7f913dbddc0a7f5ec51c49a3fc44db218e70708014ee9afb6b702e4a859a68a1

Analysis

max time kernel
120s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ac0e99ec73d37b4d1628493f5ea0d30N.exe
Size

29KB
MD5

7ac0e99ec73d37b4d1628493f5ea0d30
SHA1

ea549e3dbd0503a5b56c40878323df65453ecdd9
SHA256

7f913dbddc0a7f5ec51c49a3fc44db218e70708014ee9afb6b702e4a859a68a1
SHA512

0e8904745c3b074d195e17f27688d4a21f7dfa6885f2cacab6a1f2146f1ad2c5571488dc2a365e2cb1383092f1cb27a3f7aa919914ce682b80f47aec614c3247
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/xP:AEwVs+0jNDY1qi/qF

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1480	services.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/536-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x00080000000234d4-4.dat	upx
behavioral2/memory/1480-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/536-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1480-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1480-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1480-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1480-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1480-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1480-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/536-36-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1480-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000f000000023415-47.dat	upx
behavioral2/memory/536-92-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1480-93-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/536-231-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1480-271-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/536-297-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1480-298-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1480-300-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/536-304-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1480-305-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	7ac0e99ec73d37b4d1628493f5ea0d30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	7ac0e99ec73d37b4d1628493f5ea0d30N.exe
File opened for modification	C:\Windows\java.exe	7ac0e99ec73d37b4d1628493f5ea0d30N.exe
File created	C:\Windows\java.exe	7ac0e99ec73d37b4d1628493f5ea0d30N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ac0e99ec73d37b4d1628493f5ea0d30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1480	536	7ac0e99ec73d37b4d1628493f5ea0d30N.exe	83
PID 536 wrote to memory of 1480	536	7ac0e99ec73d37b4d1628493f5ea0d30N.exe	83
PID 536 wrote to memory of 1480	536	7ac0e99ec73d37b4d1628493f5ea0d30N.exe	83

C:\Users\Admin\AppData\Local\Temp\7ac0e99ec73d37b4d1628493f5ea0d30N.exe
"C:\Users\Admin\AppData\Local\Temp\7ac0e99ec73d37b4d1628493f5ea0d30N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9X9HPJHY\KC73N72U.htm

Filesize
175KB

MD5
732e7b044e66c78e46ea2d1a85e248dc

SHA1
52d4cba7923a4738d082433ba421606202a85d1e

SHA256
676f258e7347daf118683afb55a298a38c285d40f03852f0897476bf30aa852b

SHA512
d1ff548ae95b111c848274c07f8f2a3dc931b93a8fc44c718657b61a7411df20b2cc4bde93517110ab6e90ebb573c3aae8bf22f696e3231238723f83ec0f5990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SN5O4Q15\search[4].htm

Filesize
133KB

MD5
7f1fbc51acaf41febcb5a748dd50cf54

SHA1
d553ff5192f4102c37348260ec8a0982469a8a71

SHA256
2086696388bd0483f1b69d41fe28ee9dd8719576ee187fa89335b3d6c0a900fa

SHA512
dc48804eaded0d66e640ce6301e3c903a52ed64ea5018b72ee1304514d137350736be35a508029e728138e8b9852a730f29096c721e9e86d1d8789764b31e502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SN5O4Q15\search[5].htm

Filesize
124KB

MD5
b174554c3c63ae2004cb26ae0f9da35f

SHA1
22aa461823d8f56eae744f205e78ab1d77931baa

SHA256
c990d8543605e39720e2d5316a455a4c13a378104a48c9ecddd3f265cf218f1d

SHA512
fa6849be87ec380a70ebe5d39b20ecb4a51cd2c408f534df7f6d0d5a30a93516a96f20cd8774bd3cf5948b119ccfa4451599cb00d0af1e675340de83efe0cf95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W4K3IOC2\results[1].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W4K3IOC2\results[3].htm

Filesize
1KB

MD5
35a826c9d92a048812533924ecc2d036

SHA1
cc2d0c7849ea5f36532958d31a823e95de787d93

SHA256
0731a24ba3c569a734d2e8a74f9786c4b09c42af70457b185c56f147792168ea

SHA512
fd385904a466768357de812d0474e34a0b5f089f1de1e46bd032d889b28f10db84c869f5e81a0e2f1c8ffdd8a110e0736a7d63c887d76de6f0a5fd30bb8ebecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W4K3IOC2\searchMNMZ0V39.htm

Filesize
162KB

MD5
4b36570e0f66163b178644022fb348fa

SHA1
f6965b2da40c8ef337798596768737575333b5e3

SHA256
dfa140c256f801bbeaefe42eeeb9f2bc691d7e2a7d812088698803b69db223d3

SHA512
b57ae8ca6ee746d0a2959f5486c8f4bdf59b05e4f72c8b2942d61123d00b5ff8e36620c05151f63b8695fa8dfda0cc2fbd67f8d298ff9ab86061f5d96677d5e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W4K3IOC2\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCFB1.tmp

Filesize
29KB

MD5
7ac0e99ec73d37b4d1628493f5ea0d30

SHA1
ea549e3dbd0503a5b56c40878323df65453ecdd9

SHA256
7f913dbddc0a7f5ec51c49a3fc44db218e70708014ee9afb6b702e4a859a68a1

SHA512
0e8904745c3b074d195e17f27688d4a21f7dfa6885f2cacab6a1f2146f1ad2c5571488dc2a365e2cb1383092f1cb27a3f7aa919914ce682b80f47aec614c3247

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
d9d34144461d45a9a6c9f776a093076f

SHA1
7ed74910327b4d32273cc0bef3903608205f7a27

SHA256
1861a08d974dd41b362d77e839c52c9888a621466fd3cececacedbfd6889b8f2

SHA512
b8a5b9cddaa7bcdf7882eb6e4119a52e38eab2034ef2fe3c5e921c67213df4ea3cd1ed94b28bb0733b5c2eaf0695f9413c96c9a552314a383d40d61cd0b46059

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
c8ba5da83bad462088381da152c525a0

SHA1
39286276195a80c28107d81e50872c1b1583aed2

SHA256
1ce450e3921e971d76fa8481cbb74d4c40d9754d859fdf79bc71b69fabb50bf9

SHA512
7961ce3f47a3eb8c86edc88ff4b21bea947a98d9fb764647f5bbb15dbbbb1ee35253336756d801be9d56a2b3d33d66222c1c6cf3ddbbe34b74effcbe41457602

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
155086e38f639cfdc9c06887295c9151

SHA1
f1275edc16c3fcd885787074630ab84a45e62b00

SHA256
f426c4bdcd6ac423ba06b4a146e87ae76e2cd43d6429048afe5efccee5514702

SHA512
b51e03b0477b0ad5d019de99effa03388b1371a1e19d2ba4e389c73d256a31798275dce8b506413533a8f04f3648d6e27fd3cf4e563351e3717afa5d67277b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
9ae9dca5e040b8b5e088083a4f569c2c

SHA1
77b4677a043e92a84f55028842500577baee1f9a

SHA256
91cfb3219eb557f205982f5e29f904f21cd8234ad5a7a1b7fe8547628bd3a66c

SHA512
79e5515a455134cda5e49a217ce448ec340f53234d3e9932bfb671931fd050439c9d8cc50e98a50b8f810876fcd4baead32311191ccf1f218e68e785183b3679

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/536-297-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/536-231-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/536-36-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/536-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/536-304-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/536-92-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/536-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1480-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1480-93-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1480-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1480-271-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1480-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1480-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1480-298-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1480-300-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1480-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1480-305-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1480-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1480-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1480-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads