b3009912e46d74ca0aa16b9292270cd6569fe73718d1ec338d367eff894cb81e

Analysis

max time kernel
120s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77814dece026f1ee88afb53a3ffe7ca0N.exe
Size

41KB
MD5

77814dece026f1ee88afb53a3ffe7ca0
SHA1

88307ad664f2f29177d97cec25ea35deea224ce4
SHA256

b3009912e46d74ca0aa16b9292270cd6569fe73718d1ec338d367eff894cb81e
SHA512

15fc31ae34d20f8c79c7733a2f0d0b50e88b6f877611bb2334284be2cff1becfdc4c27ebeb223595d76bec53acafc214ab8af7e62a3fc3bf81df5d6a147bfb35
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1516	services.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1220-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x00080000000234b6-4.dat	upx
behavioral2/memory/1516-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1220-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1516-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1516-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1516-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1516-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1516-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1516-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1516-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1220-42-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1516-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x00090000000234d0-48.dat	upx
behavioral2/memory/1220-164-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1516-165-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1220-264-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1516-265-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1516-270-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	77814dece026f1ee88afb53a3ffe7ca0N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	77814dece026f1ee88afb53a3ffe7ca0N.exe
File opened for modification	C:\Windows\java.exe	77814dece026f1ee88afb53a3ffe7ca0N.exe
File created	C:\Windows\java.exe	77814dece026f1ee88afb53a3ffe7ca0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1516	1220	77814dece026f1ee88afb53a3ffe7ca0N.exe	83
PID 1220 wrote to memory of 1516	1220	77814dece026f1ee88afb53a3ffe7ca0N.exe	83
PID 1220 wrote to memory of 1516	1220	77814dece026f1ee88afb53a3ffe7ca0N.exe	83

C:\Users\Admin\AppData\Local\Temp\77814dece026f1ee88afb53a3ffe7ca0N.exe
"C:\Users\Admin\AppData\Local\Temp\77814dece026f1ee88afb53a3ffe7ca0N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3WWFCFW4\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3WWFCFW4\search[7].htm

Filesize
118KB

MD5
b51d1ba4cc18a323f99a9f0e56831b22

SHA1
07c3d529c63c32b5d02cd83b4c4e407237e20afa

SHA256
7587b689908650b60af323557a200d209b59bd51b05d3ecf6f748d52c197eb3f

SHA512
fa85b86035a086d59febfef37534ee90b6a77767ac3a773f4645a652142314e79db2c7c8c93c9954490d9a7c998c91d95d056aa04fa86844254e168a3d7df263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1DWO314\0OFQQHS6.htm

Filesize
175KB

MD5
99ae6c8f4b73b430e3b2f5cc691e904c

SHA1
09576aea062049a011be720805e74cba9d841d97

SHA256
3b6f8f28b3af8ea54b0b4369ee373f080d65af1e21beeaccda467ff9f179a7d2

SHA512
b63fca76b1880361c854c89e3658a3f7e77f191a4f0a1bb2dca6bd8976e90736d0189015c32a78fefc601d4548b310cf68d380c54205091c4c6c3e2d63e51531

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1DWO314\LHGYERH2.htm

Filesize
175KB

MD5
00ad89c5fb918b28724a21ece3903b8c

SHA1
e4d9370d0f4688fc8721cc00e3d5494c4812ab5d

SHA256
56b26bb13b77f2b3cfac30ef9aecf1b0728e33dea620621c0fdc58664b623719

SHA512
24d322a69087fb0c985307930ff401e262f24f5e5a355382d8655d1612ff4dc551c4bddbbc705e6022c90809400e0a9f57984698cd1e2abcdb9b2778f0dd90cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1DWO314\search[3].htm

Filesize
121KB

MD5
360f36d924df1f0dc63c371c54eff41a

SHA1
64c905dadff7a2a49b9fa83a8d45dd24295a1b9a

SHA256
46830b63539a7bf49fc24a8daf2eac2c1d3ce513416b2afe85e280a68a26d6fb

SHA512
f6e7696686655f3fd0d9619550fcf84f8b4652db1e652932f5ce8356d22112b9c49c75943491d12d165b5f1c9d131c507b7f63902bd406ecd5630d7fb69502d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YFAWXPEZ\search[2].htm

Filesize
145KB

MD5
e7d99f97886c1b30274c2a95521a5da4

SHA1
f1a396d6cde018200da31dce9ff44f80670c91fb

SHA256
c1c700316449465513e5bb787fbfaf0522b70a8a5f81f168e33fa3043c751435

SHA512
ddf162b58cd3a5ffdb3fdc88bb727bd29cf3cfe425b68732ee059bb02360c268e9b0aaa30e2058b92e42edd1c1e2d47174090f42163991581bcc856c9eada872

Download Submit
C:\Users\Admin\AppData\Local\Temp\fopgsb.log

Filesize
128B

MD5
0d9db602f5dbae658a7145d5363c2c3e

SHA1
25ea497e86475d16191351e489be03a0dff1f1ae

SHA256
d0ded88f04865a51f5fdc75c51ffea44995c54d106b15b93c127db7a7984fd5a

SHA512
7bb671d8fb141ab9e2d9a4420971574d844a160a76f3f0d687c32eaae2f03cd2a63ed91fb935b999b3362f1ba0e7d42a3fbed4960cdafa92aeedb8d523b14eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFEBE.tmp

Filesize
41KB

MD5
00f3d85014dc2bcd3f1dfdc12c4590d6

SHA1
bb7b12265b181082f154ffee41469081364d3eaf

SHA256
dd05d143c3ed3baa5ad5850514b1b2fc63679c64e19617c3bab6507de686c5de

SHA512
a1039cd2f533afbb9f7704c4c0f62e457cea04acd80cec520fc766a48895ad8745d33e5c0157915bd1d9b13dd9b64816f75eb19f64c53a9d7ba0771e5292b9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
160B

MD5
86db039b3e9cb7df8ca3159913592183

SHA1
674c8abb849b272413b849cdaecc981d72fb2137

SHA256
2a0260ebc256e186c9fe61555022093e7118751c85fb0cb447709843f6a47363

SHA512
61c61adcafa434607b3a512b5192489c6d29be22fb9e4b7fcbf0957bad5bec75449e4a4a80a66ba6362dd5b86a222ace29b143195c2696d090b51bded759bcfa

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1220-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1220-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1220-164-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1220-264-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1220-42-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1516-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1516-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1516-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1516-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1516-165-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1516-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1516-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1516-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1516-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1516-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1516-265-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1516-270-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads