5a7f6dd05ab47abdcd206ef0354f4db03c2b222a0ce4a2ced61275fd0bbc2754

General

Target

9b57f0da36f696f084f77117e90e06f9.exe
Size

28KB
MD5

9b57f0da36f696f084f77117e90e06f9
SHA1

c3c83a8f23aea7b360252f01a452b9db2209e153
SHA256

5a7f6dd05ab47abdcd206ef0354f4db03c2b222a0ce4a2ced61275fd0bbc2754
SHA512

e1c4a6603fd8a86215dfe43da61aa0b53e11917b0387a9dcd9aab51041c419754235c155219f7ec506cef096ee82f0e8c940dee8d45fa18bf7c0819ad46306d5
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNzv+C:Dv8IRRdsxq1DjJcqfMv+C

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2236	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1364-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1364-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000d0000000122c2-7.dat	upx
behavioral1/memory/2236-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1364-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2236-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2236-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1364-23-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2236-29-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2236-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2236-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2236-41-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2236-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2236-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2236-53-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2236-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1364-59-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2236-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1364-64-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2236-65-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-75.dat	upx
behavioral1/memory/1364-83-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2236-84-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1364-87-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2236-88-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	9b57f0da36f696f084f77117e90e06f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	9b57f0da36f696f084f77117e90e06f9.exe
File opened for modification	C:\Windows\java.exe	9b57f0da36f696f084f77117e90e06f9.exe
File created	C:\Windows\java.exe	9b57f0da36f696f084f77117e90e06f9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2236	1364	9b57f0da36f696f084f77117e90e06f9.exe	28
PID 1364 wrote to memory of 2236	1364	9b57f0da36f696f084f77117e90e06f9.exe	28
PID 1364 wrote to memory of 2236	1364	9b57f0da36f696f084f77117e90e06f9.exe	28
PID 1364 wrote to memory of 2236	1364	9b57f0da36f696f084f77117e90e06f9.exe	28

C:\Users\Admin\AppData\Local\Temp\9b57f0da36f696f084f77117e90e06f9.exe
"C:\Users\Admin\AppData\Local\Temp\9b57f0da36f696f084f77117e90e06f9.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\roa8y.log

Filesize
1KB

MD5
3f262392b35fc435c346bc71d2d4ae98

SHA1
f13349c25d8e037c7f5d1f0c5c51f0a361c94014

SHA256
28c76ce287799b8a6c75b41312021accf4372fb4256184e577825fddea9a2dbd

SHA512
be25ce92057b8c49ff0dcc3f06916fa011ea5e4aae6421b3fb1aedeb37e30a105fe0465f00b9513cdf9570fb119ffd48db11f82df94c3214771d023825482d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1103.tmp

Filesize
28KB

MD5
8ea70e3e69ad93c8275f53970f7ead7f

SHA1
2ef3c3b0a8f5718d9b9c1fe6fd855f0876bd8bb5

SHA256
1329ba63f2683e022c9fe6ff97929f9f3b4bb58e40ab1642a1f9b2614660b2d2

SHA512
0055a2f51dfe3212a17e4ef4a590f64ffc531fc64f5007b0ac1f244409346e3179d2d7fe1fd1c6f4fb41c900f1b744f94f0898b780597535dbc3eab8fbc85aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
b7e2a23d160462824d3778cbdabdefda

SHA1
046fe30ec39c1622a6e0f1ca45762f9ca89ea447

SHA256
ee512c22d9e22bfc698115085aabc720104204f2e821688abbe7bfc49b785dc5

SHA512
c0917e8e991b3a176f747c946d94d95e9aa7217982460e3bba9ba6eeead1c070ed274972c43552952dde201b67a2c49c7635c9efc4edcb3d9b4c5b50dfd99884

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1364-83-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1364-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1364-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1364-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1364-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1364-87-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1364-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1364-64-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1364-59-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2236-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2236-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2236-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2236-53-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2236-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2236-41-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2236-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2236-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2236-65-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2236-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2236-29-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2236-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2236-84-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2236-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2236-88-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads