af580ef64c6119dbf780556ed6ccfbad172797243e93025166f9b7cb1d4c02b9

General

Target

1fd8180ec205daa3b04d0c717317e09d.exe
Size

40KB
MD5

1fd8180ec205daa3b04d0c717317e09d
SHA1

0c53f50044424c337cd6ea506824c33fbc88bc56
SHA256

af580ef64c6119dbf780556ed6ccfbad172797243e93025166f9b7cb1d4c02b9
SHA512

063321b025cae58382dfb67cb60f58576666e872538a33ca370d33ad12f60629f1f14e3242149a3638ca5ba2b4ae1ae29e6b5329aa0c7dae72a622b409e79c20
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHeFJS:aqk/Zdic/qjh8w19JDHiS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2376	services.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012270-7.dat	upx
behavioral1/memory/2088-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/memory/2376-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2376-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2376-23-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2376-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2376-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2376-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2376-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2376-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2376-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2376-58-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2376-59-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2376-63-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2376-67-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2376-68-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2376-72-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	1fd8180ec205daa3b04d0c717317e09d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	1fd8180ec205daa3b04d0c717317e09d.exe
File opened for modification	C:\Windows\java.exe	1fd8180ec205daa3b04d0c717317e09d.exe
File created	C:\Windows\java.exe	1fd8180ec205daa3b04d0c717317e09d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2376	2088	1fd8180ec205daa3b04d0c717317e09d.exe	28
PID 2088 wrote to memory of 2376	2088	1fd8180ec205daa3b04d0c717317e09d.exe	28
PID 2088 wrote to memory of 2376	2088	1fd8180ec205daa3b04d0c717317e09d.exe	28
PID 2088 wrote to memory of 2376	2088	1fd8180ec205daa3b04d0c717317e09d.exe	28

C:\Users\Admin\AppData\Local\Temp\1fd8180ec205daa3b04d0c717317e09d.exe
"C:\Users\Admin\AppData\Local\Temp\1fd8180ec205daa3b04d0c717317e09d.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp909E.tmp

Filesize
40KB

MD5
ffed7b035deffb18071ea9ee4eba1e5f

SHA1
9391b99cc0daa5ed60395d2b3f5e6a5a50fbd95e

SHA256
1813373ac2ecbd457de29316e172942288194e0a20d2937b24bcedfbdea189f6

SHA512
2ea26f04690b10678791906be0278e90ae83c346504f197c0285267eb76e03375fea29f6b75e8d2504c6c12c5bc02fb910d6dd5374c383fb47953bf672d130e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
d3412cb9205371483438151f96ffe00d

SHA1
52d8d0382d1185fd4dfdefb6862ced01f70ce51c

SHA256
b91acbef416a566a6cdfcb67f90279747f72bf5c03df8a805b4b6232d1558e2d

SHA512
fc1fb85423a666dbc4002ac872b09549b965ba17f43397c497662514b5b888b86d3b87ca1a1b63a12508f85dc1755cc8b1941ec9736fdab7f8c76747eece6c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
d634e12d43a9e359208ac53a568e3028

SHA1
e41b40921644e452af213a4a74090a00c8bfebcc

SHA256
2101b06953f72bd961b072f09d602774bf990ae2cb7a752b3e0950faae34603e

SHA512
ceea8e1eb8833ce48eb93175d81110ceb443e1103a26f692d44c565a050133d5b1d8ba904556b7249f686c425a15fceeaefb55e82fa869e3746cf2a3364822c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2088-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/2088-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2088-9-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2088-21-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2088-22-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2376-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-59-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-67-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads