25cde21d4af68b0c02e82e0970546d7676b49cf5571ee31a0a8f5fc993102b73

General

Target

7e1dc6c1672136881d28b29f6099d3cf.exe
Size

40KB
MD5

7e1dc6c1672136881d28b29f6099d3cf
SHA1

7201dc4c68729aa2f6ddf957d58b22d6a1872e32
SHA256

25cde21d4af68b0c02e82e0970546d7676b49cf5571ee31a0a8f5fc993102b73
SHA512

7f2652c97121922e6b8392093f55823256345baacdd95eb8381f3ef4b02a595935cdfb087dd2d1d0b93160f30aab8e95f13c52d3efc84a0529d3d0ee6cb2d2ad
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHQ/A:aqk/Zdic/qjh8w19JDHv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1772	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023130-4.dat	upx
behavioral2/memory/1772-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-202-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-203-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-206-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1772-210-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	7e1dc6c1672136881d28b29f6099d3cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	7e1dc6c1672136881d28b29f6099d3cf.exe
File opened for modification	C:\Windows\java.exe	7e1dc6c1672136881d28b29f6099d3cf.exe
File created	C:\Windows\java.exe	7e1dc6c1672136881d28b29f6099d3cf.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 1772	208	7e1dc6c1672136881d28b29f6099d3cf.exe	84
PID 208 wrote to memory of 1772	208	7e1dc6c1672136881d28b29f6099d3cf.exe	84
PID 208 wrote to memory of 1772	208	7e1dc6c1672136881d28b29f6099d3cf.exe	84

C:\Users\Admin\AppData\Local\Temp\7e1dc6c1672136881d28b29f6099d3cf.exe
"C:\Users\Admin\AppData\Local\Temp\7e1dc6c1672136881d28b29f6099d3cf.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L3T8W3B4\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M8F18HYR\PK0AFICR.htm

Filesize
147KB

MD5
33515692a1204f106af308bf8615dd39

SHA1
234d6a9829a906c3ff14baa730841d0d3acadb6d

SHA256
22201b72a7ed50cde34e482375777bd8740960535bdeea97c875b1e280672645

SHA512
1ca769abc3fcebc104283f0bc8db923fb89e778da6f309973c20a2c2cb1356ef756c68d1f4ac45bf63326b253c9c1ae3d5fd5849c4d204467a589aaf0b2e871a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WHUIQOC9\UJ51498X.htm

Filesize
147KB

MD5
21ecd9fde3de93fce2027f890faa7e60

SHA1
76f378a621e14ae104815ef4643df89c619e9a26

SHA256
5430dcb3b54106ad493f9b144fb3dde190402da0d470f4f18e39f3ea3b263330

SHA512
41488179a952daf02d2522eb64aea6ca9e915bea67afad19f9f571e0a31f6e71b8a935f1aec07fcd2699c12f115b96c5be00a21036a2e378a63f72d67fcdbd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp35BE.tmp

Filesize
40KB

MD5
38fd5009778be0c5fa3cd1a7a4d72cf8

SHA1
a3563a2a02041263e783b6bc2c6e919c9ea6c20c

SHA256
8121cf75a216213a29f3292f992f15a978c72f515b416a75be8cf295c8f85e42

SHA512
6a392d9175f413621e2c15fa229e9c44eecfd0549d4beea522d54345b69eef8cee3047002e7c0bc98460fdc3e02ae54f2a8fcf2c9f75a7207954716224cdc3a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
a9de4c95ab2fe7a6c8d4f41774c0619c

SHA1
ba2c41eb2a13ffbf96a043532a88ca9d9d95508f

SHA256
64989be07098bb5b3b5c11cb7a4cbb599dd5662912e095817c44638a6a286d51

SHA512
193d336a28e1b179e91d68368948da67bac7e77b3fce789b1fdd5feb9dbd3b33ed81a4170dd73a055323074de14007b531a5d8460e2ece628113077979bc70a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
72f0d3eb69156887906262ba57a6622a

SHA1
961708be2b3d953d214dd4adad8d1a22d495c080

SHA256
3b51c59d774df172800cb49e8f5bc5a8a7ea25113f2b42f17f13e762ffec29c6

SHA512
1a2add0e19a929b5b1018ee66f30f70ed977a1efc251c62124b7cc59212998c326752e517b87e4f559420a6cc8dab6ca6885fe4b61e0a2126fe4477c24ae4f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
25258ed6de7f8ba99d4bad96dc4b9e33

SHA1
02d6d90f7b593bb0a0dc6194b1e757f2cf49d748

SHA256
db76d94161f19548bd466f0f2f76e6135f90475bdabd09bb66d8d3ad56d17dba

SHA512
204197117ce3be656852d26ac18bf38d4c94e74c32c952950df36b82b429ddc42a24b1dac3340ad9abab81c70e74e4f77935c41647e068f920743d843be2c010

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/208-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/1772-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-202-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-203-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-206-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-210-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1772-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads