f71501967fd8eddca6c7556c20403b45a1dff65418f2ebe6f98bcdd023b5777e

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/11/2022, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f71501967fd8eddca6c7556c20403b45a1dff65418f2ebe6f98bcdd023b5777e.exe
Size

28KB
MD5

7498d5f01b8024205f0e78ab8231cec9
SHA1

455518ffde943f4728c768f791bcc4800b9489f7
SHA256

f71501967fd8eddca6c7556c20403b45a1dff65418f2ebe6f98bcdd023b5777e
SHA512

bde0d4ddbee441330cadf323f7eba0859c3106125060043cdc162b69db443b15b9d2319b7a4d46d84bb196aa9cc9aaaeaf60c7cdcd2436d9c405a437b53ef9ed
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNnKdR:Dv8IRRdsxq1DjJcqfeKH

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1920	services.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/764-132-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0009000000022e24-134.dat	upx
behavioral2/files/0x0009000000022e24-135.dat	upx
behavioral2/memory/1920-137-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/764-138-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1920-139-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	f71501967fd8eddca6c7556c20403b45a1dff65418f2ebe6f98bcdd023b5777e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	f71501967fd8eddca6c7556c20403b45a1dff65418f2ebe6f98bcdd023b5777e.exe
File opened for modification	C:\Windows\java.exe	f71501967fd8eddca6c7556c20403b45a1dff65418f2ebe6f98bcdd023b5777e.exe
File created	C:\Windows\java.exe	f71501967fd8eddca6c7556c20403b45a1dff65418f2ebe6f98bcdd023b5777e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 1920	764	f71501967fd8eddca6c7556c20403b45a1dff65418f2ebe6f98bcdd023b5777e.exe	81
PID 764 wrote to memory of 1920	764	f71501967fd8eddca6c7556c20403b45a1dff65418f2ebe6f98bcdd023b5777e.exe	81
PID 764 wrote to memory of 1920	764	f71501967fd8eddca6c7556c20403b45a1dff65418f2ebe6f98bcdd023b5777e.exe	81

C:\Users\Admin\AppData\Local\Temp\f71501967fd8eddca6c7556c20403b45a1dff65418f2ebe6f98bcdd023b5777e.exe
"C:\Users\Admin\AppData\Local\Temp\f71501967fd8eddca6c7556c20403b45a1dff65418f2ebe6f98bcdd023b5777e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
bd9918b2de4cc907bc86030486181261

SHA1
f391234afe59d06b46836a2e7d422ad96429c814

SHA256
acb5ca9e9155cac8814b06b31f1af273ace6c5d4ee5beb142be1863d6fd62663

SHA512
48de4b3002dcc9878381259e29df57d3edbb9d6c476c16bf267f182585b782705b940a961bbbd10c030206fef0939b518d92ba3ee4726b0165fc464b91005192

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
1671cd019f103d812ca53063c0d9d0df

SHA1
f089d64f89e5f0df48b2c4f9cf1d8c4d8cca08a2

SHA256
c1f59f0201e9e41969ec053108b586f76cb0fcf123aec588b1d2d7f0c056df58

SHA512
989e2e0d13fe5b5e5001643e1d2eec98e76c957db2e1d4785805c9f0c51a4b34f00516aefca4dfd591a0cc2b16d5256c7a886855db6b862a542724a299ceba43

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/764-132-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/764-138-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1920-137-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1920-139-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download