6b404efe4cd1ceca0e6bd4de0a467693f4cd7e44ffec7cfbb7071c56dfe90c04

General

Target

19e86ba9248f68d44c740d19194086c0N.exe
Size

29KB
MD5

19e86ba9248f68d44c740d19194086c0
SHA1

0d9ad7fe88c72a3190d3254b337258b2cc161d54
SHA256

6b404efe4cd1ceca0e6bd4de0a467693f4cd7e44ffec7cfbb7071c56dfe90c04
SHA512

24a5afd005b0cf296d3a432f2eefa9f002dcad8f743d9a92a403c896d3309cded698e5c336ef95dd2b7c9989c85fa230802f5aea064a1cae113fed2b6847840d
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/O:AEwVs+0jNDY1qi/qG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2696	services.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2152-2-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2152-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0008000000017400-9.dat	upx
behavioral1/memory/2152-16-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2696-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2152-29-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2696-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0038000000016ed2-45.dat	upx
behavioral1/memory/2152-52-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2696-53-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2152-54-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2696-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2152-59-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2696-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-65-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2152-66-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2696-67-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-72-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	19e86ba9248f68d44c740d19194086c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	19e86ba9248f68d44c740d19194086c0N.exe
File created	C:\Windows\services.exe	19e86ba9248f68d44c740d19194086c0N.exe
File opened for modification	C:\Windows\java.exe	19e86ba9248f68d44c740d19194086c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19e86ba9248f68d44c740d19194086c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2696	2152	19e86ba9248f68d44c740d19194086c0N.exe	30
PID 2152 wrote to memory of 2696	2152	19e86ba9248f68d44c740d19194086c0N.exe	30
PID 2152 wrote to memory of 2696	2152	19e86ba9248f68d44c740d19194086c0N.exe	30
PID 2152 wrote to memory of 2696	2152	19e86ba9248f68d44c740d19194086c0N.exe	30

C:\Users\Admin\AppData\Local\Temp\19e86ba9248f68d44c740d19194086c0N.exe
"C:\Users\Admin\AppData\Local\Temp\19e86ba9248f68d44c740d19194086c0N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2148.tmp

Filesize
29KB

MD5
0ad972c2002ef0e62bbf6d977a7d543b

SHA1
75bc7b9705cc84068b15e787c1e73a86f3fe914e

SHA256
3d511f9d56583418df1fb8f1dc21ae56430eba35c694a3ba635c59c9138be3cb

SHA512
e24e3f756b31f36be9b010688fb92e98c38b57500746026352361489209dbc9580ae387009591504325d63416f00129a3269188f87dad343db7e25e8df0ba309

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
f2ed0bfc1b335dc8a6b3daadb3c293c1

SHA1
f999fe3ea07e83152a635c5b26cdb47d64389d48

SHA256
4e1d59a0ce7d3a776862696f5258e7af4236e5dce8a8f987dc01ff94a3e5e6cf

SHA512
08fbe67528d8e9cfdabb7be650a3ba4d3784b8d35f911f465838b930a7bba8287b5ce49762d345ae1f404bb7e11086cd0ffa5894b948c4bb7f6cdfed4f6be37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
cb112a538152b22d3de91c670bdf35bf

SHA1
4d3402c8233622d94a01cd5e709c10fcca4a96e9

SHA256
6c0bb1d35190ee78d13032c681b639d3c2faae0b8f2cc8b8a2f0a8ef93e1c316

SHA512
3ac05a5f137c7f9c478960154f848195ce8f9a0267c24b1946527a2d053062e43a0d655fef8ed006191333c9590d47065987b43deb8430a1e9c16d8e01acf5b6

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2152-66-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2152-16-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2152-59-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2152-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2152-54-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2152-29-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2152-52-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2152-2-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2152-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-53-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-65-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-67-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads