47b4e68f92f4e76084f21081e1441c1372d7f8af736afb3d81d7687f73b6095db177d57af291fff6a51976340656008a4ff0093e52c152646d5c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\results[4].htm
    Filesize

    1KB

    MD5

    35a826c9d92a048812533924ecc2d036

    SHA1

    cc2d0c7849ea5f36532958d31a823e95de787d93

    SHA256

    0731a24ba3c569a734d2e8a74f9786c4b09c42af70457b185c56f147792168ea

    SHA512

    fd385904a466768357de812d0474e34a0b5f089f1de1e46bd032d889b28f10db84c869f5e81a0e2f1c8ffdd8a110e0736a7d63c887d76de6f0a5fd30bb8ebecd

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\search[10].htm
    Filesize

    155KB

    MD5

    1f52c48aac6e999bbf1eca857c887a14

    SHA1

    472df1c35120c99eae16cc500becb3733b9f865a

    SHA256

    5a947966a8410f6ea201a8b99afe72dc4e67de15d539a789a5f4a5681ff4754f

    SHA512

    4b724f8d86e31c5cea1444a6059319c74f3424497a1e4822e3baf63a54032d4a220dd35ba69688ef20b7c27ef9e81bfb3045f1405c003f5026fe70114fb7cfd2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\search[4].htm
    Filesize

    152KB

    MD5

    28a2d28b5b2ef9271adc62b9a8225d78

    SHA1

    9cfd759256f27acfb1f519e7bf0a026ca4c51f37

    SHA256

    74d53113bc6c51e0380bd6053f0869b0e71a01164d5fbcb63c34c1da5360739e

    SHA512

    a039c1f75e0392961e6332cf8c05c2282381ed0f3a835c92fb6f3ff5efe8bbcfd6849aa7d7cafc66723cc14dc554b40efd9f026f18c9f776d7c34fcd8bdef744

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\search[5].htm
    Filesize

    25B

    MD5

    8ba61a16b71609a08bfa35bc213fce49

    SHA1

    8374dddcc6b2ede14b0ea00a5870a11b57ced33f

    SHA256

    6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

    SHA512

    5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\search[5].htm
    Filesize

    172KB

    MD5

    040109c9a1d29f1a39bc7728afb30c6b

    SHA1

    6ed322799bf026f13751c046f29d2ad02bc65005

    SHA256

    417a01b2e9da32f332d72eaa933414cfe09adc9f2732d1ec1c52aecae030ad7c

    SHA512

    289beef535088dff8ce8ee0a66027518e99c56d4526564b0af9feda49aeb44f8885499290138a0e44814aba0e6f8c2f5bc8ff528355371eef1882c0443f633d9

  • C:\Users\Admin\AppData\Local\Temp\Cab22C8.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Cab2318.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar237A.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\tmp25DA.tmp
    Filesize

    29KB

    MD5

    84661125c7c0f8f4005decfa5af9fb19

    SHA1

    fde1f6bbfb2ff6246eb442a35784ba4844b34d3e

    SHA256

    e7604e4518437cdd32ec2ae801ea7c02c6179893976a682d24ad88236d75fb41

    SHA512

    1c31a70535b0fdb8d1722dffd5f63a2ccd476f1f9c66ec23740123a938ee584495ce33fecdd78ce1be4a77530a38a41ac45ad040cff7425daac09a621ed4db80

  • C:\Users\Admin\AppData\Local\Temp\zincite.log
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Local\Temp\zincite.log
    Filesize

    352B

    MD5

    60046b29a0f807956b35db638e2ef88d

    SHA1

    a26f500bb6802c56ba456e75490b8ea21e1715f2

    SHA256

    f5020b57fbb5ed0000edafb3b8e27461b3336d5384e9de94962af6610e3e91dc

    SHA512

    241837daa36c634721329cd11c7a281c7da0cabb8fb78fea75961e9360370a57da3841ed653fa928656782ebda82582840104066184350344ca9f29572221b29

  • C:\Users\Admin\AppData\Local\Temp\zincite.log
    Filesize

    352B

    MD5

    d730ed427459ddc0c219f4cb9b282fbf

    SHA1

    04eeaa108cb57631c98b2b194091486ab94b5f94

    SHA256

    16e909c8f9d862c3cce507ff479d76d95e465940cf9ae34cd4587a33591eb082

    SHA512

    f7832f92722fc5be6976d80258e2c6389282f6bdc16ccedae9b70b69ce896a441e4f3c86b13f62b0a0c84b74a2244ff45395d711fa14aca183230f347c495e95

  • C:\Users\Admin\AppData\Local\Temp\zincite.log
    Filesize

    352B

    MD5

    6135e4007cc17f7dd700275d6154f05a

    SHA1

    104b356ab873ad0a8607e3aa68035183a308f8c8

    SHA256

    265f12bae0e5b5d7049746a0489d05deb3df6c435d42665ad2ff4e9beed79901

    SHA512

    38ed18ae7f6f95d365bf2aef50ec847340a72aadad90b9960c177b23cdc2380d7aa5fe9620b393625a8a6952f922062499f4031a18bf55524d1d07947c3ba714

  • C:\Windows\services.exe
    Filesize

    8KB

    MD5

    b0fe74719b1b647e2056641931907f4a

    SHA1

    e858c206d2d1542a79936cb00d85da853bfc95e2

    SHA256

    bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

    SHA512

    9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

  • memory/2252-2-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB

  • memory/2252-482-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB

  • memory/2252-60-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB

  • memory/2252-36-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB

  • memory/2252-64-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB

  • memory/2252-267-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB

  • memory/2252-69-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB

  • memory/2252-41-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB

  • memory/2252-71-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB

  • memory/2252-9-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2252-76-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB

  • memory/2252-10-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2252-25-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2252-24-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2252-17-0x0000000000500000-0x0000000000510200-memory.dmp
    Filesize

    64KB

  • memory/3012-30-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/3012-82-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/3012-77-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/3012-72-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/3012-70-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/3012-65-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/3012-268-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/3012-61-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/3012-42-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/3012-37-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/3012-32-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/3012-23-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/3012-18-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/3012-11-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/3012-483-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB