8026620138c04f8fbbf156b406e4cfbe00ba41a7ed214e478203ab801aa21910

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 09:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bca78f398288025ebd7dc7855e66bcd0N.exe
Size

29KB
MD5

bca78f398288025ebd7dc7855e66bcd0
SHA1

19b8852d78bc85bb4a295529b07a1307126b8f1f
SHA256

8026620138c04f8fbbf156b406e4cfbe00ba41a7ed214e478203ab801aa21910
SHA512

42230b5bc031f66d784833749e0f3dfbe74376dc7ee11268124d676843d129e5730ccdb462e37179b20f545c9d846152d016dda28d8b69bba2ed9bcbba5831be
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/o:AEwVs+0jNDY1qi/qg

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3064	services.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1624-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000023451-4.dat	upx
behavioral2/memory/3064-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1624-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3064-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3064-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3064-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3064-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3064-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3064-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3064-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3064-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3064-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1624-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3064-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000e0000000233a4-63.dat	upx
behavioral2/memory/1624-121-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3064-122-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	bca78f398288025ebd7dc7855e66bcd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	bca78f398288025ebd7dc7855e66bcd0N.exe
File created	C:\Windows\java.exe	bca78f398288025ebd7dc7855e66bcd0N.exe
File created	C:\Windows\services.exe	bca78f398288025ebd7dc7855e66bcd0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 3064	1624	bca78f398288025ebd7dc7855e66bcd0N.exe	83
PID 1624 wrote to memory of 3064	1624	bca78f398288025ebd7dc7855e66bcd0N.exe	83
PID 1624 wrote to memory of 3064	1624	bca78f398288025ebd7dc7855e66bcd0N.exe	83

C:\Users\Admin\AppData\Local\Temp\bca78f398288025ebd7dc7855e66bcd0N.exe
"C:\Users\Admin\AppData\Local\Temp\bca78f398288025ebd7dc7855e66bcd0N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\0XWDBB5H.htm

Filesize
175KB

MD5
2e11fc26924c0fa2196824882f3696ea

SHA1
a94d62bcc27ece373cfa7f3aad534bf5765ea532

SHA256
65e904676b8c3b7664a7e4f59645e68cc2cc759ee7049260d1ba863a2231469a

SHA512
ce750105e09edee9e6278434629c2b84c5748f15277a5200f9977e893e69e4ed8340e0557f89ff3caddf7378a6b121583897d19fec117b23510f72cdc067c516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\9FNF2GBH.htm

Filesize
175KB

MD5
853d687ccf7ba0659c1bf35397feaa67

SHA1
e676b6b94087c50c60e5d7165799af4fdcb9c9e0

SHA256
a8350af9360a299e264a05eec1489b807136fdc2d53176ab82b9d958b1af8817

SHA512
d69a61a19cf5c7b2ff68815df6db531b037b6f91044b67bfd2901ed75eceab45152e329e2deda754efa7ff2e54486edf078388e5f2275fd013209cd30866df81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\results[2].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\search[1].htm

Filesize
131KB

MD5
1af0cfbae2a184c8f73e92a3cc2fa334

SHA1
ffc9395f4477a8b510fcd7f82799cca5e36b6f53

SHA256
1d386eff3d3ea99b8dfdb359f895c510fea1d495b7c8eaa5bd64066cbb6f170d

SHA512
4cd3fea9c2f1dd16452cf947a82be77f45bec40f05ee5f5c013dad151196315f2cac61f2694b40fff862c38060a9cdb89cbc26758666e3432b09882389a1e136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PE7M7D0W\AQATB3AS.htm

Filesize
175KB

MD5
75592d58893081931fffd4507be562d3

SHA1
4d775d3c71f5f57dc010bb8c385f1cf02d739a5a

SHA256
bda19e5adec790d64bcebbd3ab7ca3fe617e82969d6a4c9e1b560ab2690bef65

SHA512
259405ab4224f8183203eeb1a9ca935492c874ef660fa25b8fbe6c2bab69906ed050d1728c974d26a5a91a789e467b04ad535016f3582fdb50c3bb2d11ed17ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PE7M7D0W\VW8QUQLI.htm

Filesize
175KB

MD5
8720588a88d0a9d483a3e6bd90fc2860

SHA1
a872394460dc0bc90454885e47b0aee0f57f825f

SHA256
894c45c7a0d5400052a37ea395fd84d45a02bb380b72ac7ea2d2754193053334

SHA512
502c3c997866c01c0c7b82fc90b6879c115205b045e2dcdde19d0776255de94e770ae122e764a232a051c68ca70c1040a0c0450eeeb7c216eed5a5a284b28c80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VF89GZ6O\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3BD8.tmp

Filesize
29KB

MD5
ce229e446d1d8597600d7941aca75a7f

SHA1
56c1a0cdad1ef77d8aa796d47324c1813181a376

SHA256
dfd92ac64da8026368a05bcd54ec75aee984d5afb2a8cb4d6d11c62766247503

SHA512
a95346a59589d5f83153d55695d92c111b60f2b06e1a1ff082ec4059917ea74af75f4508cb2b96538413468e7de1754a03d9f5d16c02fc60a985f0ffa4f3c7d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
8e0601b51170d2ae0702af72c31b5f74

SHA1
fe4ac94d539f018e62850b6a50ff440facea0faf

SHA256
73be723f03bc34e8f9f2d01d325995e28dea463714770e602eef23dfb17fd080

SHA512
eaf6e96753311263a13c542ac825fff7ed3b076e80e4a2652093786a554c78b8f47b6acb8e38925e74793e8734736bc2258628f1668def6521f4a752b39c4676

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1624-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1624-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1624-121-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1624-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3064-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3064-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3064-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3064-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3064-122-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3064-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3064-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3064-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3064-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3064-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3064-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3064-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads