64f3b87aba6af1cab635bbbfcd943d48627a7458136b2dfdc50e9aa7ffea7c55

General

Target

1a1726f80057918b5b33db1736c362c0N.exe
Size

41KB
MD5

1a1726f80057918b5b33db1736c362c0
SHA1

3b36da6e349093590285650ac8b7f0638027dc3a
SHA256

64f3b87aba6af1cab635bbbfcd943d48627a7458136b2dfdc50e9aa7ffea7c55
SHA512

34dc960bb44cd999e646c348a3d71d2f92339abbc361d3076e82cad9a21d420f228b51034318c6dcfb7ecbe7d92a9b1b762a0b06bc291fd6746cf2464fb88e63
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2280	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2004-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000023465-4.dat	upx
behavioral2/memory/2280-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2004-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2280-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2280-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2280-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2280-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2280-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2280-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2280-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2004-42-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2280-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0003000000022afc-48.dat	upx
behavioral2/memory/2004-167-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2280-168-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2004-170-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2280-171-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2280-175-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2004-179-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2280-180-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2004-195-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2280-196-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2004-199-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2280-200-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	1a1726f80057918b5b33db1736c362c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	1a1726f80057918b5b33db1736c362c0N.exe
File opened for modification	C:\Windows\java.exe	1a1726f80057918b5b33db1736c362c0N.exe
File created	C:\Windows\java.exe	1a1726f80057918b5b33db1736c362c0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2280	2004	1a1726f80057918b5b33db1736c362c0N.exe	82
PID 2004 wrote to memory of 2280	2004	1a1726f80057918b5b33db1736c362c0N.exe	82
PID 2004 wrote to memory of 2280	2004	1a1726f80057918b5b33db1736c362c0N.exe	82

C:\Users\Admin\AppData\Local\Temp\1a1726f80057918b5b33db1736c362c0N.exe
"C:\Users\Admin\AppData\Local\Temp\1a1726f80057918b5b33db1736c362c0N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9X9HPJHY\ZE2KRKV9.htm

Filesize
175KB

MD5
009356476e094345845d1cb2d9c3c79d

SHA1
e158e3db8ad9549b03613402cc38c85515042efd

SHA256
40aab7a3a318917a8d9bc44ccea739849f533199bb2f64997a2d7cd43c029939

SHA512
df1c1e262fd46e995bfa7d31f9632f945e5b54faed132c60b3c58b48dd7066fd15e67e8d297defeae8cb62a00491ff4ef0e6b423b7e8e2dd3131e273baa0b524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W4K3IOC2\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC416.tmp

Filesize
41KB

MD5
71549367ebbca4727bf810ea1ffd166a

SHA1
f5dbd18f5ac3dcac12aedfb51c68d116f5391119

SHA256
60d343c66dd3f05aec38658c7da5bcfbbaa87393fd5b0e75eb45126a5e052bb2

SHA512
68892667cf413d3f4923288ca664b8e863ad18108b05d6cc6196dd1cebfe7196f83b0d8f7d1329230aba35d9651dae3503812e74390991987ea78b879de9a659

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
160B

MD5
a7e3123116c2cea271f174dd2a3ffb69

SHA1
eb5076d521969ca41129fa6447b1553c43e0ca0f

SHA256
cf3c4788ba96d7c9c4b8426871dbcf8ed932f00b8e8478094136bbcee59f9fbd

SHA512
2cce4e55c663b477b5b05969d8b85142d22b3bd1299e826e95de12d2e6a467a540a84e58c17b00b2da38ad52904f7981847f88b87a6a74f5cbd8f8c190cbe096

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
160B

MD5
b707295b23ad408d1ace1870151cbf8f

SHA1
cfb2eff9635929f06c2c88c4d0ca052be1a20c4f

SHA256
31b43ca8ae8292b47b8bdfc06e68c3762991bf38856c8fb66d1e678295a09edc

SHA512
37892416345e57f3428e9b8d44fb3ff6adbc0f753407e5a4be5a2fefbd7ebcf37b7fd3b11bfaf4fde4b1db2fca1c30c8690446b43f08ea76cec9e408e5a547a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
160B

MD5
0080065f7d683005f164f9fb382c52a5

SHA1
278745dd02d0a1911b2cbd2b726eff934001c8bd

SHA256
9ff62e2a00373b601612ebb9ab282da0b0177e7a4c94b0824779484060a59c62

SHA512
d749f020d52d71802d0529b29af13884cfaa280649eeae6a1e7099245c583985b3cce5990f2b54bdecf618f2573a37a3d2b50187d522aed4cc5407adf26f764b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
160B

MD5
3867d1c544627f759dcd4015376d12e7

SHA1
1ada6d9b9d8f05ebcd278f9d3e35d6e95b7da897

SHA256
0a28f515447a77a02f3115acfb2d9c59d15d6c0cf3c65adc2e7595af51d659b4

SHA512
8ca326904de6853feea50103a2b56a8a754acad84de474461a7215dd1b7fd3159bba959b8546ed0f5ec8ef5d2c9269265ca438a2ce25598b84fdbeda2ff41b29

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2004-179-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2004-167-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2004-199-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2004-42-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2004-195-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2004-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2004-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2004-170-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2280-168-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2280-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2280-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2280-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2280-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2280-171-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2280-175-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2280-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2280-180-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2280-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2280-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2280-196-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2280-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2280-200-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2280-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads