43bf093a3e2489ee0efd86a09f1afa283a4254194b8cb4a492cf19acb34bbc8c

General

Target

fd799eb687dec39d4ec6315e3fcfa730N.exe
Size

41KB
MD5

fd799eb687dec39d4ec6315e3fcfa730
SHA1

86f6cb921724c2525f82cfb59cfc91dfa433dc94
SHA256

43bf093a3e2489ee0efd86a09f1afa283a4254194b8cb4a492cf19acb34bbc8c
SHA512

c37745dfd898f1f7db304d2995c7b604abf153131ad5dd38dee540e8e29fc0096234186c513742b02b4c1353f8d849ccf2ffb7b94e1fda104663fb3804cf988d
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1908	services.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1848-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0009000000023487-6.dat	upx
behavioral2/memory/1908-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1848-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1908-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1908-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1908-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1908-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1908-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1908-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1908-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1908-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1908-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1848-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1908-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000900000001e55a-63.dat	upx
behavioral2/memory/1848-139-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1908-140-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1848-181-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1908-182-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	fd799eb687dec39d4ec6315e3fcfa730N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	fd799eb687dec39d4ec6315e3fcfa730N.exe
File created	C:\Windows\services.exe	fd799eb687dec39d4ec6315e3fcfa730N.exe
File opened for modification	C:\Windows\java.exe	fd799eb687dec39d4ec6315e3fcfa730N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd799eb687dec39d4ec6315e3fcfa730N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 1908	1848	fd799eb687dec39d4ec6315e3fcfa730N.exe	84
PID 1848 wrote to memory of 1908	1848	fd799eb687dec39d4ec6315e3fcfa730N.exe	84
PID 1848 wrote to memory of 1908	1848	fd799eb687dec39d4ec6315e3fcfa730N.exe	84

C:\Users\Admin\AppData\Local\Temp\fd799eb687dec39d4ec6315e3fcfa730N.exe
"C:\Users\Admin\AppData\Local\Temp\fd799eb687dec39d4ec6315e3fcfa730N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BRZNMQLE\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp120A.tmp

Filesize
41KB

MD5
cfe54c089d4578d8ba015b43a787c3fc

SHA1
e15fb9a809de1a13d82a2c6dde757a914e9f8f58

SHA256
e07ec266a82fa783ee93097bbe96d8ec8c690ce96cea74bb603624e2099e338f

SHA512
36e4052d3b1604f5cb7e580f65e00c6b830ea45f669e907d38ed8aa43710e24b12e1612db5a608a49f7efda6b6a2d4666206459a4c32db6fd04fe4e55a379983

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
4b0fd92d5775a629a294d0997cec5ce5

SHA1
ac85cc3b8dbf83720b0879b4e46b4028d53202da

SHA256
c6b8365a3e94e182290b43befaf504b8df9c3d80cec77cea51c0d673e8bbf644

SHA512
4f815e126ecd09a1ce47ac185dcc84775569a80fb9ea27b15edd3aacaf6c2c7209feef6543c5ea85059a30a38487498ffc84174b9e7f90d61bb51d7cbaf7f52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
2ff4af7e6f152928d70baf3ada38bcd6

SHA1
aa66905b14ba79ef663bb5a560073cb66bee079c

SHA256
017579a5af058234366456eb3546e5608c158a3c65d879e7e027a1f3cc11d853

SHA512
9a99fb589f95bee85b24a2e8f87acc845a12271d881ca727edd4edb1879b7204cccda9fea351ec4b1363037052134b5db8c6efccee2ccda892e6f61a45cbb9b0

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1848-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1848-181-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1848-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1848-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1848-139-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1908-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1908-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1908-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1908-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1908-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1908-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1908-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1908-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1908-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1908-140-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1908-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1908-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1908-182-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads