6d92a407d6e9cdd9b192ed6d44d605256d697853a70b4559161fb4ded5f003a0

General

Target

78c16c55c85f96d89832aa167999be4e.exe
Size

28KB
MD5

78c16c55c85f96d89832aa167999be4e
SHA1

724e8fc0f2f388b37a11b71672213e21d078d86a
SHA256

6d92a407d6e9cdd9b192ed6d44d605256d697853a70b4559161fb4ded5f003a0
SHA512

ac5b0cbd2dd4be2b6c448304fd91ac5ed02ca7eeeed0716651a20abf942a3ff804e597696d9932383829e6a7b4faf42889803dc6b603e5b9ed4c1a299e45af96
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNsGA4k:Dv8IRRdsxq1DjJcqfRGTk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3068	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2712-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000e0000000139ec-6.dat	upx
behavioral1/memory/3068-12-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2712-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3068-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3068-23-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3068-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3068-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3068-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3068-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3068-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3068-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3068-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3068-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2712-56-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3068-57-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2712-61-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3068-62-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-67.dat	upx
behavioral1/memory/2712-79-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3068-80-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2712-81-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3068-82-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2712-86-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/3068-87-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	78c16c55c85f96d89832aa167999be4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	78c16c55c85f96d89832aa167999be4e.exe
File opened for modification	C:\Windows\java.exe	78c16c55c85f96d89832aa167999be4e.exe
File created	C:\Windows\java.exe	78c16c55c85f96d89832aa167999be4e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 3068	2712	78c16c55c85f96d89832aa167999be4e.exe	28
PID 2712 wrote to memory of 3068	2712	78c16c55c85f96d89832aa167999be4e.exe	28
PID 2712 wrote to memory of 3068	2712	78c16c55c85f96d89832aa167999be4e.exe	28
PID 2712 wrote to memory of 3068	2712	78c16c55c85f96d89832aa167999be4e.exe	28

C:\Users\Admin\AppData\Local\Temp\78c16c55c85f96d89832aa167999be4e.exe
"C:\Users\Admin\AppData\Local\Temp\78c16c55c85f96d89832aa167999be4e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEC14.tmp

Filesize
28KB

MD5
592ae58d15c4c3cc317ac8408e23f2ea

SHA1
00389901ab572b98f70990bf0ede63159ef257f0

SHA256
05a36e44877f3317aac4bb453ac7f13a6265cb4cb524d8c8370a92a6dc1171dc

SHA512
d3bef2caa9418e49dd033395192f13ee99e633336360de3b17601a7f4977b4d2edcad1891cb2fac2124a3e08e3bc64d292e5162313850f082dae515452416d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymBX2kM6nH.log

Filesize
1KB

MD5
1f9232b16275b4f4cae2173934bcdeb1

SHA1
6b7005a8a72e569a6f5ea3e0674f4dc144b3feaf

SHA256
bff4a71ef0db5bd4e9179087dd0920cf59c3f0b25aa9ada17152b36025d04946

SHA512
26287e8e89d3e23e1d20d6b7ff16e81698de94f22a60af3c669cc8f8fef2eba736cc3c0060175499780a7426ade3172d539ba1fe6ddbc1f87228e14532c9aec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
d055ce58ad2b5342675d008fecce23f2

SHA1
3075122a076f1f041c1f55d0666962c304fa1ec0

SHA256
7784298b1a4e4c98b73e3b7ea770772e8d601c243af9d50ee4126685f978ae36

SHA512
7a09f254a2712be71f4e8832083228ffb90bb7a2c4746b0d10ad99dfd9bea2e4351051eb06c8885f9675f95e4ab1ea8e4e0b8d3472bafbd766b48bb3adca6327

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2712-10-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/2712-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2712-81-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2712-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2712-24-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/2712-25-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/2712-79-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2712-86-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2712-9-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/2712-61-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2712-56-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3068-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-80-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-82-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-12-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-87-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads