af7e4368f14f40d5239ce02ca36ba8a3af3b162ee2c1d71fe2aa0a28aa24880b

Analysis

max time kernel
152s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2022, 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af7e4368f14f40d5239ce02ca36ba8a3af3b162ee2c1d71fe2aa0a28aa24880b.exe
Size

28KB
MD5

74dac7f1ffabf1d9421201a1429e42a5
SHA1

eb28590781efbed1a3e9306e42eadb688f9d07b4
SHA256

af7e4368f14f40d5239ce02ca36ba8a3af3b162ee2c1d71fe2aa0a28aa24880b
SHA512

6d417a9f99bc9f8f24bd2526d295fbfbc595b28d7884959fb7b038c60c15c754ace5a191547a0e000223c5f833706164847d020ebdd21b89551a5ec4d122d1ea
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNccNsP:Dv8IRRdsxq1DjJcqf1ci

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4016	services.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000022e20-133.dat	upx
behavioral2/files/0x000b000000022e20-134.dat	upx
behavioral2/memory/2968-136-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4016-137-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4016-138-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	af7e4368f14f40d5239ce02ca36ba8a3af3b162ee2c1d71fe2aa0a28aa24880b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	af7e4368f14f40d5239ce02ca36ba8a3af3b162ee2c1d71fe2aa0a28aa24880b.exe
File opened for modification	C:\Windows\java.exe	af7e4368f14f40d5239ce02ca36ba8a3af3b162ee2c1d71fe2aa0a28aa24880b.exe
File created	C:\Windows\java.exe	af7e4368f14f40d5239ce02ca36ba8a3af3b162ee2c1d71fe2aa0a28aa24880b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 4016	2968	af7e4368f14f40d5239ce02ca36ba8a3af3b162ee2c1d71fe2aa0a28aa24880b.exe	81
PID 2968 wrote to memory of 4016	2968	af7e4368f14f40d5239ce02ca36ba8a3af3b162ee2c1d71fe2aa0a28aa24880b.exe	81
PID 2968 wrote to memory of 4016	2968	af7e4368f14f40d5239ce02ca36ba8a3af3b162ee2c1d71fe2aa0a28aa24880b.exe	81

C:\Users\Admin\AppData\Local\Temp\af7e4368f14f40d5239ce02ca36ba8a3af3b162ee2c1d71fe2aa0a28aa24880b.exe
"C:\Users\Admin\AppData\Local\Temp\af7e4368f14f40d5239ce02ca36ba8a3af3b162ee2c1d71fe2aa0a28aa24880b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
aecd3aecddbd8c7f89bf5ef4982baa4a

SHA1
8dc6a0988f31dcdfef3a65eb0571c092193b4a79

SHA256
59a96df327bbe19075d0e31c0541f70ece70ced64fac01a84acd03caf5efbcde

SHA512
dcb0a9fc0a33a045abe0dc4fcdbd0e0c28f55bbd8da98abb6f14fbf011ad9bdc30aad990281d9bf422a5d6bf24f93b2467623b38da50c1e2cfcf3e545840f225

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
b414731ee91e348494cd4d203cf5e95b

SHA1
fc34414eb6a0f1086f0c174081b1cd1d614733f4

SHA256
5f44e36e2457333e1d5b684be7d337e04b802ba04eb074dc0f2fa3cc686b18fa

SHA512
7fddc26e174a67f3c73d1c8808acb56d674cd44ceae79d6178e6de772a4a2dcf23a8605b8716ca4941852444092e9584b74561551b63a315582cee7829d5ebbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
8ca9368b98bd4eb418df0806cb6b7cc7

SHA1
62203f1cc175385032bc45efb9965d5885302d0d

SHA256
f8164d5cd5fb2a005a97b35a9a07a29bc7e25715c465c454ab39474b8bf50cfd

SHA512
677b8b2b2d1fdd5171fdeec559ff775344db13064eb6b646ae99708b736f95212a7a4627097ab03d2f6a9dcee52af9c4f05537dcf970af27a1790fc787b36a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
62d4c24b57f515c5554ef0591ed2968b

SHA1
e49dc723ab492a0d79dc7af7e78ea9a1853719c6

SHA256
f662b6dd50621d27dca9581044b6b736fdc0f2c3e88a18ae3c2faa40f6af669b

SHA512
3346a86d2195f432ab1556259488f315d889892b0b4060b64627587d4f3df0f39309ea6c726ba6e196e10789cc527b0ef73fc447a41857f7b5795300fdaeec66

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2968-136-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4016-137-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4016-138-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download