fb506673682a23808e6c54a385bf9a909d24fa27fcf23d2381a5d1a043e45d3b

General

Target

fb506673682a23808e6c54a385bf9a909d24fa27fcf23d2381a5d1a043e45d3b.exe
Size

28KB
MD5

562e841b5cf4de943caedcfa19dee1fd
SHA1

820c7a48fa2124bb1061dcbfe995ac79766fea0f
SHA256

fb506673682a23808e6c54a385bf9a909d24fa27fcf23d2381a5d1a043e45d3b
SHA512

df5a6951d62a526c327c15838ff6e4dee96b84894e51f87e1f129a5e9634abc83c00d9a96eace66406fd970676e953d7f8a14ffa75ba6406f4ae5394b31065a5
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyN+kyb5:Dv8IRRdsxq1DjJcqf3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1412	services.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4716-132-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0006000000022f75-134.dat	upx
behavioral2/files/0x0006000000022f75-135.dat	upx
behavioral2/memory/1412-137-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4716-138-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1412-139-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	fb506673682a23808e6c54a385bf9a909d24fa27fcf23d2381a5d1a043e45d3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	fb506673682a23808e6c54a385bf9a909d24fa27fcf23d2381a5d1a043e45d3b.exe
File opened for modification	C:\Windows\java.exe	fb506673682a23808e6c54a385bf9a909d24fa27fcf23d2381a5d1a043e45d3b.exe
File created	C:\Windows\java.exe	fb506673682a23808e6c54a385bf9a909d24fa27fcf23d2381a5d1a043e45d3b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 1412	4716	fb506673682a23808e6c54a385bf9a909d24fa27fcf23d2381a5d1a043e45d3b.exe	80
PID 4716 wrote to memory of 1412	4716	fb506673682a23808e6c54a385bf9a909d24fa27fcf23d2381a5d1a043e45d3b.exe	80
PID 4716 wrote to memory of 1412	4716	fb506673682a23808e6c54a385bf9a909d24fa27fcf23d2381a5d1a043e45d3b.exe	80

C:\Users\Admin\AppData\Local\Temp\fb506673682a23808e6c54a385bf9a909d24fa27fcf23d2381a5d1a043e45d3b.exe
"C:\Users\Admin\AppData\Local\Temp\fb506673682a23808e6c54a385bf9a909d24fa27fcf23d2381a5d1a043e45d3b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
8703eea7c82547d779735075ad8baa60

SHA1
4bf6efd39d32ed3e1e4bbc01a0c8592526c27cde

SHA256
be575364585f20868db8495920ad2a867e76f2b9bceb5989c3e6ed5a6de6f491

SHA512
438d7d48b05199c24ba6533454326afba95ec99b481a56cf7fb25e361da2ca773be168cf8c45521b60a6e79f155c74fea79a3eab02ebb94c877420b5768db119

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
3eef2dbd77ec6abacc3359ec2ac44bdc

SHA1
5a53519ff298d6711215cc1ff77f695d5b52eaa4

SHA256
77c9abee9dc3935630af7b812d844dde2ab0408019efc9221c5323367734476e

SHA512
1f60fac9cb3ac5bc18e156fa18752b5568cb5d585705061e2a5a898a03652853e7a5bca9233b9408b1656a2781cf3955cd0f53d3f4e5e9f4ae6afc6c9ba5ea3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
5a501765680d8fdbad2171b23ea0750f

SHA1
2e41121126fef6705ddabb496a8d031466d01fd1

SHA256
2bad9db1db02563cd82b821c7375867d8eb40cf9848355b1d0ad724a8394b1c1

SHA512
0ef5b08bfb9ae82d82e47cbd65f23c153c0e0a0f9c5a54fbfcdd7ee09d3e266dd8c86199d40c58645bd9291972134f677855ae35aa5022b5b40c8e2339f0d28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
6547dddc16718a8f53d68db86aa6450a

SHA1
e59885202586db4a191e2add128e326e59d5cc79

SHA256
84d012d0435c9794119e2b040ed1d00ede370535feb04aae8da9015d7c251af6

SHA512
a86d9c6086e32579b95b7bee8cf028c157f8b0989896aed04a1e3e1edf9551a79a9f784f73fc8bf7ba47542679c4f83379a859b171d49d9fc162f0eb5badc2c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1412-133-0x0000000000000000-mapping.dmp

Download
memory/1412-137-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1412-139-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4716-132-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4716-138-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing