9ccba9179e1e36fc5571738fb046617955e9d145116b2aa028e335e5d7153b99

General

Target

Cincoo.exe
Size

423KB
MD5

7976be9650ff52c6d9900a10999b1aa3
SHA1

fe28575b83718ac91e2e4dea643d0e897ef80b59
SHA256

9ccba9179e1e36fc5571738fb046617955e9d145116b2aa028e335e5d7153b99
SHA512

b9eb73fa9a32d23329dca575359ef1ecb896cd41cff92272ded1de9c7983eecfb263675d2aee54fad9acaec31436df10b5d598d90e5a07c60680a003ab108b55

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 956 created 2732 956 WerFault.exe Cincoo.exe

description	pid	process	target process
PID 956 created 2732	956	WerFault.exe	Cincoo.exe

Drops file in Program Files directory 64 IoCs

Processes:

Cincoo.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\WideLogo.scale-200.png_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gn_60x42.png_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\pe_16x11.png_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\MapsClientGraph.dll_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\illustrations_retina.png_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.dic_enc	Cincoo.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ul-oob.xrm-ms_enc	Cincoo.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms_enc	Cincoo.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\party.png_enc	Cincoo.exe
File created	C:\Program Files\ConvertEdit.asf_enc	Cincoo.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\plugin.jar_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\_Resources\1.rsrc_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsMedTile.scale-200.png_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-4x.png_enc	Cincoo.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll_enc	Cincoo.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png_enc	Cincoo.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_EN.LEX_enc	Cincoo.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.White@3x.png_enc	Cincoo.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationFramework.resources.dll_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-400.png_enc	Cincoo.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif_enc	Cincoo.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api_enc	Cincoo.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml_enc	Cincoo.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\XboxControl\Xbox-press.png_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-72.png_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\uk-ua\ui-strings.js_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\adobe_logo.png_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\ResetCoord.scale-180.png_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.VideoTk\ConvertPS_BGRAtoUV.cso_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_18.svg_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-focus_32.svg_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\ui-strings.js_enc	Cincoo.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll_enc	Cincoo.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\TimerMedTile.scale-200.png_enc	Cincoo.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Resources.dll_enc	Cincoo.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\sz_16x11.png_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-black\Movie-TVStoreLogo.scale-200_contrast-black.png_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\WesternDeck4.jpg_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\ui-strings.js_enc	Cincoo.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar_enc	Cincoo.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\PREVIEW.GIF_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutArchiveImage.layoutdir-RTL.gif_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-150.png_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main.css_enc	Cincoo.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6486_24x24x32.png_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\index_poster.jpg_enc	Cincoo.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcor.dll.mui_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\yes.png_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml_enc	Cincoo.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Solve\autosolve_button_press.mobile.png_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\CompositeSurface\CompositeControl.xaml_enc	Cincoo.exe
File created	C:\Program Files\Windows Defender\ClientWMIInstall.mof_enc	Cincoo.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libreal_plugin.dll_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Popups\Upsell\dont_ask_button.jpg_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\mask\1s.png_enc	Cincoo.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Microsoft.StickyNotes.dll_enc	Cincoo.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

956 2732 WerFault.exe Cincoo.exe

pid	pid_target	process	target process
956	2732	WerFault.exe	Cincoo.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
956	WerFault.exe
956	WerFault.exe
956	WerFault.exe
956	WerFault.exe
956	WerFault.exe
956	WerFault.exe
956	WerFault.exe
956	WerFault.exe
956	WerFault.exe
956	WerFault.exe
956	WerFault.exe
956	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 956 WerFault.exe
Token: SeBackupPrivilege 956 WerFault.exe
Token: SeDebugPrivilege 956 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	956	WerFault.exe
Token: SeBackupPrivilege	956	WerFault.exe
Token: SeDebugPrivilege	956	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Cincoo.exe
"C:\Users\Admin\AppData\Local\Temp\Cincoo.exe"
1⤵
- Drops file in Program Files directory
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 920
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads