43f33ebf187b9f3a986934d320e84df8e6da4e90c68c6928a778309fada53db4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

letter.txt .exe
Size

29KB
MD5

0af3e56a2b63cf3eadbc06d351f6d6bf
SHA1

f67bd0030a6b2f5fd3eeaa4d5404fcde67cffe91
SHA256

43f33ebf187b9f3a986934d320e84df8e6da4e90c68c6928a778309fada53db4
SHA512

dbdf4027b64d8b2a50bcf25656e3ea049575e7ef7c2a67bd1e4f163e5a4c69c117cc7bdaf0dd7653a026cace4fd1a73519d9c0352621afcfdb0fb24a0a271570
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/DZ:AEwVs+0jNDY1qi/q1

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
760	services.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1756-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000023449-3.dat	upx
behavioral2/memory/760-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1756-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/760-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/760-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/760-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/760-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/760-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1756-35-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/760-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1756-37-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/760-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000500000001e73b-48.dat	upx
behavioral2/memory/1756-230-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/760-231-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1756-248-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/760-249-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/760-251-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1756-255-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/760-256-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1756-285-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/760-286-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1756-287-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/760-288-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1756-344-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/760-345-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	letter.txt .exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	letter.txt .exe
File opened for modification	C:\Windows\java.exe	letter.txt .exe
File created	C:\Windows\java.exe	letter.txt .exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 760	1756	letter.txt .exe	84
PID 1756 wrote to memory of 760	1756	letter.txt .exe	84
PID 1756 wrote to memory of 760	1756	letter.txt .exe	84

C:\Users\Admin\AppData\Local\Temp\letter.txt .exe
"C:\Users\Admin\AppData\Local\Temp\letter.txt .exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0HGGBLFL\9C3BBQXS.htm

Filesize
175KB

MD5
6d34c837898f25a9c5c4ce677edf0427

SHA1
89d55a28b9f35b2df39c94ad0bfa9acdd6610931

SHA256
43e52d0cccad376f5b461ec8ec386aa12c705b19c9e2b6ecea376c6d4ee0314a

SHA512
2ad959583c1e4516dbd50cddccb11cf8de9a7a4abde16aad3555c85d9e74477a80fc967e6372417bace9258625e127ae83846faeef4dfd13d52cea82ceaa41b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0HGGBLFL\ZNZY1BXD.htm

Filesize
175KB

MD5
512dd23e39f66faabe6f67e177f0c8ab

SHA1
f471469414f7c121c02f263ec6f6c657bcbba590

SHA256
b6fc7fa48ce6fbf793c409cafa71203cc1967e5aecf94b76d0e47032aa9b13df

SHA512
8b3752579cf4f1fd0205bed2d275542567bdca9deb787febc9c1c384772cb8063d0f97123b225a57de59ce0482933b0dde6ef86bef0e84c8ae6c6651e152d615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0HGGBLFL\results[2].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0HGGBLFL\search[2].htm

Filesize
145KB

MD5
f419ff83ab523215551b941ea0d64f45

SHA1
24af197455c4edcb504230ad090734bcb8ce1a39

SHA256
835b40a3f0adb5330c18bdc26712124faf7f4f5f61f6c59aff567d8dc974f7be

SHA512
abf5574a6dd7ef8df5fe351111d0fbd976177298621e76f76b99207a7f6119fae265ce86b7556912f59896fbdd2c31e3c4e2cc2aa2e10454cd711ddc3c4845d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D1AP1AEC\search[2].htm

Filesize
115KB

MD5
649b26123d61a5024ba68aa5696e2226

SHA1
5e72cc211eeaa8ca30b110817ec75ab535958040

SHA256
c989020e7ecb3a51cdeb45b51881efc80c0bc0f365b5086d476ff592d70165dd

SHA512
7d4944d5905a4fd42bf1b98772dcf1b9237394160e2ae200ba224a31a3c6b905071f9e39ecc3fdd01cd7c8add324bb4b30fbf1714c2a3ee0e246a5fe1c00a62b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D1AP1AEC\search[6].htm

Filesize
118KB

MD5
adb0bd3a2624c2311a150030d0b3025b

SHA1
01c5d7459363437eaf2ad33d1becc4268044f7aa

SHA256
7ada4af5ae0e32832db22c760d872966de0b74165b60b71e8de5fe512e2274f4

SHA512
af292ec44f551d17a2a32814bf68786340a5d26f14e2abb7a9f881fe85424944365823201508fa630b35d885e042cc768396b926ee18592ad8bc2dd3f8885d41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I0E3LJN0\search2SF9GM0H.htm

Filesize
149KB

MD5
3d0a85a2621ffb1d291a995d7344fe80

SHA1
db36c37f3e7fafa9df947f20a41702bd40baa975

SHA256
ae277e2e0d96087dc169671187c0e5e7673f7baa54d0354e87a89b00857dcd65

SHA512
5bae7a6762cfb36766829b6985121ca6e46b8cf13f6635af8ae6e13b37928b3f267f3c7ed043584f511cbf6a27d27ef3f48b36f7be408af58cebb72b58f610a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I0E3LJN0\search[6].htm

Filesize
137KB

MD5
625866cca3201ceaf11ce74c52453f59

SHA1
4440ee9f552e8894a1e4479893744135ce04ece0

SHA256
d99a3702510416d6395bedda09e5743ecdd8544d464fb44a44d0cd7af163683e

SHA512
92905e4f62dd960e3b8d8ca77012c5a78c7882d25a247f56eb1d4bcf5ac85cc95cf533536370a5eeaaf9e913f80d02043c9772a3cc2fc02e018776e28f49d09a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I0E3LJN0\search[8].htm

Filesize
131KB

MD5
ade9f0f609bf4856738ea174fd5f1d7e

SHA1
343654670b20bdbe1668883366c6c86cff8e2811

SHA256
a96987cb27d555ab61ea07ac884d5e1b76585a596e4005f68b4b4b0a404e2699

SHA512
1db8b1488dc4e9cef7852177e51a6f71f479c34b023bf2271c1584e5852f875c8c25b38915e66af36568cf4ed3a3d8b0aedb31b701f8874f31bdce13d06a22a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OZDMMIJY\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA1DB.tmp

Filesize
29KB

MD5
760d3d8871759d96e33bc6966ab50199

SHA1
0e9e8be596dba513b4e82efcda4642c9b258536b

SHA256
66598cecf7cf1d3c231e7d12c26396c9642e2ff2b98a6a1a0f9e081005a76c7d

SHA512
02fe14ffd963b971410c277c7cfec7e015b731fca40a665f5002fb6b7719cd677f14b5075168832f736d287e65f0759479d4cf7e43bcdf5b8ac0ccdbea29b208

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
2395f4e4abf2379618aa6f92a13e5c4b

SHA1
5679f5a63dbca8dcccf452022396a7b25f396e8f

SHA256
b612528c41ff1e42a81e368327c85dff951b7914a63c962844560382c8467d37

SHA512
8c7274b563655e607e372abb1960f4b667a3b901169d3567626e4760600c87462bfb4d287f0b63f8c4dfd49e08f82dac5b64b27276a79810053037b6c51bbc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
ab15aac38415426b2b17fe2a8811e899

SHA1
3edc23cdea3042f586a49a3388e6f238cadcde18

SHA256
5b5dcc0a42248b0ceab9534dd07ace0f5aaff3241bb821a2995d6c31e9060c9d

SHA512
3e753c9aac6479228419f32cc59b015aeed2806a1840e79dd0fb2ea2bfeebea5af047273c0348ee7219a234a63743c7ad8ca7a6d0dcd664db11c33d062403c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
69d8fe1d793cb8bf76ef79d6df323dfe

SHA1
5cc6017bf883577d28601c1aa15ad422c89b297f

SHA256
37762290872d3823fe1d3a3befe83516a9a13076ca0e3d1f8abe27db343f28c0

SHA512
726b2b71a225c08f95916f1bbe3ba2f233c47b299dd7b88666b7756782a6c4b46bfc895d5bbef3ac0ed7bfc023cd6f5f2c2e83cf657921be726bce0f9bc5d72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
a9810cb131fb08d80d9ff8a69e4825b0

SHA1
0519b2b2227303fa3d8b2012a4276245a99d1175

SHA256
08e7ba890594e9e5769592dc2b352963647436371d5d22473b1831f174397fc2

SHA512
9a1af64e849c8ab609d0b1da3bf4b7d5fd9bb2413dba2cce8d2fb50521c9bf484cf49f0b5635744293b9de9711684f1c829292eb1fa37d735e72297ce741734d

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/760-256-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/760-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/760-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/760-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/760-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/760-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/760-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/760-286-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/760-231-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/760-345-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/760-249-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/760-251-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/760-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/760-288-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/760-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1756-230-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1756-285-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1756-287-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1756-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1756-255-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1756-344-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1756-248-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1756-35-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1756-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1756-37-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads