d6624801d17aa667baeb97c49aa4a3dcc4821246ac08b114a8f15734abfcdbc6

Analysis

max time kernel
186s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/11/2022, 23:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d6624801d17aa667baeb97c49aa4a3dcc4821246ac08b114a8f15734abfcdbc6.exe
Size

28KB
MD5

d59b564dd5c55318b1c8c65938084686
SHA1

c64b2a776c850646adc0de402b8fcb066e8dd6e9
SHA256

d6624801d17aa667baeb97c49aa4a3dcc4821246ac08b114a8f15734abfcdbc6
SHA512

0775eda4575e6ba9eac7ae6cce617c1a73e5f31215e2983d1d438e407cab6ea51c4d08f74d959aeebd87ded1fef96499b41a0e3686c6be50914cca5089b6882c
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyN460a:Dv8IRRdsxq1DjJcqfvla

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4944	services.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/668-132-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0006000000022e1f-134.dat	upx
behavioral2/files/0x0006000000022e1f-135.dat	upx
behavioral2/memory/4944-137-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/668-138-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4944-139-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	d6624801d17aa667baeb97c49aa4a3dcc4821246ac08b114a8f15734abfcdbc6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	d6624801d17aa667baeb97c49aa4a3dcc4821246ac08b114a8f15734abfcdbc6.exe
File created	C:\Windows\services.exe	d6624801d17aa667baeb97c49aa4a3dcc4821246ac08b114a8f15734abfcdbc6.exe
File opened for modification	C:\Windows\java.exe	d6624801d17aa667baeb97c49aa4a3dcc4821246ac08b114a8f15734abfcdbc6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 4944	668	d6624801d17aa667baeb97c49aa4a3dcc4821246ac08b114a8f15734abfcdbc6.exe	80
PID 668 wrote to memory of 4944	668	d6624801d17aa667baeb97c49aa4a3dcc4821246ac08b114a8f15734abfcdbc6.exe	80
PID 668 wrote to memory of 4944	668	d6624801d17aa667baeb97c49aa4a3dcc4821246ac08b114a8f15734abfcdbc6.exe	80

C:\Users\Admin\AppData\Local\Temp\d6624801d17aa667baeb97c49aa4a3dcc4821246ac08b114a8f15734abfcdbc6.exe
"C:\Users\Admin\AppData\Local\Temp\d6624801d17aa667baeb97c49aa4a3dcc4821246ac08b114a8f15734abfcdbc6.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
7206e61c2c6cf83a2262e50e421f8408

SHA1
f56b8bdc28afcc979453cc4e43253c36c92b32f6

SHA256
13c7c512a150767e8095c4c96ff423d632c40f5be11d4296c10595ad352500d4

SHA512
81091a0de1506ededa91ec820caf4dd00a9ae264acdbf78855c5eb7bf7383dc371b58d7074fb12f1aa72b1d433c5c71cc628d861a6377a533bbbd3d400e83ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
87c9ae980ae7a0c3fd3f57c76b79bf84

SHA1
c24dd939a4c353ec478dfae9e6e9047cbb42843c

SHA256
358b5a245422fb12499b11ca57362eda7ff45fc9db38bf16ce5dedc20d8ca272

SHA512
5bdec828a4b9db29e4818f92309889ebe0a098e285f5ff283da0091a44c069776a3687bcb96a7390f95f88f98a6025c66b2368d0187664ed05987184d4d74360

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
18f3db571d937990e0625f0855a2e534

SHA1
519085cf941b49819274bc3e5e8a16788cf63c77

SHA256
c4d6978eaf1492f6911fc7a1ded93d26b9759147b20e7610ebdb96d7616a0f47

SHA512
977b0fad98458c3a4aae5da5cb76021c1e1c901c598e5cb5edc7af76bef1131a986008a11c93a061f556064f9357754f2e1f94f8d8801fda0b2ddbfd6ea09def

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/668-132-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/668-138-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4944-137-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4944-139-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download