e99234362a42f0fa1010f345ef0ae37d467c37283613c97b2e93fd6faf3143dd

General

Target

608baf276843388a72352e8644e2f780N.exe
Size

41KB
MD5

608baf276843388a72352e8644e2f780
SHA1

2feb2b8bad00f85d90bc7771274096771eda8aa7
SHA256

e99234362a42f0fa1010f345ef0ae37d467c37283613c97b2e93fd6faf3143dd
SHA512

b897601bd52224036f42551fed648438c868cad4857dca085024836491de277096bfd272dee576766a49279402e6ef649245313e5fc30058a4dac56d95aca16b
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2784	services.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2692-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/files/0x0008000000016dc7-6.dat	upx
behavioral1/memory/2784-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2692-17-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2784-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2784-23-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2784-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2784-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2692-36-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2784-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2692-41-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2784-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0038000000016d46-52.dat	upx
behavioral1/memory/2692-60-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2784-61-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2692-64-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2784-65-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2692-69-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2784-70-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2784-72-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2692-76-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2784-77-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	608baf276843388a72352e8644e2f780N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	608baf276843388a72352e8644e2f780N.exe
File created	C:\Windows\services.exe	608baf276843388a72352e8644e2f780N.exe
File opened for modification	C:\Windows\java.exe	608baf276843388a72352e8644e2f780N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2784	2692	608baf276843388a72352e8644e2f780N.exe	31
PID 2692 wrote to memory of 2784	2692	608baf276843388a72352e8644e2f780N.exe	31
PID 2692 wrote to memory of 2784	2692	608baf276843388a72352e8644e2f780N.exe	31
PID 2692 wrote to memory of 2784	2692	608baf276843388a72352e8644e2f780N.exe	31

C:\Users\Admin\AppData\Local\Temp\608baf276843388a72352e8644e2f780N.exe
"C:\Users\Admin\AppData\Local\Temp\608baf276843388a72352e8644e2f780N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE37E.tmp

Filesize
41KB

MD5
978bf245aa16a2437428c26d51e786b3

SHA1
25a67426625de10c559a911fd387198115ab9575

SHA256
5fd493ea2dc685e0e6ecc2b872ce951d6b2a2ea2f0657fe0ad5b445a39f0b476

SHA512
f72cd250bc31a3a91a672ecdb933263cbaa078026ffd9fbe4e50d67a428b6497ec9d2436ac0c9995a5b8abcdd22068b4dc85bbf4758ef29fe33a23e53ff8d7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmvcre5in.log

Filesize
128B

MD5
50000572fdb95a5a515de3526eb08137

SHA1
1f7e2e264f50076d7c347028925fd17b0b2810c6

SHA256
5d52f86f9076dd36a28aa5d659ac2e8d789ad76001810f325969aeb847f6e338

SHA512
c4cf48d9c9dd3fecd3bebcf8538462918b111563565194cfb555c6ad488d665237da688bfe6b5f4dc35b4a9ecbb4f303155fdf1523b6b4ff1037286f7a488739

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
12KB

MD5
1506aac570bc71bad0679cf90454f0a7

SHA1
873ee52cfdf41c3680a946638847980f33af578b

SHA256
0b0432eaf38ec03d84fda40ae13b1c13b22bbad1800d3923780c0605ba141856

SHA512
b3efb72214c64a085e88583184261f37a16b37cbb846fef8cd7828f4803b0f3efe4b1c77b7df593179b783a780411f57d06c48cbf62e21cba0664e08516ac72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
160B

MD5
6dd97d36a1c51aa047ba57a2d4e18b3c

SHA1
a9733d9bc5c27ca996a9dce7614bef5a50d60aa0

SHA256
b067785797c7e7a7bb8322a45dd7eca73ca3de59a2bd96a24eb5cc54be8e9a2e

SHA512
7948770672ad00caf7846d3fc4f3b1db92d99b9cd0f9b24c3e691aa24229a426b0fe7bc71c11030bab699ffbf246afd84ec63bfd09949f651c5cdbc115e4dd18

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2692-9-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2692-17-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2692-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2692-69-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2692-24-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2692-25-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2692-64-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2692-10-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2692-36-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2692-60-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2692-41-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2692-76-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2784-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-65-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads