eb73cb2d6b651342563e2e3dbca7eaa6d8fb656cb44b341500e17d70a595f3c6

Analysis

max time kernel
120s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

387dd85609fbc1c6957d0ae6031de560N.exe
Size

41KB
MD5

387dd85609fbc1c6957d0ae6031de560
SHA1

ad7709b6e9413db19ce8c59c69178e7c09c9ddc2
SHA256

eb73cb2d6b651342563e2e3dbca7eaa6d8fb656cb44b341500e17d70a595f3c6
SHA512

aecea133b6b77a06317b59a98f7980415c64cb87b84d63ceafbc810b6fd0841f3743bd2bc4a3cabced60e86210d366b5ad424c393fbe95a8d0bbe1d51a31ecec
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/e:AEwVs+0jNDY1qi/q2

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4420	services.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4376-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0007000000023498-4.dat	upx
behavioral2/memory/4420-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4376-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4420-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4420-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4420-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4420-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4420-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4376-35-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4420-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000c00000001e5ff-46.dat	upx
behavioral2/memory/4376-142-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4420-143-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4376-274-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4420-275-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4420-279-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4420-281-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4376-294-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4420-295-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	387dd85609fbc1c6957d0ae6031de560N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	387dd85609fbc1c6957d0ae6031de560N.exe
File opened for modification	C:\Windows\java.exe	387dd85609fbc1c6957d0ae6031de560N.exe
File created	C:\Windows\java.exe	387dd85609fbc1c6957d0ae6031de560N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 4420	4376	387dd85609fbc1c6957d0ae6031de560N.exe	84
PID 4376 wrote to memory of 4420	4376	387dd85609fbc1c6957d0ae6031de560N.exe	84
PID 4376 wrote to memory of 4420	4376	387dd85609fbc1c6957d0ae6031de560N.exe	84

C:\Users\Admin\AppData\Local\Temp\387dd85609fbc1c6957d0ae6031de560N.exe
"C:\Users\Admin\AppData\Local\Temp\387dd85609fbc1c6957d0ae6031de560N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CWF229A2\A24Z1XLW.htm

Filesize
175KB

MD5
f71a1d2cbf3fabee8ed69a901001dc72

SHA1
5ccf1f21d8b6ee61f7f2966c614376acf5cb0e06

SHA256
642e371ab318d240489d63d9da7357e41d92456bf9155a06638ad11b48973e5f

SHA512
435034cfe9231c30bde024b7ae0a24fa4caa85c73823d1f7c45e31ba236ef6553fb176e88578af3724f1c4862acc51dd5be0cb9cde5490314e410e45ada3761e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMLLHXYA\search[8].htm

Filesize
142KB

MD5
5ce8a94eaf9655ae6a9b36093562001d

SHA1
8da6a2f91d0e9b1926d2bae63be4dc917d8dd7e1

SHA256
17ef4e5b6a3c2dd173600aa7cc90397d8ce918e20c812a2da4dcf59ed67838fc

SHA512
76ced1908826326be6c39ae80cc546a9a5b4c17961e86783dd4fa5cf1e79d46676f85641083e228bb9e4205f548eaac37baed91d98aafc180fc5b59e0f928f8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q90VG4IN\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q90VG4IN\search[3].htm

Filesize
145KB

MD5
914716bea51b0a0bcf1842ae59642273

SHA1
826d6586a3e0e6c00bd2c11362d87d92d48902ec

SHA256
acff88f7403d3f3166b5a669cd56178395b435a0c57ff9595cef3f98143ed71f

SHA512
770a13a8e33bf31b49a5cecb94e92b60ff9aaf06650892ef95862d707eeecdcbbbe202e3a942ecdc969e6d55befc0d52326e4b1dc473355a348796270f2c57b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB1B9.tmp

Filesize
41KB

MD5
c05bcba29a1d0fbfd929e3a5a9294e28

SHA1
b6f57c3d0de378470dba1686b123e3118ca41d48

SHA256
7fac2e4de50c65e3ed2fd5953124ec1b976d3d7355dc7688dab192f268869ad3

SHA512
558c3279566a78224c6a6befd61155b60aa94a160615c5087fdd1ccad725f1f3092a6cfaf8f9a1659b41ebf63afe1d1f5f549a87d203ad87c434de25e6518f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
2cfa40014cc8afb2d5faee481a005807

SHA1
45df3739aeb0ec1607931884250605e4b226aabe

SHA256
1db53efc3126ad03d040815102bc10f5602c47129d26e953869629c05355015d

SHA512
a14d6d28450883e6c66fe1295b636184a14247403036730b52378b056cf654e68f2be6cfa3bd3ad458295ccbab28bba9c50f79f1344eecfe062eb9b072caa422

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
fbbef3a95b8610ccf8afde56f2ed54f8

SHA1
cc5e8738a65656b414e64da0967155565de17249

SHA256
3dcdafb56b0c6ee3a656a50093f69872f27cddd35615e36a86d1a249079d5dc5

SHA512
765731aadd1c737223b067b018819169c594549ae40b3cde4f89a668d728e84942ec5c1b3f546eba25a9dd695d64820d9ce88383e109db3e59dd382db16bec60

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
228a834b3680d4b3f84df7d49a61080e

SHA1
ad09ab380a7f83c7f222f06d8624f310ecbab8af

SHA256
b8fb70fa54bd6740f2068f173805cdae1a3bf5d13d72501122e1e1f4cec94902

SHA512
54783b9212691a6d7196e6f6c9ca3466b14727d3e79d2803445b92e3fb74edddcd4995234c5fc5d4121e5e57f16dcdc8bba0555ccf8448176d821dc822cde57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/4376-274-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4376-142-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4376-35-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4376-294-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4376-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4376-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4420-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4420-143-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4420-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4420-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4420-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4420-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4420-275-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4420-279-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4420-281-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4420-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4420-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4420-295-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads