9e8e0d036c7f457a147b93a3f6334032bebabdf7843568231929e0e08f68ebb6

General

Target

33846b1b52ba0d548750a0a01c829291.exe
Size

40KB
MD5

33846b1b52ba0d548750a0a01c829291
SHA1

1cf387f0d21f778953447884bd316a94617fe471
SHA256

9e8e0d036c7f457a147b93a3f6334032bebabdf7843568231929e0e08f68ebb6
SHA512

d636f1de591f202940dadcb8fd9ef0552a81bc80b7421427880eb1e3a480d0e7921e32f619654b444e2faff7c53ef87fc2c49917675a2e6e1bc2087931041214
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHqb:aqk/Zdic/qjh8w19JDHqb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2824	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2824-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000d000000012353-8.dat	upx
behavioral1/memory/2824-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2824-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2824-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2824-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2824-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2824-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2824-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2824-41-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2824-61-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2824-62-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2824-66-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2824-70-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2824-71-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2824-75-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	33846b1b52ba0d548750a0a01c829291.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	33846b1b52ba0d548750a0a01c829291.exe
File opened for modification	C:\Windows\java.exe	33846b1b52ba0d548750a0a01c829291.exe
File created	C:\Windows\java.exe	33846b1b52ba0d548750a0a01c829291.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 356 wrote to memory of 2824	356	33846b1b52ba0d548750a0a01c829291.exe	16
PID 356 wrote to memory of 2824	356	33846b1b52ba0d548750a0a01c829291.exe	16
PID 356 wrote to memory of 2824	356	33846b1b52ba0d548750a0a01c829291.exe	16
PID 356 wrote to memory of 2824	356	33846b1b52ba0d548750a0a01c829291.exe	16

C:\Users\Admin\AppData\Local\Temp\33846b1b52ba0d548750a0a01c829291.exe
"C:\Users\Admin\AppData\Local\Temp\33846b1b52ba0d548750a0a01c829291.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:356
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab577D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp60F7.tmp

Filesize
40KB

MD5
56a8ed5be3ff4f08339e4381a3509bf8

SHA1
632bac0f2e2277545ffe71e62589e248f67d7578

SHA256
eaa2de7e0b604fca181098820f3f63530c42c4c0aa886f7bc955f9602ca64a41

SHA512
802878179b1c57326e7f4488a2821a68d5de87ff2bb090fd0cacbf093b663719fce7a66dd263920c57b25d4d530d12a0b22be748b5c3160ef26dfcef618b2219

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
95e85e891a2da5b12052ff99b08b45ed

SHA1
f9c7f3371305f9cbcb54122a874ac4c16ec826ce

SHA256
51555eaf625f6e0fed178d4de456bfa4b6b040bdb0f2e464f59f61a5205ef543

SHA512
ca174890929326a69f0eb6458b55c644793ae8e10528c0d93e21af3d51dee41e76895a39a575ae7a288e224c920d028be5435f0b941a9d6581a62fcaed0a81a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
7baafce5413a3d2cae8b3e86c94c9880

SHA1
b3f3324f03c8e5bff85c7f5da352e78bb3f5b98b

SHA256
c4b88a5322bec92af0dbcea54efb57fc2e2cea38f7827239e6a6c6ffefa5333c

SHA512
66cb23132016e9ca096f68bb5f5f6819ac3b784f421dc811b4e6ee2d11d22a41d92a46300315802b67dc585eb4e07cb2abd010d4e009080573612e04089c15ed

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/356-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/356-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/356-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/356-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/356-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2824-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2824-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2824-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2824-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2824-41-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2824-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2824-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2824-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2824-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2824-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2824-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2824-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2824-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2824-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2824-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads