f764842bb49ec5599ef49b615755d6db55d493ade21ca7f899f85903739e0679

General

Target

be44abb45d42b707a00823556dc1812b.exe
Size

40KB
MD5

be44abb45d42b707a00823556dc1812b
SHA1

b493753692e5ca8534f36f52817d7df5a445e5a2
SHA256

f764842bb49ec5599ef49b615755d6db55d493ade21ca7f899f85903739e0679
SHA512

277a1e19d10f0b719c77f95e9d5689560fc6a9af8eaac4b37edb2911e7ee8ecd554c390ea07bf769250751967f56d1fcb93317dac98b9c74a1c90082055080da
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHwB:aqk/Zdic/qjh8w19JDHg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2612	services.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2612-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000b000000014502-9.dat	upx
behavioral1/memory/2612-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2612-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2612-23-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2612-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2612-29-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2612-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2612-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2612-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2612-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2612-65-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2612-66-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2612-70-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2612-74-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2612-75-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2612-79-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	be44abb45d42b707a00823556dc1812b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	be44abb45d42b707a00823556dc1812b.exe
File opened for modification	C:\Windows\java.exe	be44abb45d42b707a00823556dc1812b.exe
File created	C:\Windows\java.exe	be44abb45d42b707a00823556dc1812b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2612	2480	be44abb45d42b707a00823556dc1812b.exe	28
PID 2480 wrote to memory of 2612	2480	be44abb45d42b707a00823556dc1812b.exe	28
PID 2480 wrote to memory of 2612	2480	be44abb45d42b707a00823556dc1812b.exe	28
PID 2480 wrote to memory of 2612	2480	be44abb45d42b707a00823556dc1812b.exe	28

C:\Users\Admin\AppData\Local\Temp\be44abb45d42b707a00823556dc1812b.exe
"C:\Users\Admin\AppData\Local\Temp\be44abb45d42b707a00823556dc1812b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7275.tmp

Filesize
40KB

MD5
946add3bfd6f3c059583147a238ef41b

SHA1
9d95f0801fc2e72465f2d3cbb641af2230a66e4f

SHA256
eabb37331ae05979bc431759dd560f0fbf8e0fefafed803246542fb3a967d734

SHA512
e28a97c357993f812b0243932b86398affb051b5b20d23b4336e5abccf2647eb8e9550f671efe8f5b090d51d701746aa20b3fdbbe0a851f015ef5c8bf85ef335

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
d2e21071531e5db9e1bc798ed7f7571b

SHA1
2944a3c74f7cabc5fc543fe20e321aa876654188

SHA256
ba37d98cb894d30b2c9ea4018cb60402b90257f1558be5da8bb7d18435230d3a

SHA512
de856c3562e93cbb745b953fd728708f16af3956a18a297811e92cef29aa672ac288a4e02a9a477a6743e4f54e6ed1b009adffe6bb6d43efd77aa4697a3cb15f

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2480-24-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2480-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2480-11-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2480-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/2480-21-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2612-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-29-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-65-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2612-79-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads