5a7f6dd05ab47abdcd206ef0354f4db03c2b222a0ce4a2ced61275fd0bbc2754

General

Target

9b57f0da36f696f084f77117e90e06f9.exe
Size

28KB
MD5

9b57f0da36f696f084f77117e90e06f9
SHA1

c3c83a8f23aea7b360252f01a452b9db2209e153
SHA256

5a7f6dd05ab47abdcd206ef0354f4db03c2b222a0ce4a2ced61275fd0bbc2754
SHA512

e1c4a6603fd8a86215dfe43da61aa0b53e11917b0387a9dcd9aab51041c419754235c155219f7ec506cef096ee82f0e8c940dee8d45fa18bf7c0819ad46306d5
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNzv+C:Dv8IRRdsxq1DjJcqfMv+C

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4800	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2444-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x000800000002320f-4.dat	upx
behavioral2/memory/4800-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2444-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4800-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4800-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4800-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4800-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4800-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4800-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4800-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4800-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2444-47-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4800-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2444-49-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4800-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0004000000000705-60.dat	upx
behavioral2/memory/2444-164-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4800-165-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2444-183-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4800-184-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4800-186-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2444-190-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4800-191-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	9b57f0da36f696f084f77117e90e06f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	9b57f0da36f696f084f77117e90e06f9.exe
File opened for modification	C:\Windows\java.exe	9b57f0da36f696f084f77117e90e06f9.exe
File created	C:\Windows\java.exe	9b57f0da36f696f084f77117e90e06f9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 4800	2444	9b57f0da36f696f084f77117e90e06f9.exe	86
PID 2444 wrote to memory of 4800	2444	9b57f0da36f696f084f77117e90e06f9.exe	86
PID 2444 wrote to memory of 4800	2444	9b57f0da36f696f084f77117e90e06f9.exe	86

C:\Users\Admin\AppData\Local\Temp\9b57f0da36f696f084f77117e90e06f9.exe
"C:\Users\Admin\AppData\Local\Temp\9b57f0da36f696f084f77117e90e06f9.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RVXHSNZG\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDAFC.tmp

Filesize
28KB

MD5
1bcf50f955b3c1fc1649ec903ec2ce28

SHA1
1fdcd8086109ae556f7aaf06d02e0fad7fb171f9

SHA256
cfe5bea7ffab8e3d7f3539a304842091b24954bb238076921e46bc5091c398ce

SHA512
32fc09c2436390d2289b9f65e692c05a079c6e16a518e85e631db6d45a53433979e9a98cb994c810c5d85b38401a36c20b1c489cd14684e8fa2a676438402795

Download Submit
C:\Users\Admin\AppData\Local\Temp\wintf.log

Filesize
1KB

MD5
6ae54df94af86b9adae29172ee0fe4b8

SHA1
b6e9dc044916a4bdeb57f99bdffdf3a7c3548af7

SHA256
3eec9d8caa3508acf32cb4c20a75b172dfef0cccc303de2d425930b3d5671b3e

SHA512
8903de65d7147252fb58591f5c38dcc8cad90521e60a46c6ccd24dee2472e989a9ebc6e68e9a3d9b9319c0adfd2c0aaa27ae17dd662b775f6361fa407c8991f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
8157e73a7e83279931e7435e6e0a773e

SHA1
87aef59ff0e180b406fa437148fb2afd4f05440c

SHA256
ae074b7074f0295d6db815aa3574be91f46cf036ca1a0f90b5aa1141c36f0070

SHA512
ba1bb5fac8152bc2db520fc1c1f10cf2d1596535ce1c545c688b563a2cd6d2d81b55e779792f8cf0635ce81679539e9d8ea13542ec585551872f7dcff2fbdcf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
daf8c71113c01f95111b572b90698839

SHA1
632a1819d56c525b0c6e13bca0b63443b8692a19

SHA256
037e219fef552f9a816cb963f8b274bfc0d664449872030bcf18d1fc36b948de

SHA512
6ce95da4317552f8ae7493c7749afebfee00ef0450d2314f508cb52d7aa61e617c82b2acd8767d6e29823d1269b6887f8aa6590a74653906dda551e22d80becf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
43c23501b429754eeda11279e141a3ca

SHA1
ce4a1afedbb4f7e7767bed5ef93d842a32977f6d

SHA256
7bf11c2ff1f18b076a94873415dd7a7621ae41cc166dff55dd54b5617a216554

SHA512
f2ecd9b9ade40909d5e9a10fef13528d56a3d26343caa3033b5dbddb0d9d2af4bb976feb04d41c8b28f52a7a7dff70dffa1065f97bcae27a7188ee16e7a6dd97

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2444-164-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2444-183-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2444-190-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2444-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2444-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2444-49-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2444-47-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4800-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-165-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-184-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-186-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-191-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4800-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads