bee98e6d577fbcf0422f0fa2649d0f1aacfeacf20b14f7d80d426fd950aec93b

General

Target

fe6a93370addc8d5b7fb3698e7211b3e.exe
Size

40KB
MD5

fe6a93370addc8d5b7fb3698e7211b3e
SHA1

311b70c53191446d7183f97f7d662e5973c9f73d
SHA256

bee98e6d577fbcf0422f0fa2649d0f1aacfeacf20b14f7d80d426fd950aec93b
SHA512

8ae17665f69ce5b5c63ff2cdff18a240d04bc849dfd20b9c2ebadacf256b20fdc790a89ee7af1067dcb644661782a9dbe0115c7e7af72a8c5714406e0e5c4a2a
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtH+XWDC:aqk/Zdic/qjh8w19JDH+XWDC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1772	services.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1772-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-120-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-146-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-147-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-151-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	fe6a93370addc8d5b7fb3698e7211b3e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	fe6a93370addc8d5b7fb3698e7211b3e.exe
File created	C:\Windows\services.exe	fe6a93370addc8d5b7fb3698e7211b3e.exe
File opened for modification	C:\Windows\java.exe	fe6a93370addc8d5b7fb3698e7211b3e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1772	1248	fe6a93370addc8d5b7fb3698e7211b3e.exe	18
PID 1248 wrote to memory of 1772	1248	fe6a93370addc8d5b7fb3698e7211b3e.exe	18
PID 1248 wrote to memory of 1772	1248	fe6a93370addc8d5b7fb3698e7211b3e.exe	18

C:\Users\Admin\AppData\Local\Temp\fe6a93370addc8d5b7fb3698e7211b3e.exe
"C:\Users\Admin\AppData\Local\Temp\fe6a93370addc8d5b7fb3698e7211b3e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp54B5.tmp

Filesize
40KB

MD5
ce44e6c86720a7a9fcbeed9e414de1fa

SHA1
94f7855c803f2977cad97500ff278f1f656eb777

SHA256
7d255ee3f03267dd436fec05220c42ebc7150726b02f8dcdf270edee86aaa3e8

SHA512
1280c07d00d2c11c38248d0586bc3ef5f98e2759833d21e11a7288e1f235b11c6c52a2aae9c62732446786f559fe3d50a89c25ca9a2d0aa05b91de3379a29bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
344ec6a253f48adae43da3aea4bc88da

SHA1
eff4678c5563239107c65a9aae4ce74179802f46

SHA256
9886f6dfc121145a7beb6599c4c6b38498e13b5ebfa0e7a2280630f2bbda5671

SHA512
0a7ae88db02982aa01994b75a22ad1597b6b7a98c9a0fa5deb2f869939e62eddd793429a99c016a52d5f9102df0be18bca51b5673fd7575f6678be34dee5ab6a

Download Submit
memory/1248-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/1772-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-120-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-146-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-147-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-151-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-188-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-227-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-263-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads