875e70d75af9f9b9793f5750c1f72a567bf04f5f90d0b9181b22adee71b64765

General

Target

e59c10ac40ed4a3303ee92e1df7644d7.exe
Size

29KB
MD5

e59c10ac40ed4a3303ee92e1df7644d7
SHA1

aa22bb25477048c28d281c7a88f930daef31af56
SHA256

875e70d75af9f9b9793f5750c1f72a567bf04f5f90d0b9181b22adee71b64765
SHA512

90811fccd5ba44643b988345ef29008c88a5ad7ce278a81aa8c66b5651e6b8370b741c4c884572abd06d1389adc1da0f51cc4d11cd98b836dfd50d5ea35237ed
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/p:AEwVs+0jNDY1qi/qR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4984	services.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4616-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0007000000023214-4.dat	upx
behavioral2/memory/4984-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0007000000023214-6.dat	upx
behavioral2/memory/4984-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4616-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4984-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4984-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4984-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4984-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4616-30-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4984-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4984-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4616-37-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4984-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000700000002323b-51.dat	upx
behavioral2/memory/4616-95-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4984-96-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	e59c10ac40ed4a3303ee92e1df7644d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	e59c10ac40ed4a3303ee92e1df7644d7.exe
File opened for modification	C:\Windows\java.exe	e59c10ac40ed4a3303ee92e1df7644d7.exe
File created	C:\Windows\java.exe	e59c10ac40ed4a3303ee92e1df7644d7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4984	4616	e59c10ac40ed4a3303ee92e1df7644d7.exe	21
PID 4616 wrote to memory of 4984	4616	e59c10ac40ed4a3303ee92e1df7644d7.exe	21
PID 4616 wrote to memory of 4984	4616	e59c10ac40ed4a3303ee92e1df7644d7.exe	21

C:\Users\Admin\AppData\Local\Temp\e59c10ac40ed4a3303ee92e1df7644d7.exe
"C:\Users\Admin\AppData\Local\Temp\e59c10ac40ed4a3303ee92e1df7644d7.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VH9W14NQ\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE452.tmp

Filesize
29KB

MD5
3a0fd552a586bc58f2967b0081a39144

SHA1
9bb03f884eae1de2030693eeb7399f3b4fecc1da

SHA256
d1b85e6cd3b61f34d610a039fa763be887d06f9a9388fdfa8045b2e52613abc5

SHA512
93a0bdb76897dada6409e0e7c87c630b58d07010f32d49e947d519e7c5049f78a2431bb6ea9d5e42fdd7c0584e500420a7870ae4c2155672daf8c6a7aa491c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
f5d107e525d31efe9071fe1c92ae081a

SHA1
b5e19c95fc820318eca8a82c4d6c8dc9087302ea

SHA256
e65135e8660c703b500b6275c8bbb05d871cf912879ba0937473383403be34db

SHA512
b6d2987539b5e22cff37be68bfa5fbe3633e46eb0ec61d1df6a512fb9c7f85be559d9bfdd19de3e1301e28a98fb9b57965b8b14c2eb3a94e1c84d9520dcc6cb2

Download Submit
C:\Windows\services.exe

Filesize
6KB

MD5
de61db1a7c486fe8a01e05562655634d

SHA1
e751f409cb4a60a34b3d9e03c645bf8bff320b13

SHA256
66093fed46e4f4db2b892075fd4a0f6c06e4896d2ed69f3dad8bbb2bccc96aec

SHA512
0bc14996c51ce06a14528676122f3c400d2b99ddbe7620bc8c1eae4aa8f66a90931ee48f63275d9bbce60c1cc177356e6c48305234ed0402cff8cd5ce50e9957

Download Submit
C:\Windows\services.exe

Filesize
6KB

MD5
d073ee16ad5287b1f5f78edc643f267f

SHA1
657a8cd4f4f1ea1a70ade9ff6ba8278e59fd181c

SHA256
77beb05428a41ef827e77ee5af11dc7cbd62f53a4488db334b8794cd6b185edd

SHA512
25099bfb961b885fcc0223e9a0c570feaadd3cda0f67a3733b0e63f3cc8e3f542185bb3a013cca6f438385e145e4771ee8a62d7c69e76509638a8835ea545481

Download Submit
memory/4616-30-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4616-95-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4616-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4616-37-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4616-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4984-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-96-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4984-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads