4d99633e3b304e00e8913e0a9637322aa54b0e161b33ec45b172caa3a9891e8e

General

Target

6c16e5780ffd51afc4426f266cc35fb7.exe
Size

40KB
MD5

6c16e5780ffd51afc4426f266cc35fb7
SHA1

87107bb2959a9b67555a402a7eb20d664f611d82
SHA256

4d99633e3b304e00e8913e0a9637322aa54b0e161b33ec45b172caa3a9891e8e
SHA512

021a0ea45dd576010a29b6abd0c064c45fb78df45f8d6342ce5aeeb24100b0b24285c2084b727a3560497a0f81b71d5b4efd08d416ae993c9509af21b5cba141
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHQM:aqk/Zdic/qjh8w19JDHQM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4880	services.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4880-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0007000000023219-4.dat	upx
behavioral2/memory/4880-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4880-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4880-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4880-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4880-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4880-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4880-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4880-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4880-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4880-107-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4880-133-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4880-171-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	6c16e5780ffd51afc4426f266cc35fb7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	6c16e5780ffd51afc4426f266cc35fb7.exe
File created	C:\Windows\services.exe	6c16e5780ffd51afc4426f266cc35fb7.exe
File opened for modification	C:\Windows\java.exe	6c16e5780ffd51afc4426f266cc35fb7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 4880	3668	6c16e5780ffd51afc4426f266cc35fb7.exe	90
PID 3668 wrote to memory of 4880	3668	6c16e5780ffd51afc4426f266cc35fb7.exe	90
PID 3668 wrote to memory of 4880	3668	6c16e5780ffd51afc4426f266cc35fb7.exe	90

C:\Users\Admin\AppData\Local\Temp\6c16e5780ffd51afc4426f266cc35fb7.exe
"C:\Users\Admin\AppData\Local\Temp\6c16e5780ffd51afc4426f266cc35fb7.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BP0ZYM9B\default[8].htm

Filesize
313B

MD5
ffb72ab4faba49ad441ce07db37dd8b6

SHA1
194e13c1c32ebb6e7a1dc912261cbd58a82ff71e

SHA256
7bd7c3676e98ddde8e0d5b63dd22cb9379d975bcd1d68884c97565cdd8d03660

SHA512
517be20d2442489ce39b48dc7f9f6f13f8c45d02703fb1865071f553d36b2289f5abc26c6089fc0bfad1a41fe318bf4b5a806915c5e45898ac744b7e4ed30257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VH9W14NQ\default[1].htm

Filesize
312B

MD5
5431b34b55fc2e8dfe8e2e977e26e6b5

SHA1
87cf8feeb854e523871271b6f5634576de3e7c40

SHA256
3d7c76daab98368a0dd25cd184db039cdd5d1bc9bd6e9bb91b289119047f5432

SHA512
6f309dd924ba012486bcf0e3bafe64899007893ea9863b6f4e5428384ad23d9942c74d17c42a5cf9922a0e0fd8d61c287a2288a945a775586125d53376b9325c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE388.tmp

Filesize
40KB

MD5
06caad9200e4f2a82cd8d3a1a239c51b

SHA1
eefd2378a35ca496266b1a78b7c8d9671520a39c

SHA256
225920bb9a7cab967e881542eb3818a3ed57b285f35514cfe8713793cbf1e2a5

SHA512
56998ebee4b5fba211a007fd4a7ae3d813024d52e3e46cd762db0405e14eebc6824c9be483852349f2d69d8b7efe67682d4d752a02ea8ea1fb056f94e170890f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
b0edb1c04b457d49c68577db40a4a983

SHA1
401145505a3bd97d9125a9aded70116e9ac810e7

SHA256
571dc8ba7d41dcaae138bf3677d34a10088e58c59d8532d20744d82d62510f97

SHA512
7e591f059d7015c4a2b8166bcf0cc9b322ada8f3d7b3696ce2e76eb1bb0b19a6ccd8e4d4199d3cec7b6853f034933b33c47786fcc1a91f6592d7be5d96d8a014

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3668-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/4880-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-107-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-133-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-171-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-204-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-225-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads