742673577f8e2283a66c657b1ee1fbf419b386bd8cbd2f2b5204ffeb1ab6284b

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

742673577f8e2283a66c657b1ee1fbf419b386bd8cbd2f2b5204ffeb1ab6284b.exe
Size

28KB
MD5

c9c78deaa0ea6b9aced05d8f79daa097
SHA1

c6e475376efe35e543adf04baeae83d3c124a979
SHA256

742673577f8e2283a66c657b1ee1fbf419b386bd8cbd2f2b5204ffeb1ab6284b
SHA512

03e4916c0fb8f40b1957f9d44858b450545ee0081bf7c46bd5751a4293a6485ad06d50e706bb0db0c29cddc072168bd0d21f84fd5a8565059792e76bd39792c8
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNCpI/74AnQ3:Dv8IRRdsxq1DjJcqfJCY

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4316	services.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3404-132-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0002000000022e63-134.dat	upx
behavioral2/files/0x0002000000022e63-135.dat	upx
behavioral2/memory/4316-137-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3404-138-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4316-139-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	742673577f8e2283a66c657b1ee1fbf419b386bd8cbd2f2b5204ffeb1ab6284b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	742673577f8e2283a66c657b1ee1fbf419b386bd8cbd2f2b5204ffeb1ab6284b.exe
File created	C:\Windows\services.exe	742673577f8e2283a66c657b1ee1fbf419b386bd8cbd2f2b5204ffeb1ab6284b.exe
File opened for modification	C:\Windows\java.exe	742673577f8e2283a66c657b1ee1fbf419b386bd8cbd2f2b5204ffeb1ab6284b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 4316	3404	742673577f8e2283a66c657b1ee1fbf419b386bd8cbd2f2b5204ffeb1ab6284b.exe	82
PID 3404 wrote to memory of 4316	3404	742673577f8e2283a66c657b1ee1fbf419b386bd8cbd2f2b5204ffeb1ab6284b.exe	82
PID 3404 wrote to memory of 4316	3404	742673577f8e2283a66c657b1ee1fbf419b386bd8cbd2f2b5204ffeb1ab6284b.exe	82

C:\Users\Admin\AppData\Local\Temp\742673577f8e2283a66c657b1ee1fbf419b386bd8cbd2f2b5204ffeb1ab6284b.exe
"C:\Users\Admin\AppData\Local\Temp\742673577f8e2283a66c657b1ee1fbf419b386bd8cbd2f2b5204ffeb1ab6284b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
0668c2efdaf948ae50b102b41bcdc08c

SHA1
d4c8d5186b7045ed14c8d5fa5a5d759090977f78

SHA256
83ed605827c22495ae9becebc6a5f0ef3b40694e639edd5fcb8f1740e2d9fa17

SHA512
0a39b8d3eccbb8435ea3307e34da55a87efc562d1d7d96015e100142de7ef89366cd9d21a4aae88c57fe0d226ac7893736fd62b183aff7bd1c9041b0119ebe0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
7521f48fbe81b457278dfac367c37bda

SHA1
4acf0d4683f3d822cf388db2328aa82e46512603

SHA256
cf57776a91c0d78a361480eee4b9fd257db1c8170bdb8c8a288892142b405652

SHA512
c1cbf54c0e299e9b39938df8be6bb56bbb85e05fceec3f143483365b93ff7035cafdd6bd15deee918dc2f7f13213b7ed1e84721d4efb2ebe059bf8cac1d9c2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
fff9a88bfa58ef98519f1354d207ca89

SHA1
d48fe1488283683198affdb7c6e2d6f407a07988

SHA256
f9cdf213010c2026e65425b6d42d26dd58cd71fa97032c4a73699bd0b9005ab1

SHA512
2746d7eae6285bef7b18bc505355b770207adb5e97ca820206cbc07c0028b696eeab70a4da386d84ff7720bc5cc050c1a78ad48133a13fbbb43e3d66e13ef6a2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3404-132-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3404-138-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4316-137-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4316-139-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download