09777c1818d3fc77f5f7534a7d128898c773a1cc4e4f444b1ac83c0e7cf3eb3f

General

Target

062b6885f3841f9de21fe0c9b59d37f0N.exe
Size

29KB
MD5

062b6885f3841f9de21fe0c9b59d37f0
SHA1

f4a2a6a73feb10e3e30eccb6d1324e762d7a52ad
SHA256

09777c1818d3fc77f5f7534a7d128898c773a1cc4e4f444b1ac83c0e7cf3eb3f
SHA512

7185d9ef435c360f017ab534fb23f5978841654c96356f5f6c788681776ba88bb234a4bd49279f5a611738fb6dea9672bcdc0822bf23ff37bbb66a1d266705ad
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/V:AEwVs+0jNDY1qi/qd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4588	services.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/596-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000023445-4.dat	upx
behavioral2/memory/4588-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/596-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4588-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4588-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/596-47-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4588-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0009000000023453-58.dat	upx
behavioral2/memory/4588-153-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/596-152-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4588-237-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/596-236-0x0000000000500000-0x0000000000510200-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	062b6885f3841f9de21fe0c9b59d37f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	062b6885f3841f9de21fe0c9b59d37f0N.exe
File opened for modification	C:\Windows\java.exe	062b6885f3841f9de21fe0c9b59d37f0N.exe
File created	C:\Windows\java.exe	062b6885f3841f9de21fe0c9b59d37f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	062b6885f3841f9de21fe0c9b59d37f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 596 wrote to memory of 4588	596	062b6885f3841f9de21fe0c9b59d37f0N.exe	83
PID 596 wrote to memory of 4588	596	062b6885f3841f9de21fe0c9b59d37f0N.exe	83
PID 596 wrote to memory of 4588	596	062b6885f3841f9de21fe0c9b59d37f0N.exe	83

C:\Users\Admin\AppData\Local\Temp\062b6885f3841f9de21fe0c9b59d37f0N.exe
"C:\Users\Admin\AppData\Local\Temp\062b6885f3841f9de21fe0c9b59d37f0N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:596
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TXPNUX1J\results[4].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TXPNUX1J\search[5].htm

Filesize
150KB

MD5
8ec0cbfbe76b3a1995c1f8b0fc0a0175

SHA1
1fc57fa2815c47d2015cad909b63b10c51877b44

SHA256
9b4302d21710f84af851996d7a6361629d6357c5a266a2a17e097593876bbf1d

SHA512
e146256154f2f8b4098a4c79132f42c5e6ae9552e8db60bd4265805edf39624d9d673a1791f33ded1ac4bc87fb963dde53d1e612ecabd68ad6ac5294cc4e9c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZP51L7MW\5UQB4V2H.htm

Filesize
178KB

MD5
bdeefe24f5fe56e9bee014b657b9bc8d

SHA1
16f574dc45b5c129f1418c267672af0d0f42fd70

SHA256
37775d1f566e5737f09ea2ad3ebc41cc175dcbdfe4c511f45d219dc991cf35e9

SHA512
93683b8c1a879e813ab3190c14b94aae5005477b5ab40b95de20982523302d553960aa15838163643dccb98a55ee845fd92ad445c48b456b9ad508612b6c3980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZP51L7MW\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp236E.tmp

Filesize
29KB

MD5
981e52ba9824af5e99861492f9d850a6

SHA1
e12d1ebe4c927ee877b597f3712d9fc92da884b7

SHA256
aed67c452db59d4d20c7935809f5a0b2f3903fe5d0e526ddd5f38a1657a961af

SHA512
d1d5a10201f0d2992c96ada092a34418dde54b828c8e099167e0c84d604b4e11447aa2ecfbe6f98ee0b05987421b27859f366cebe8eaf9bf86cbbc68099b8c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
cc783050df68d6c44c0f40ffe71baccb

SHA1
6e35c7b238150973648a36739f2754e363c19cfb

SHA256
f378d736adbf805d6f831506cd25380367309ba5f92e297546d1cf74c550b02d

SHA512
371939144663e84b0d013bc3d1211ec1150fe15d32aac7c310305a08e5f535228828c65916481a4ba222513660f5134fe68a59a736eb1dac1d47e89679eb5df5

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/596-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/596-236-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/596-152-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/596-47-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/596-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4588-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4588-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4588-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4588-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4588-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4588-153-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4588-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4588-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4588-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4588-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4588-237-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4588-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads