a5c06d90d7efab7968406fae14a64763ce971f919f2d2c276b5e44425f80c95b

Analysis

max time kernel
163s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5c06d90d7efab7968406fae14a64763ce971f919f2d2c276b5e44425f80c95b.exe
Size

28KB
MD5

07c32be8968c25d5e7648d8dc46a82c2
SHA1

2cd008a8ca4f8e2c21fd8e92d14620f182001a45
SHA256

a5c06d90d7efab7968406fae14a64763ce971f919f2d2c276b5e44425f80c95b
SHA512

dd307641e8827b2a41a4ba5ed11595112737723f60af3adbaa32fa62a1f2db1c61b1036c3d0609abd4667363382faa889b4df7b16b815daefb6b6e5fc389cae8
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNbFfS:Dv8IRRdsxq1DjJcqfGS

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
816	services.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000022e3a-133.dat	upx
behavioral2/files/0x000b000000022e3a-134.dat	upx
behavioral2/memory/3308-135-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/816-136-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/816-138-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	a5c06d90d7efab7968406fae14a64763ce971f919f2d2c276b5e44425f80c95b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	a5c06d90d7efab7968406fae14a64763ce971f919f2d2c276b5e44425f80c95b.exe
File created	C:\Windows\services.exe	a5c06d90d7efab7968406fae14a64763ce971f919f2d2c276b5e44425f80c95b.exe
File opened for modification	C:\Windows\java.exe	a5c06d90d7efab7968406fae14a64763ce971f919f2d2c276b5e44425f80c95b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 816	3308	a5c06d90d7efab7968406fae14a64763ce971f919f2d2c276b5e44425f80c95b.exe	83
PID 3308 wrote to memory of 816	3308	a5c06d90d7efab7968406fae14a64763ce971f919f2d2c276b5e44425f80c95b.exe	83
PID 3308 wrote to memory of 816	3308	a5c06d90d7efab7968406fae14a64763ce971f919f2d2c276b5e44425f80c95b.exe	83

C:\Users\Admin\AppData\Local\Temp\a5c06d90d7efab7968406fae14a64763ce971f919f2d2c276b5e44425f80c95b.exe
"C:\Users\Admin\AppData\Local\Temp\a5c06d90d7efab7968406fae14a64763ce971f919f2d2c276b5e44425f80c95b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
2ae86d99cee995036b9a60f41c0c702c

SHA1
77a5403b6bd58cca1a11f0d7f9a5dd8f3470f482

SHA256
45da932a7e08061f4aa2a832e4c372bfd51a2c9e630475d57ffd456a6c7e240b

SHA512
83a3bcef1f9c7c76b27b2a70ce2c09769d328c6427973e5f81d1d6becb3bfa57c1dfbe9ae8d39c5e73847c84f1df3b38c9af3d79a6825d0d6885943493d46bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
9588848b2007851d553994c85e2581b8

SHA1
4fb40c757414f48c8df6ea4f2cf15c63c33fdc6a

SHA256
a721209f669cf8f4f7b3dc802a656e7936af6b6525f668c18225e3f892357bf1

SHA512
8d477db3c9ec32f5f835b0da6f9d47c4ae77b64047450918492b3e3e20b1bb2e47fa9bea68f62f1daf2ee88b56f9d8aa491d204b35ac0a0cd26d8ecc3f7ff07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
6f01266cd2e439a52fb8154d468d4522

SHA1
c3d5e328d7a475d7634081e56498608c37b65797

SHA256
706864e4b12d236488715b301c91f9742c73e6446eacf5881325913f27169a5b

SHA512
0f934d6fafe896af726ddee7dc9f351709b8a23851fcb8ab92cf0e3065ad422889c2fb740fc71a00aef15e7c86f813d6c14d5bd7c4188f8826881d1872758cdc

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/816-136-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/816-138-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3308-135-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download