a42c3112c56e30bf848c16b7b134f4cff456e4106058f33e607f70f80f781593

General

Target

8465bd48729dd7390abc0c3f95e172a0N.exe
Size

29KB
MD5

8465bd48729dd7390abc0c3f95e172a0
SHA1

a9a3f09d5c89046ccb8aa87e4d431dca6ac0477f
SHA256

a42c3112c56e30bf848c16b7b134f4cff456e4106058f33e607f70f80f781593
SHA512

b819b0e388378bb28b993ca97a43112c4c594662b5ab1ae8719d2d2ae2ee36b10a76c160c7ba9f7206258d1135046e9e1d091ed34f7925b5ee8a290edf1a2c30
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/M:AEwVs+0jNDY1qi/qU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1352	services.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2880-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000023422-4.dat	upx
behavioral2/memory/1352-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2880-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1352-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1352-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1352-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1352-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2880-30-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1352-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2880-35-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1352-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000a00000002342d-49.dat	upx
behavioral2/memory/2880-148-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1352-149-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2880-175-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1352-176-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1352-181-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2880-182-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1352-183-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2880-208-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1352-209-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	8465bd48729dd7390abc0c3f95e172a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	8465bd48729dd7390abc0c3f95e172a0N.exe
File opened for modification	C:\Windows\java.exe	8465bd48729dd7390abc0c3f95e172a0N.exe
File created	C:\Windows\java.exe	8465bd48729dd7390abc0c3f95e172a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8465bd48729dd7390abc0c3f95e172a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 1352	2880	8465bd48729dd7390abc0c3f95e172a0N.exe	83
PID 2880 wrote to memory of 1352	2880	8465bd48729dd7390abc0c3f95e172a0N.exe	83
PID 2880 wrote to memory of 1352	2880	8465bd48729dd7390abc0c3f95e172a0N.exe	83

C:\Users\Admin\AppData\Local\Temp\8465bd48729dd7390abc0c3f95e172a0N.exe
"C:\Users\Admin\AppData\Local\Temp\8465bd48729dd7390abc0c3f95e172a0N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JSDV0W5M\default[1].htm

Filesize
313B

MD5
ffb72ab4faba49ad441ce07db37dd8b6

SHA1
194e13c1c32ebb6e7a1dc912261cbd58a82ff71e

SHA256
7bd7c3676e98ddde8e0d5b63dd22cb9379d975bcd1d68884c97565cdd8d03660

SHA512
517be20d2442489ce39b48dc7f9f6f13f8c45d02703fb1865071f553d36b2289f5abc26c6089fc0bfad1a41fe318bf4b5a806915c5e45898ac744b7e4ed30257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VNN58CU3\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D24.tmp

Filesize
29KB

MD5
95dc790d65e45d626d21806369b49289

SHA1
1d33c5054a7717ea96c6017cc43c64567e219ab5

SHA256
a05abe06d4805f2dd7a3f4a7525af61facd370f804f7ea7e6f635b36d50467b3

SHA512
2686df3867fcdd43b5841ece6288a19caf0bc0a00299b5ce0dc0ab097cb6b4255661289521cdd9aa8fbad12ad3069e056c36d20b8e8ab0a4b59a589e059b09a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
fdac804eac1622bca09925891e283324

SHA1
e0160d0ea5e1bab38c6e526c5354b06f57df3654

SHA256
48c221a0f5c094a9d823b919bff10e88bb230aa7a56f242620a77a1331984313

SHA512
c6e0190687d2226c0a63d7e94f016fc5af22250fda8b0c3000689aa19ed873c7f6b961fa93d6abf6058a1ecc92bf19e85786db2bfc4102b9041f47e704f2c30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
7f8e46370e3b82f85a51fa3a70220787

SHA1
a2ffd1a89c8ce3a6628d194d1a526568052ec965

SHA256
00ea6c86b80bb7724b20f37f1b15aa1f7cf24b860ec269d76707eb42830744dd

SHA512
342d290db0c94be9d9829655a29bda5a62b35b7d732768224e365c8f0ddd3751338eb0d9a3464c7c188610462bedbe44dd7e6283c9395a21194839d457d1fee2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1352-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1352-176-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1352-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1352-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1352-209-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1352-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1352-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1352-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1352-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1352-183-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1352-149-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1352-181-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2880-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2880-175-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2880-182-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2880-148-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2880-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2880-208-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2880-35-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2880-30-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads