2499c608547bc875f53025ca4186444eee77f718a9f49d25833e3165b5032d7c

General

Target

2499c608547bc875f53025ca4186444eee77f718a9f49d25833e3165b5032d7c.exe
Size

28KB
MD5

11e77b67b06b359454edf371698ab345
SHA1

d5c472a97c99ddfb18f04eb9ecef176070431e66
SHA256

2499c608547bc875f53025ca4186444eee77f718a9f49d25833e3165b5032d7c
SHA512

af7fc0b455c3fc1062ec31182bf31ee1fe24cd0f473277d062a4452673e5262a57bfbff863132e212381b3e5f4f1f5e1fccff1bae51e1cd93bb15e65f99bbed4
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNs0mBL:Dv8IRRdsxq1DjJcqfb0I

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1624	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1692-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1692-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/files/0x0035000000015d90-7.dat	upx
behavioral1/memory/1624-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1692-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1624-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1624-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1624-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1624-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1624-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1624-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1692-41-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1624-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1624-47-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-60.dat	upx
behavioral1/memory/1692-73-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1624-74-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1692-75-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1624-76-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1692-80-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1624-81-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1624-86-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1692-87-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1624-88-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1624-93-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	2499c608547bc875f53025ca4186444eee77f718a9f49d25833e3165b5032d7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	2499c608547bc875f53025ca4186444eee77f718a9f49d25833e3165b5032d7c.exe
File opened for modification	C:\Windows\java.exe	2499c608547bc875f53025ca4186444eee77f718a9f49d25833e3165b5032d7c.exe
File created	C:\Windows\java.exe	2499c608547bc875f53025ca4186444eee77f718a9f49d25833e3165b5032d7c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1624	1692	2499c608547bc875f53025ca4186444eee77f718a9f49d25833e3165b5032d7c.exe	28
PID 1692 wrote to memory of 1624	1692	2499c608547bc875f53025ca4186444eee77f718a9f49d25833e3165b5032d7c.exe	28
PID 1692 wrote to memory of 1624	1692	2499c608547bc875f53025ca4186444eee77f718a9f49d25833e3165b5032d7c.exe	28
PID 1692 wrote to memory of 1624	1692	2499c608547bc875f53025ca4186444eee77f718a9f49d25833e3165b5032d7c.exe	28

C:\Users\Admin\AppData\Local\Temp\2499c608547bc875f53025ca4186444eee77f718a9f49d25833e3165b5032d7c.exe
"C:\Users\Admin\AppData\Local\Temp\2499c608547bc875f53025ca4186444eee77f718a9f49d25833e3165b5032d7c.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dnWozue.log

Filesize
1KB

MD5
118b750204923d0716a727c112d976d6

SHA1
41c0c8ccc2a4f2cf7558e73554db2b1566774db7

SHA256
1c071b698179f5edf51f1ce7bbb43a6b41863b77e882dda580989002fda570e2

SHA512
b1638e6ebce396adc2d8a3ce0b27b1e07adc42719f5447eba2ea1605b0a85d03f80c8f7a2210c5319c491c75515124b3107a0a1e034bde1408bd60856433e645

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp742A.tmp

Filesize
28KB

MD5
e945ea08255bebde9a1fb99476986c6d

SHA1
7320701f744c720d45d40c30bdf65766455fe957

SHA256
47d44c2befe0d0fd29278f149529f13ba3390f9a270d162454f61e30c376a0ac

SHA512
75141d37c13b66a54c339758ba581d7b9d419d1c086542d8606bd3932656c5165a1b69f929ea80545a06a52140780081926db764fbefc708fab5d958388135ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
9f9aefacabf08b67d7f21f695462f329

SHA1
2ce40a42a0608e5174b64221307d7647653b4e45

SHA256
4be2547f16768456abe4175a17ba081fb457d633ff825e012f44d22789d93c4a

SHA512
1c667820a179fced58ae43520b9a8a780abacf99f2f6eaee747f255e9a255d35fb170c148001f263c43f26d1eff64e8e283be0200782670c25ffadd17d850a9e

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1624-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1624-47-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1624-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1624-93-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1624-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1624-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1624-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1624-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1624-88-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1624-86-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1624-81-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1624-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1624-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1624-76-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1624-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1692-73-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1692-75-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1692-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1692-80-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1692-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1692-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1692-87-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1692-41-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1692-23-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads