b3bc3a952ff9901920241040f5e819d4d3f271045904824b16e1f4138816ce4e

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3bc3a952ff9901920241040f5e819d4d3f271045904824b16e1f4138816ce4e.exe
Size

28KB
MD5

84740020e03aafa399b97648188fe193
SHA1

b15e43da9154c42d845b02c62106d2050e38ce0d
SHA256

b3bc3a952ff9901920241040f5e819d4d3f271045904824b16e1f4138816ce4e
SHA512

c7541e111dd0e511227cb7d728d2e487091bb29779ac3f407e556e82ab5f6d51b5594dddb49e7cefcbf1adfd75f07c69c12b8cdf1ffa0205ea2b5ff83f2fc247
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNs1lAd:Dv8IRRdsxq1DjJcqfjs

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1016	services.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2840-132-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0006000000022f57-134.dat	upx
behavioral2/files/0x0006000000022f57-135.dat	upx
behavioral2/memory/1016-137-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2840-138-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1016-139-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	b3bc3a952ff9901920241040f5e819d4d3f271045904824b16e1f4138816ce4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	b3bc3a952ff9901920241040f5e819d4d3f271045904824b16e1f4138816ce4e.exe
File opened for modification	C:\Windows\java.exe	b3bc3a952ff9901920241040f5e819d4d3f271045904824b16e1f4138816ce4e.exe
File created	C:\Windows\java.exe	b3bc3a952ff9901920241040f5e819d4d3f271045904824b16e1f4138816ce4e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 1016	2840	b3bc3a952ff9901920241040f5e819d4d3f271045904824b16e1f4138816ce4e.exe	78
PID 2840 wrote to memory of 1016	2840	b3bc3a952ff9901920241040f5e819d4d3f271045904824b16e1f4138816ce4e.exe	78
PID 2840 wrote to memory of 1016	2840	b3bc3a952ff9901920241040f5e819d4d3f271045904824b16e1f4138816ce4e.exe	78

C:\Users\Admin\AppData\Local\Temp\b3bc3a952ff9901920241040f5e819d4d3f271045904824b16e1f4138816ce4e.exe
"C:\Users\Admin\AppData\Local\Temp\b3bc3a952ff9901920241040f5e819d4d3f271045904824b16e1f4138816ce4e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
f93a93950b28be70c5f5b0c7290f0d69

SHA1
533f82d5e765a64afbe82ff0afae353a2444dd0b

SHA256
3b3321e1b9f95a491d3e8535d24f4a4eb47df3fbc0a02797a7daa6bbd813aeff

SHA512
743d5f700da823a5c0697e8a43565c530a9a9fe1095ff9006ef2e38dfe7ee4af947aa07582494ec513c45cc9e90f290f936960a0f584a82e88e514061dd88fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
a01c6488bd21e011a6a6449909df32c2

SHA1
ca13e98b5e6b401bbcb9556b79e67ef9f66c23fb

SHA256
a30a5997b06c8ee6cabd582eb72ec92c6abdfac906141a1cf282a369949c2467

SHA512
5535e21cac4ef58921b3c1c0c46d2d4e376dcd59c505fa8f87c2a0365bb38550f333dcb67281ca229b98354717cd697cc4becd7a1b1c7f904472448b49d8e3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
316422748b0c791d399d938510ad8516

SHA1
66a5bb77a9a1ce02be85f7e65eb8e8338d0702bc

SHA256
6e23692299cfb2b42d48f7b355d044290b6e5273fb72d9ffe51f6c3fa01b3fad

SHA512
41372810114b80168a0ac9b9556aa5c4eea7459f84a28cb95349fcf7561acd3fd0fcf8197fa223080431b8cde698342134984460f23ad3ada51e09285e24c689

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1016-137-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1016-139-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2840-132-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2840-138-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download