9cf4d41de48750840c904914f6730eb7a36a132e85a4fb551fa91d7d399a1aa6

General

Target

9c1394cbc126c093d724a57ad6d370c0N.exe
Size

41KB
MD5

9c1394cbc126c093d724a57ad6d370c0
SHA1

315faba6a8380419f3e2c7ece49902bf7546282b
SHA256

9cf4d41de48750840c904914f6730eb7a36a132e85a4fb551fa91d7d399a1aa6
SHA512

ae23320377a3164715ecd046d51dd8ad8232fc70b9ebd077a750c1c5b5ef4ec6ca2917d06c3639577db16a4e85395cc28ef1250f337c9ce65d6f2f64de6c0098
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2644	services.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5024-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0009000000023488-4.dat	upx
behavioral2/memory/2644-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5024-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2644-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2644-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2644-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2644-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2644-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2644-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5024-37-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2644-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0006000000016937-51.dat	upx
behavioral2/memory/5024-187-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2644-188-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5024-253-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2644-254-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2644-256-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5024-260-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2644-261-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	9c1394cbc126c093d724a57ad6d370c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	9c1394cbc126c093d724a57ad6d370c0N.exe
File opened for modification	C:\Windows\java.exe	9c1394cbc126c093d724a57ad6d370c0N.exe
File created	C:\Windows\java.exe	9c1394cbc126c093d724a57ad6d370c0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 2644	5024	9c1394cbc126c093d724a57ad6d370c0N.exe	84
PID 5024 wrote to memory of 2644	5024	9c1394cbc126c093d724a57ad6d370c0N.exe	84
PID 5024 wrote to memory of 2644	5024	9c1394cbc126c093d724a57ad6d370c0N.exe	84

C:\Users\Admin\AppData\Local\Temp\9c1394cbc126c093d724a57ad6d370c0N.exe
"C:\Users\Admin\AppData\Local\Temp\9c1394cbc126c093d724a57ad6d370c0N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\09XH2190\MOI3URI8.htm

Filesize
175KB

MD5
f6de4eed9300d72218d995c1bd0b0aa9

SHA1
c7c1f60a5463abcfe3621bae0a7dfacea35dd454

SHA256
4d806be9fcd350557b8cdbd4527cd0649d283dbb1a89316aba87955972ba8a7c

SHA512
2521ec934de32977cc52e85ac9f90c3820503c2b8a11b6a093f608791d6af9fa7b6ec08e989cf8ac98de3197caccfd13fc8c55998a67f37facac9cc993158ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5HI12B12\search[3].htm

Filesize
142KB

MD5
4ca3b8a882b23287bb4604690beb8e30

SHA1
51cbd9d15ddd98e88cf4aa819395d5a5fdb9d9da

SHA256
7c0ce0a565a43b627e4fe7e5538e0cd34ad18425315cff9b7445d6f400949a4d

SHA512
d1c84996791cbbcaeb3bf6ff3610000eec68d1d80c9a0947588d3a830a408b487c54c698df3606ebd600afb151662e5b08449b603eb5ba2338ac0b8d4e860dc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5T79XY6A\search[1].htm

Filesize
114KB

MD5
cd597c7a893f83657687fdf6255b4de6

SHA1
50361c4959c5e58dda28ac93870686a16aa217c2

SHA256
daa8ca8a0c44ba2330d6c1ed6cd52c9b92bc957d149118d6aebdd550dbd2e233

SHA512
2c855d44b33ec5241ab936893f410617b46f470f37439964c391bef6fb18a0fd8e5eff7c4176ef852016ba47050a29c395b113a0ca42c2dd2751db1ac68f76cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\F954GPP7\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD138.tmp

Filesize
41KB

MD5
345862df4fbbca05b4962ff8b3155d1e

SHA1
7df8090ab2b86a51e9ca33bd32b654672fe853e0

SHA256
eb4a9f8593cd4d9b8d3b2a567310fb052ca0f352b609bc7015b48250e8693a34

SHA512
d2ea95578496ef2e7eef00e2317abc8f5ee212aba29f6159b9f889e43bd9bc0fac0eb85edbc5f256439fdf5d949a937cd482f3b6313f7c152ed139577d715297

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
f1c23c23a52e1e8aad8d39a8a4ec53ac

SHA1
635338799f195cc38eec1da7293475b9a44b01ff

SHA256
a7588c9466ce4b973e27917aeda00a43c652b10990f760e2264cc6dc8da28a05

SHA512
b8ae518254756a2659e3909e9a31bbfca077233f9e4a29c7fe7b101f329b48ec55f1b9d06d281c77c8ad27d9ca720b22db94486e7af4114db4f50ca3d8d9d867

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
ecf4c29606578845a8fc31ec19b66fca

SHA1
b7994868555ef26b4956fd8abb43ccc6ddd35cdf

SHA256
2f086df4f4ac7785ad5120e30c9b26c896eb894d50538e71aa47d2a40593fee7

SHA512
94bf328284395584ea2aedc5c828a23c456c0ffc8add01a9cd92535833726967cdbe7ddecea6707f3330ff72d4bd8218a0bd1d91e32bf5d73bb825a10b8f22bc

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2644-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2644-254-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2644-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2644-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2644-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2644-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2644-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2644-261-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2644-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2644-256-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2644-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2644-188-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5024-253-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5024-187-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5024-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5024-260-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5024-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5024-37-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads