0a8ef668c8632c9a17ae4f9b412f918959b792d0b85ea218555c3ec959002571

General

Target

cd3ea0cc3893435e0f9f8c540ecbdd06.exe
Size

28KB
MD5

cd3ea0cc3893435e0f9f8c540ecbdd06
SHA1

2ea28b33b89d3f82c2f47f0b314163322cb95d51
SHA256

0a8ef668c8632c9a17ae4f9b412f918959b792d0b85ea218555c3ec959002571
SHA512

5177d68a8cd0d0c4f8db0911e32688aab4510192e232b4810a4844700e788946a6fdd4b21a7d3a682f0d98f3d90b26a0dc339f568d6ffd1cb1b4f44fef0b6985
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyN2IaoTL:Dv8IRRdsxq1DjJcqfXoL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2792	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2676-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2676-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/files/0x000b000000014230-7.dat	upx
behavioral1/memory/2792-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2676-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2792-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2792-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2792-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2792-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2792-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2792-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2792-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2792-49-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2792-54-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2676-55-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2792-56-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-72.dat	upx
behavioral1/memory/2676-80-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2792-81-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2676-84-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2792-85-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2676-86-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2792-87-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2792-92-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	cd3ea0cc3893435e0f9f8c540ecbdd06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	cd3ea0cc3893435e0f9f8c540ecbdd06.exe
File opened for modification	C:\Windows\java.exe	cd3ea0cc3893435e0f9f8c540ecbdd06.exe
File created	C:\Windows\java.exe	cd3ea0cc3893435e0f9f8c540ecbdd06.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2792	2676	cd3ea0cc3893435e0f9f8c540ecbdd06.exe	28
PID 2676 wrote to memory of 2792	2676	cd3ea0cc3893435e0f9f8c540ecbdd06.exe	28
PID 2676 wrote to memory of 2792	2676	cd3ea0cc3893435e0f9f8c540ecbdd06.exe	28
PID 2676 wrote to memory of 2792	2676	cd3ea0cc3893435e0f9f8c540ecbdd06.exe	28

C:\Users\Admin\AppData\Local\Temp\cd3ea0cc3893435e0f9f8c540ecbdd06.exe
"C:\Users\Admin\AppData\Local\Temp\cd3ea0cc3893435e0f9f8c540ecbdd06.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE3EC.tmp

Filesize
28KB

MD5
7f3b81b12049f55f8beb1818a4b4b847

SHA1
2419810d239b6d35335f2891ad10fdd7cbdb1b31

SHA256
60ddfded0579d3e1445f148fd2a1c84df7ff215143e34faa8a235d72a5d5ff58

SHA512
010288f83c148c619a402a6f97b85b5ae42a1b4efa720087945ab1a24d5a25b6c7bb1d13a9c25dc678d5334caa2e833f0c654d1b70bd1c0f2d212eab83cec7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
2a2f2c6f5d8d9e119540c85227d31fd4

SHA1
137d89ed7e88b5828ec87b4c6ca0879a93384127

SHA256
14b49cd8b7e9ab20e188a15963079cd3f64e58c0124a2a81c44ed49846d8b671

SHA512
1e25473f268da10c79a620243dfa7786f9c8dd6cef2aac34d5c7cba2c1c8b6a1ed2f300eb9bc01125921d958e720e27aa1942aad3be40b38d78f6ce9984eead9

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2676-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2676-86-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2676-55-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2676-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2676-22-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2676-23-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2676-84-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2676-80-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2676-9-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2676-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2792-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-81-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-85-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-87-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-92-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads