d744b3a8d029a03f3cc835b414075acedb20c879743700de220f06011530387a

General

Target

d744b3a8d029a03f3cc835b414075acedb20c879743700de220f06011530387a.exe
Size

29KB
MD5

de7fc71113f9e0b44658a8213312a596
SHA1

985e58d06415f2715f49bc480f10ebf7822c9587
SHA256

d744b3a8d029a03f3cc835b414075acedb20c879743700de220f06011530387a
SHA512

47276390421409e8f33afe794312ca390674f303cbf2c1458049c90688df82b9bb4daee767ca07db2ce187d1c33488257c33479091e6d637391b60ed44ff0540
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/6jM:AEwVs+0jNDY1qi/qSjM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2072	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2200-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x00080000000234e8-4.dat	upx
behavioral2/memory/2072-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2200-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2072-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2072-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2072-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2072-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2072-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2072-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2072-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2072-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2200-47-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2072-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x00090000000234f3-58.dat	upx
behavioral2/memory/2200-117-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2072-118-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2200-142-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2072-143-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2200-146-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2072-147-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2200-148-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2072-149-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2200-159-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2072-160-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	d744b3a8d029a03f3cc835b414075acedb20c879743700de220f06011530387a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	d744b3a8d029a03f3cc835b414075acedb20c879743700de220f06011530387a.exe
File opened for modification	C:\Windows\java.exe	d744b3a8d029a03f3cc835b414075acedb20c879743700de220f06011530387a.exe
File created	C:\Windows\java.exe	d744b3a8d029a03f3cc835b414075acedb20c879743700de220f06011530387a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2072	2200	d744b3a8d029a03f3cc835b414075acedb20c879743700de220f06011530387a.exe	82
PID 2200 wrote to memory of 2072	2200	d744b3a8d029a03f3cc835b414075acedb20c879743700de220f06011530387a.exe	82
PID 2200 wrote to memory of 2072	2200	d744b3a8d029a03f3cc835b414075acedb20c879743700de220f06011530387a.exe	82

C:\Users\Admin\AppData\Local\Temp\d744b3a8d029a03f3cc835b414075acedb20c879743700de220f06011530387a.exe
"C:\Users\Admin\AppData\Local\Temp\d744b3a8d029a03f3cc835b414075acedb20c879743700de220f06011530387a.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMWT2DJF\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC81B.tmp

Filesize
29KB

MD5
374059916d50ea893ac49b8633f123db

SHA1
320478781af97feddeb02cd7bbdfa32e40ac1e7c

SHA256
acf27b5605b76b207cf0eafa60d91328acc485081985f9b7d27d385953ee68e2

SHA512
5c666b8c105451f7db68b52bd6428e2802c716bf8575df26b4f8d8a371f5579f492ec47a4b651207093370422048166e2dd5f49a4c822af32eb9d25d7844105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
50b2c681c78fa838a3390c0e8818d575

SHA1
035113377578172b3c29fb369bc98cb486c8466b

SHA256
793881cb6fd01ec722d18f32d42f0276b1d7c4760a14c0fbbd8442be982b61b0

SHA512
caa4068f4e538fc252908acf7fe26b20828925a766f26d6c8a72b53b27a4e4d16128649f9c2ccb4e3249b9613671f664d05a847342306cf2d5fe5e41d21dd5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
0e4454bd6f3553e9959cc22cdcc0428c

SHA1
06584ef03888370b8a41563a2e801cf3f97baa36

SHA256
3fd8b22c736f05cd049f2cb1139991515ec965dbca9f7585fb8caf3d9de2a5e8

SHA512
c34ff2d1c5413685a05fb024d34b30eb38c1c74d8253c18cb7366e7d3a3f3ae6967b0bf093821758ca8b4af5a2ddc0dfd145a68c98adf92e3ae040039e9737c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
7ad2fd177135775c0c336b9fdedea20a

SHA1
359115bb443dce163ffe81efea6321b02a2c8574

SHA256
49ccea26da040b96043758221ab8d80d50694ddff3b70a2984db6ca84a5dd03d

SHA512
4e9e6fb30120a440b4bb23be6aefe8d4f24ba1f353ae0c03254c11d51db3a6e7461b1d268a6f0a819193abe7d62fed202516e23aeb3e4e1ae882026ece5290a2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2072-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2072-147-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2072-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2072-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2072-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2072-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2072-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2072-160-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2072-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2072-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2072-149-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2072-118-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2072-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2072-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2072-143-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2200-146-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2200-142-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2200-148-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2200-117-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2200-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2200-159-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2200-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2200-47-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads