39c5534274a08195ccc28cd18b39d1f37b7d9215cb6aae8d6d9d746a1224026b

General

Target

13c05f728f59b645759ccff2469dd2b2.exe
Size

28KB
MD5

13c05f728f59b645759ccff2469dd2b2
SHA1

a2879876885d68be54bc0d9307a8ea0b4182560b
SHA256

6f064d4987b4202ebe2faaab28f3582dd784f24fa1a13f305051a6d7e85a78ed
SHA512

f9b099b8a7a58f21b156fad55d833f6fd182e2129e2b534a985cbb0fd10b55aa46146edd4760bb194005a6c6a26155f290e9a6d98abf580b788a2ac5cd9b56bd

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

2660 services.exe

pid	process
2660	services.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\services.exe	upx
C:\Windows\services.exe	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

13c05f728f59b645759ccff2469dd2b2.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	13c05f728f59b645759ccff2469dd2b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

13c05f728f59b645759ccff2469dd2b2.exe

description	ioc	process
File created	C:\Windows\services.exe	13c05f728f59b645759ccff2469dd2b2.exe
File opened for modification	C:\Windows\java.exe	13c05f728f59b645759ccff2469dd2b2.exe
File created	C:\Windows\java.exe	13c05f728f59b645759ccff2469dd2b2.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

13c05f728f59b645759ccff2469dd2b2.exe

description	pid	process	target process
PID 2436 wrote to memory of 2660	2436	13c05f728f59b645759ccff2469dd2b2.exe	services.exe
PID 2436 wrote to memory of 2660	2436	13c05f728f59b645759ccff2469dd2b2.exe	services.exe
PID 2436 wrote to memory of 2660	2436	13c05f728f59b645759ccff2469dd2b2.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\13c05f728f59b645759ccff2469dd2b2.exe
"C:\Users\Admin\AppData\Local\Temp\13c05f728f59b645759ccff2469dd2b2.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
38095ad86edad94a4813d59ab1307142

SHA1
c3981a6a61e48884de4fcdcd62c2d30dc9a2f5a1

SHA256
43911a83443780ef47722c818dd0e9f66c508dc294c4b1c29567fa667c3429e7

SHA512
d4067c9c59532bc71e2d58f8cb62e79204bf96187220d86883febb44d1c6c06d99e8d216c201c0119caf8927cbd6b535c6c3f4aef3d590bc528c96e2e7236fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
c2759112ba6c6da6df574170560c2cbd

SHA1
fdf3b53a3f81975c1222258205f8edd809cec56f

SHA256
c323fe4512e5d68c2141838ddd769cecf6f5a8c694aac215dba9837cc66d3483

SHA512
6dc3a8f54511a47d199c75003678c10a21a104db52d8df3aa9c25c6b28e1adaee7339651ace70363c9015ba53e91956a77787d53deef685447247ccec01e8562

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
91e31291a224d15a56e38fef42ebbce1

SHA1
d70e41e0d4ff50c43fbb49faa1ee9af3ab4e6ca9

SHA256
745b238a0b3288e3dd1235b65033c357c3fe72bb14b194bfb6475fdb71d5f17a

SHA512
aa288796a5de27f87d38176df99a4a474194a066b5d8a9a1bee7773133106954d866a789e1a235eb80f4870dc07f7e1d3c9a5b01ba81350ac3e54f1bdbf919c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
c181b8c299b1b967f78919a0858ee32e

SHA1
f21b195e984e66222b61d458c173376e69764feb

SHA256
5833fedee4d5abbf1c8ba5868018a439b476b6e5b4f27aa8ef122fd13d4fc814

SHA512
d99b563a6b5ab5e3afcd26da07b8546454732f5999abf8560056086a5f23ea25309a9c02585dc53fc46fe4983d84c31b98026487dc2e657978dd78ab10b959b2

Download Submit
C:\Windows\services.exe
MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe
MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2660-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads