0a02b798573734f20ba192d61c70d3ed7ef50d8f3aa61df95832331c0f43d52a

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a02b798573734f20ba192d61c70d3ed7ef50d8f3aa61df95832331c0f43d52a.exe
Size

28KB
MD5

6a1d7e2f8d72db48417cff4d8430edf0
SHA1

a08e4bfe36403869b5f11af0912db931e93eb794
SHA256

0a02b798573734f20ba192d61c70d3ed7ef50d8f3aa61df95832331c0f43d52a
SHA512

181fd3c0e017d666010c1108fd1e73c9c3c08ea8dfa12282a21de0bce1a9ca9dab03193aba2c468513d2e7b70e9a44185f96fe9511e4f887f376dc361b4522fd
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyN1Rtze:Dv8IRRdsxq1DjJcqf6te

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3540	services.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000000721-133.dat	upx
behavioral2/files/0x0003000000000721-134.dat	upx
behavioral2/memory/2080-136-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3540-137-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3540-138-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	0a02b798573734f20ba192d61c70d3ed7ef50d8f3aa61df95832331c0f43d52a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	0a02b798573734f20ba192d61c70d3ed7ef50d8f3aa61df95832331c0f43d52a.exe
File opened for modification	C:\Windows\java.exe	0a02b798573734f20ba192d61c70d3ed7ef50d8f3aa61df95832331c0f43d52a.exe
File created	C:\Windows\java.exe	0a02b798573734f20ba192d61c70d3ed7ef50d8f3aa61df95832331c0f43d52a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 3540	2080	0a02b798573734f20ba192d61c70d3ed7ef50d8f3aa61df95832331c0f43d52a.exe	84
PID 2080 wrote to memory of 3540	2080	0a02b798573734f20ba192d61c70d3ed7ef50d8f3aa61df95832331c0f43d52a.exe	84
PID 2080 wrote to memory of 3540	2080	0a02b798573734f20ba192d61c70d3ed7ef50d8f3aa61df95832331c0f43d52a.exe	84

C:\Users\Admin\AppData\Local\Temp\0a02b798573734f20ba192d61c70d3ed7ef50d8f3aa61df95832331c0f43d52a.exe
"C:\Users\Admin\AppData\Local\Temp\0a02b798573734f20ba192d61c70d3ed7ef50d8f3aa61df95832331c0f43d52a.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
13d330ef03967187aa4c5efc8300213c

SHA1
d9b71763d4e44e417ffe0499e569ab6a60590f27

SHA256
8c2f14bbd558af0185f3f2a1c114293f98dbe0aaa42dd6851ff5ec0f5d0d785b

SHA512
de71f85aa06bde4ee8b36a4654f1ef1d3828cb80cf9c5bce8916d49cad9d410582959d1eacfb582aaaef5309615e2ef1519c480c1f941408e48c4039996c687d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
026571dbb553a3909ca29bafbbd50758

SHA1
8e1ed1177fbd8c59f5f3d354e3671ad3e796db5b

SHA256
78dfed0ebe1d8efa33eb7cea8e381266de45f0a83f01514a3f262680b3e168ae

SHA512
ac15f21954272ca7ef43044d3310d2722e61dcbf5deccb3adab430a430bbb4334168da371aa6f17f1c270a67ca3ab1a189795c7d3ba1053ab525afcef91210f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
9f6559507c36875fe93f511b146b0962

SHA1
c2688e820afce91da9e31bfe1528c60f2457d9fe

SHA256
386b5ee8c2369933d554d9ebda15e3ace640d46d7042599e4ad6379df17afe83

SHA512
7404ffe2f7b7dc2437d1c5bf40a6673406f8264068ea144aa13247aa37397f9710b5ada7988762c7b07a8b8c8d2b2dac5da23434036baca452406edbfb8d74c4

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2080-136-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3540-137-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3540-138-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download