529af0dad34302a6b61134ae90c0dce87a80611cde38987600fb248487513f82

General

Target

bb7d926ab72dcc88ff5425e83b635fa0N.exe
Size

29KB
MD5

bb7d926ab72dcc88ff5425e83b635fa0
SHA1

0583663ec6b2e5070f4acf308656b91925c84df9
SHA256

529af0dad34302a6b61134ae90c0dce87a80611cde38987600fb248487513f82
SHA512

555afa19f31d7b343fa24dcdaf3c2fb1a2a232cd83c218ec4cac3f1d358828513814858a6df7334e375e953c847f31efdda7d2b665d313475a1f96578a222a70
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/GC:AEwVs+0jNDY1qi/qb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4168	services.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3696-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x00090000000234bb-7.dat	upx
behavioral2/memory/4168-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4168-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3696-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4168-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4168-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4168-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4168-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4168-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4168-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4168-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4168-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4168-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3696-54-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4168-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x00070000000234f1-60.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	bb7d926ab72dcc88ff5425e83b635fa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	bb7d926ab72dcc88ff5425e83b635fa0N.exe
File opened for modification	C:\Windows\java.exe	bb7d926ab72dcc88ff5425e83b635fa0N.exe
File created	C:\Windows\java.exe	bb7d926ab72dcc88ff5425e83b635fa0N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb7d926ab72dcc88ff5425e83b635fa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 4168	3696	bb7d926ab72dcc88ff5425e83b635fa0N.exe	84
PID 3696 wrote to memory of 4168	3696	bb7d926ab72dcc88ff5425e83b635fa0N.exe	84
PID 3696 wrote to memory of 4168	3696	bb7d926ab72dcc88ff5425e83b635fa0N.exe	84

C:\Users\Admin\AppData\Local\Temp\bb7d926ab72dcc88ff5425e83b635fa0N.exe
"C:\Users\Admin\AppData\Local\Temp\bb7d926ab72dcc88ff5425e83b635fa0N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CWF229A2\B8SOY8WF.htm

Filesize
175KB

MD5
dadfbb0dd3c3fe5d9e8133acc2b1eb1e

SHA1
0e7c2d9ff91acb22a08910d5a7d0ef45a908c2f2

SHA256
a589d9aab53caa0b69d8fcfdcc57258eaebbd1952fb59682c3ce1e857bd203b8

SHA512
a1780bd08d0db6e9fd23343986363aa251e30640e1770b56282fe05ef8821d6e79587cf6032867bcf9d345d68247638f1ab7ddf42ada09d811e317e44dfb48b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q90VG4IN\search[1].htm

Filesize
168KB

MD5
e8479cb16dcc9b271505dd63746689b0

SHA1
631d457a734eb18d6e84fb34aea4bb1fdaf72250

SHA256
89c236e71fefa7055701f218073738f72416d61c30fc37bc898fe0f63a27491c

SHA512
7670eb932ba5460b955606271cf6f53615ac033dda8292d2bf0a53cdc8beb282f56dbee4d9512b0d7dc462d740b537a0bbe249fbcf55f5a58e81b9b203f0a5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7E5E.tmp

Filesize
29KB

MD5
4b685cd22c9fb8386ab9abca1d973159

SHA1
4e59642c000a966b701f281a91ca912ba1d234d1

SHA256
898091689089538bdab7b40f342acf6ceaf162c71408139d2be132d5b1ea43ab

SHA512
3540eaff9484a2f7e2c0481b88bf1fdf8c3067c0ba609f1fcae21b6a4b7f72ce8ec2499cd73e9000564ab428a734e8e0593b0452a82394707b06fd31ac220ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
576a0758a7409e84d605bf744f81c3ad

SHA1
aca95726eabe7f580ff86af79a44a79827d23b42

SHA256
25e0f6bb50a1995732d104ef7c19d459625902dbc4b7cfd5a1c1180da08bb76d

SHA512
aba72dbef26cfed6dc7368b57636105709e533c61e29e6b9e09c6c8997185da2e34d022fa6e1fdcfef07548da4d4df208123abd3cd7ea4db25c53d0fdf9e0541

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3696-54-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3696-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3696-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4168-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4168-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4168-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4168-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4168-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4168-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4168-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4168-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4168-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4168-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4168-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4168-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads