0d883b311e67532d31edc50fb723df52b8bd410222a9b6955e757cdde3ebb920

General

Target

8a0532948ba6d86d3f68a035cb7e6a60N.exe
Size

41KB
MD5

8a0532948ba6d86d3f68a035cb7e6a60
SHA1

efaf1daf400b0bbce7b0c12733bb07f10ec06d3d
SHA256

0d883b311e67532d31edc50fb723df52b8bd410222a9b6955e757cdde3ebb920
SHA512

86213147cb4845efe9f310e2dd756bab4743aa7fd546de58774f84c0c84e324b2b27271d60ff0d6d9d745e9f6f3924cb0adbbe9c71b8ecb1646ee9a753940e7f
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4436	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2308-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0009000000023452-4.dat	upx
behavioral2/memory/4436-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2308-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4436-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4436-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4436-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4436-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4436-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2308-32-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4436-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2308-37-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4436-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000c000000023397-48.dat	upx
behavioral2/memory/4436-128-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2308-127-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2308-154-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4436-155-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4436-159-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2308-160-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4436-161-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2308-193-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4436-194-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	8a0532948ba6d86d3f68a035cb7e6a60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	8a0532948ba6d86d3f68a035cb7e6a60N.exe
File opened for modification	C:\Windows\java.exe	8a0532948ba6d86d3f68a035cb7e6a60N.exe
File created	C:\Windows\java.exe	8a0532948ba6d86d3f68a035cb7e6a60N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a0532948ba6d86d3f68a035cb7e6a60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 4436	2308	8a0532948ba6d86d3f68a035cb7e6a60N.exe	86
PID 2308 wrote to memory of 4436	2308	8a0532948ba6d86d3f68a035cb7e6a60N.exe	86
PID 2308 wrote to memory of 4436	2308	8a0532948ba6d86d3f68a035cb7e6a60N.exe	86

C:\Users\Admin\AppData\Local\Temp\8a0532948ba6d86d3f68a035cb7e6a60N.exe
"C:\Users\Admin\AppData\Local\Temp\8a0532948ba6d86d3f68a035cb7e6a60N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LNHEOAK4\default[1].htm

Filesize
315B

MD5
14b82aec966e8e370a28053db081f4e9

SHA1
a0f30ebbdb4c69947d3bd41fa63ec4929dddd649

SHA256
202eada95ef503b303a05caf5a666f538236c7e697f5301fd178d994fa6e24cf

SHA512
ec04f1d86137dc4d75a47ba47bb2f2c912115372fa000cf986d13a04121aae9974011aa716c7da3893114e0d5d0e2fb680a6c2fd40a1f93f0e0bfd6fd625dfa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LNHEOAK4\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5716.tmp

Filesize
41KB

MD5
a01766361a2144a0fbc5b9a5ee6f1618

SHA1
4486d50770a79fee23bf6f4f0ed9df0e6fac23f6

SHA256
0e944abfda1a8a723dbbd703bf6bcf9f68220d719feab8385f79885e8f6436f2

SHA512
459c44068ad92d4c6f2688c4fc9d68739aff18edbd457bf327b81a07832ae66a969177163ee4878f7d5c03d20012b241e1c73426a74dcc39796108672cf6438a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
5e447a339d1b8a4462c2779b66b4a288

SHA1
23e96c465d669fccd132fdaced1dc8b19c98583a

SHA256
d465d1848d2bada26252709b2ac36d19df265e86dfd5a0b7d810705369743e87

SHA512
6bfcc9e2f1f0a7414591c5f0bb3021c600248019e0c52f7e90dd07515f0d5feaf452b607c5697269b5a5c0ac09f1085a9ce7d2b971c7afe01a457db51710a66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
3379dc1a6a2b7a385c26c2d9b3d7b6ef

SHA1
1aa2b91e804f8dae5bc02f0d0deed379df6946fd

SHA256
a7fc463e268b7e7974d9a15edd539fb554bb01df6add5df2218c559844825f25

SHA512
ecb9bc18162482f93d309fd2f5e4a48b458cedc44d97e936f55bd4887a26b706a33de8e3450474b01bc4f550d070440ffa12dd1b4512d4acb4a4aa7d49f04bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
192B

MD5
e8090271436186295879c233e4e0dd85

SHA1
a48bb1913538780747940dab90532d5e1fc794f3

SHA256
d75eb6f45bcb46d9725339a622bd9f237a682ccd1f3053af26fcbba2b3dd4e81

SHA512
946ae79e7311fd8c8aef9a1c6129cfcdde2db2ba455da8f6646933e69b246f453c65391e5af788579039485f3943617a60c1e01a3aeddef1b88c0a5204a4c8c7

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2308-160-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2308-154-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2308-32-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2308-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2308-37-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2308-127-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2308-193-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2308-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4436-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4436-128-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4436-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4436-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4436-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4436-155-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4436-159-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4436-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4436-161-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4436-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4436-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4436-194-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4436-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads