Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 04-12-2021 07:57
Static task: static1
Behavioral task: behavioral1
  Sample: 13c05f728f59b645759ccff2469dd2b2.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: 13c05f728f59b645759ccff2469dd2b2.exe
  Resource: win10-en-20211014
General
- Target: 13c05f728f59b645759ccff2469dd2b2.exe
- Size: 28KB
- MD5: 13c05f728f59b645759ccff2469dd2b2
- SHA1: a2879876885d68be54bc0d9307a8ea0b4182560b
- SHA256: 6f064d4987b4202ebe2faaab28f3582dd784f24fa1a13f305051a6d7e85a78ed
- SHA512: f9b099b8a7a58f21b156fad55d833f6fd182e2129e2b534a985cbb0fd10b55aa46146edd4760bb194005a6c6a26155f290e9a6d98abf580b788a2ac5cd9b56bd
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes: services.exe
pid    process
2660   services.exe
-
Processes:
resource                  yara_rule
C:\Windows\services.exe   upx
C:\Windows\services.exe   upx
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 13c05f728f59b645759ccff2469dd2b2.exe, services.exe
description       ioc                                                                                                            process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"       13c05f728f59b645759ccff2469dd2b2.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"  services.exe
-
Drops file in Windows directory 3 IoCs
Processes: 13c05f728f59b645759ccff2469dd2b2.exe
description                    ioc                       process
File created                   C:\Windows\services.exe   13c05f728f59b645759ccff2469dd2b2.exe
File opened for modification   C:\Windows\java.exe       13c05f728f59b645759ccff2469dd2b2.exe
File created                   C:\Windows\java.exe       13c05f728f59b645759ccff2469dd2b2.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes: 13c05f728f59b645759ccff2469dd2b2.exe
description                        pid    process                                target process
PID 2436 wrote to memory of 2660   2436   13c05f728f59b645759ccff2469dd2b2.exe   services.exe
PID 2436 wrote to memory of 2660   2436   13c05f728f59b645759ccff2469dd2b2.exe   services.exe
PID 2436 wrote to memory of 2660   2436   13c05f728f59b645759ccff2469dd2b2.exe   services.exe
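The signatures above reduce to a handful of host-observable IOCs: two Run-key values (JavaVM and Services), two files dropped directly into C:\Windows, and the SHA-256 of the dropped services.exe. The following matcher is an added example, not part of the Triage report, showing how those IOCs can be checked against Sysmon-style telemetry. The event records are constructed for the example (field names follow Sysmon's RegistryEvent, FileCreate and ProcessCreate schema; the values are made up to mirror the report, not real logs from the run). Two caveats a hunter needs are built in: the sandbox recorded the Run keys under WOW6432Node because the 32-bit sample was redirected on x64, so the matcher strips that component to also catch the un-redirected key a 32-bit host would show; and the legitimate services.exe lives in C:\Windows\System32, so C:\Windows\services.exe is treated as a masquerade path regardless of hash.

```python
"""Match the behavioural IOCs from this sandbox report against Sysmon-style events.

Added example. The IOCs (Run-key names and values, dropped-file paths, the
dropped services.exe SHA-256) are copied from the report; the events in
SAMPLE_EVENTS are constructed, not real telemetry.
"""
from __future__ import annotations

import re

# Run-key IOCs, stored without hive prefix and without WOW6432Node (see normalize_reg_path).
RUN_KEY_IOCS = {
    r"software\microsoft\windows\currentversion\run\javavm": r"c:\windows\java.exe",
    r"software\microsoft\windows\currentversion\run\services": r"c:\windows\services.exe",
}
# Files the sample dropped straight into the Windows directory.
DROPPED_PATHS = {r"c:\windows\services.exe", r"c:\windows\java.exe"}
# SHA-256 of the dropped services.exe, from the Downloads section of the report.
DROPPED_SHA256 = {
    "bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c": r"c:\windows\services.exe",
}

_HIVE_PREFIX = re.compile(r"^(\\registry\\machine\\|hklm\\|hkey_local_machine\\)")


def normalize_reg_path(path: str) -> str:
    """Lower-case, strip the HKLM prefix (NT and Win32 spellings) and drop WOW6432Node.

    The sandbox logged the key as \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\...
    because a 32-bit process on x64 is redirected; a 32-bit host, or a 64-bit
    dropper, would write the same value without the WOW6432Node component.
    """
    p = _HIVE_PREFIX.sub("", path.lower())
    return p.replace(r"\wow6432node\\".rstrip("\\") + "\\", "\\")


def parse_hashes(field: str) -> dict[str, str]:
    """Sysmon's Hashes field is 'MD5=...,SHA256=...,IMPHASH=...' (any subset)."""
    out: dict[str, str] = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def match_event(ev: dict) -> list[str]:
    """Return human-readable findings for one event, empty list if it is benign."""
    findings: list[str] = []
    eid = ev.get("EventID")
    if eid == 13:  # RegistryEvent (value set)
        key = normalize_reg_path(ev.get("TargetObject", ""))
        expected = RUN_KEY_IOCS.get(key)
        if expected is not None and ev.get("Details", "").strip('"').lower() == expected:
            findings.append(f"run-key persistence: {ev['TargetObject']} = {ev['Details']}")
    elif eid == 11:  # FileCreate
        if ev.get("TargetFilename", "").lower() in DROPPED_PATHS:
            findings.append(f"dropped file in Windows directory: {ev['TargetFilename']}")
    elif eid == 1:  # ProcessCreate
        image = ev.get("Image", "").lower()
        sha = parse_hashes(ev.get("Hashes", "")).get("SHA256")
        if sha in DROPPED_SHA256:
            findings.append(f"known dropped binary executed: {ev['Image']} sha256={sha}")
        elif image in DROPPED_PATHS:
            # Path-only match: a repacked variant changes the hash but not the
            # masquerade location (the real services.exe is in System32).
            findings.append(f"executable launched from a dropped-file path: {ev['Image']}")
    return findings


def scan(events: list[dict]) -> list[str]:
    """Run match_event over a sequence of events and collect all findings."""
    return [f for ev in events for f in match_event(ev)]


# Constructed sample telemetry mirroring the report (not real logs).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\13c05f728f59b645759ccff2469dd2b2.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM",
     "Details": r"C:\Windows\java.exe"},
    {"EventID": 13, "Image": r"C:\Windows\services.exe",  # un-redirected spelling
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services",
     "Details": r"C:\Windows\services.exe"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\services.exe"},
    {"EventID": 1, "Image": r"C:\Windows\services.exe", "ParentImage": DROPPER,
     "Hashes": "MD5=b0fe74719b1b647e2056641931907f4a,"
               "SHA256=BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C"},
    # Benign: the real services.exe and an unrelated Run value.
    {"EventID": 1, "Image": r"C:\Windows\System32\services.exe", "Hashes": "SHA256=0000"},
    {"EventID": 13, "Image": r"C:\Program Files\Example\app.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleApp",
     "Details": r"C:\Program Files\Example\app.exe"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Run as-is it prints four findings (two Run keys, one file drop, one execution of the dropped binary) and stays silent on the two benign events. To use it on real data, feed it parsed Sysmon events with the same field names; the WOW6432Node normalisation means a rule written from this x64 report still fires on a 32-bit host.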
Processes
-
C:\Users\Admin\AppData\Local\Temp\13c05f728f59b645759ccff2469dd2b2.exe (PID 2436)
"C:\Users\Admin\AppData\Local\Temp\13c05f728f59b645759ccff2469dd2b2.exe"
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\services.exe (PID 2660, child of PID 2436)
  "C:\Windows\services.exe"
  - Executes dropped EXE
  - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5: 38095ad86edad94a4813d59ab1307142
SHA1: c3981a6a61e48884de4fcdcd62c2d30dc9a2f5a1
SHA256: 43911a83443780ef47722c818dd0e9f66c508dc294c4b1c29567fa667c3429e7
SHA512: d4067c9c59532bc71e2d58f8cb62e79204bf96187220d86883febb44d1c6c06d99e8d216c201c0119caf8927cbd6b535c6c3f4aef3d590bc528c96e2e7236fdb
-
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5: c2759112ba6c6da6df574170560c2cbd
SHA1: fdf3b53a3f81975c1222258205f8edd809cec56f
SHA256: c323fe4512e5d68c2141838ddd769cecf6f5a8c694aac215dba9837cc66d3483
SHA512: 6dc3a8f54511a47d199c75003678c10a21a104db52d8df3aa9c25c6b28e1adaee7339651ace70363c9015ba53e91956a77787d53deef685447247ccec01e8562
-
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5: 91e31291a224d15a56e38fef42ebbce1
SHA1: d70e41e0d4ff50c43fbb49faa1ee9af3ab4e6ca9
SHA256: 745b238a0b3288e3dd1235b65033c357c3fe72bb14b194bfb6475fdb71d5f17a
SHA512: aa288796a5de27f87d38176df99a4a474194a066b5d8a9a1bee7773133106954d866a789e1a235eb80f4870dc07f7e1d3c9a5b01ba81350ac3e54f1bdbf919c9
-
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5: c181b8c299b1b967f78919a0858ee32e
SHA1: f21b195e984e66222b61d458c173376e69764feb
SHA256: 5833fedee4d5abbf1c8ba5868018a439b476b6e5b4f27aa8ef122fd13d4fc814
SHA512: d99b563a6b5ab5e3afcd26da07b8546454732f5999abf8560056086a5f23ea25309a9c02585dc53fc46fe4983d84c31b98026487dc2e657978dd78ab10b959b2
-
C:\Windows\services.exe
MD5: b0fe74719b1b647e2056641931907f4a
SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2
-
memory/2660-115-0x0000000000000000-mapping.dmp