7347c21659d2d4cebf8e12ed692c89a722dcfbc070237f7fed5261972181cc46

General

Target

7347c21659d2d4cebf8e12ed692c89a722dcfbc070237f7fed5261972181cc46.exe
Size

29KB
MD5

b5533cb99429d033331bf8bc0176b326
SHA1

d45a8f811a56665f19f002c2a645ced2f8c436a3
SHA256

7347c21659d2d4cebf8e12ed692c89a722dcfbc070237f7fed5261972181cc46
SHA512

16aee5ee40bf80e82215023da75b7c0d6a76c1a81d8dc14293dc3a3e547bcf5ac2492dd0444ed530e0fce5a2b4b0b348e95b15625bf96bf4845f5946561bb12b
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/f:AEwVs+0jNDY1qi/q3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2180	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2740-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2740-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0032000000015d0c-7.dat	upx
behavioral1/memory/2180-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2740-16-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2180-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2180-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2180-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2180-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2180-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2180-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2180-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2180-47-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2180-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2740-53-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2180-54-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-62.dat	upx
behavioral1/memory/2740-72-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2180-73-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2180-77-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2740-78-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2180-79-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2180-84-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	7347c21659d2d4cebf8e12ed692c89a722dcfbc070237f7fed5261972181cc46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	7347c21659d2d4cebf8e12ed692c89a722dcfbc070237f7fed5261972181cc46.exe
File opened for modification	C:\Windows\java.exe	7347c21659d2d4cebf8e12ed692c89a722dcfbc070237f7fed5261972181cc46.exe
File created	C:\Windows\java.exe	7347c21659d2d4cebf8e12ed692c89a722dcfbc070237f7fed5261972181cc46.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2180	2740	7347c21659d2d4cebf8e12ed692c89a722dcfbc070237f7fed5261972181cc46.exe	28
PID 2740 wrote to memory of 2180	2740	7347c21659d2d4cebf8e12ed692c89a722dcfbc070237f7fed5261972181cc46.exe	28
PID 2740 wrote to memory of 2180	2740	7347c21659d2d4cebf8e12ed692c89a722dcfbc070237f7fed5261972181cc46.exe	28
PID 2740 wrote to memory of 2180	2740	7347c21659d2d4cebf8e12ed692c89a722dcfbc070237f7fed5261972181cc46.exe	28

C:\Users\Admin\AppData\Local\Temp\7347c21659d2d4cebf8e12ed692c89a722dcfbc070237f7fed5261972181cc46.exe
"C:\Users\Admin\AppData\Local\Temp\7347c21659d2d4cebf8e12ed692c89a722dcfbc070237f7fed5261972181cc46.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC024.tmp

Filesize
29KB

MD5
e8f0e1807990b5f58b10fe667ae2949f

SHA1
7992a700281d1fc00cd0c3f895673e079826f051

SHA256
b9738d562066c1631ee9f82018c226f25bed500c2f6b578ca9f89765ceb4794e

SHA512
51df9f48488cbf1402ff408d7b49d284d4e72eb8cf4683e77eb9fc7b372bdf9804b25c6ba70dc137e3ec3ecb7743d8a017096fb26075af351d99bf6a069d2db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wloeUc.log

Filesize
288B

MD5
34f85b6dd56db2e68e4de3eb81144eaf

SHA1
048921bea45f7f6af82ef0501057478414fb8525

SHA256
93b04586986d396f6013c3846d9cc88d144ebbff8d3b205c352f7fb2f976b06e

SHA512
786cfb3d216b1da5a65dcaaaa3fdb7a40c24b5e0ab268fc06fa104ca7a65552f347e4f5e84acf1f3aa11f1ef33a727d41bbcf48e96393ecf9ed5e5ff6a17a7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
512f633785ccdebfd0fc3c2329d6d14a

SHA1
e3b84c93106580241e7ee6c0096823743c45e2d4

SHA256
fe4bf0357079a09c0fee9cfd2acd5f8aa529e4a9c2c539387c287a9538d6068a

SHA512
6c906635760c863811bb2023a57343f413986bf8cc89d14c6b70e373b4c36857b77549d714ba0788fb2b61f8fa310013eb37bbea954f89eee7809af172c4aa44

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2180-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-84-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-79-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-47-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-73-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2180-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2740-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2740-72-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2740-53-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2740-16-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2740-78-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2740-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2740-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads