89e2665a8144ef8c9f6bfaccbe99a3a5b0d60c56c36afb9374a4ed6f0f873669

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89e2665a8144ef8c9f6bfaccbe99a3a5b0d60c56c36afb9374a4ed6f0f873669.exe
Size

28KB
MD5

c120debfb0d5bd3cab57b45e613c7a43
SHA1

5244b1a3529712aee87fc1f9337cf83f068bc31f
SHA256

89e2665a8144ef8c9f6bfaccbe99a3a5b0d60c56c36afb9374a4ed6f0f873669
SHA512

97bd13f180a3e00dbf514dd7a4a6b2c3a5eb967ba0422f102b60bd1c89f167d11ccf27a6e5c3e59581a097cfbb98db11c4b0de22aae7af1fbd72b60909dcb7db
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNI:Dv8IRRdsxq1DjJcqfT

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4596	services.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000022dfd-133.dat	upx
behavioral2/files/0x0003000000022dfd-134.dat	upx
behavioral2/memory/5016-135-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4596-136-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4596-138-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	89e2665a8144ef8c9f6bfaccbe99a3a5b0d60c56c36afb9374a4ed6f0f873669.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	89e2665a8144ef8c9f6bfaccbe99a3a5b0d60c56c36afb9374a4ed6f0f873669.exe
File opened for modification	C:\Windows\java.exe	89e2665a8144ef8c9f6bfaccbe99a3a5b0d60c56c36afb9374a4ed6f0f873669.exe
File created	C:\Windows\java.exe	89e2665a8144ef8c9f6bfaccbe99a3a5b0d60c56c36afb9374a4ed6f0f873669.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4596	5016	89e2665a8144ef8c9f6bfaccbe99a3a5b0d60c56c36afb9374a4ed6f0f873669.exe	81
PID 5016 wrote to memory of 4596	5016	89e2665a8144ef8c9f6bfaccbe99a3a5b0d60c56c36afb9374a4ed6f0f873669.exe	81
PID 5016 wrote to memory of 4596	5016	89e2665a8144ef8c9f6bfaccbe99a3a5b0d60c56c36afb9374a4ed6f0f873669.exe	81

C:\Users\Admin\AppData\Local\Temp\89e2665a8144ef8c9f6bfaccbe99a3a5b0d60c56c36afb9374a4ed6f0f873669.exe
"C:\Users\Admin\AppData\Local\Temp\89e2665a8144ef8c9f6bfaccbe99a3a5b0d60c56c36afb9374a4ed6f0f873669.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
d390853678dcc302eb549c054b2c8a99

SHA1
3e694101be2b2ffdd701e3589272116d2001bd4f

SHA256
723c22c83b803eaba3d1bd8da199da933c91fd22a01dfc2fd1474c54f6394a64

SHA512
8a0015f33f8de3a3bbeb0ca8617b7f903a98809bc5428b009937c4f5b5ce990cda881f162478122066a1e43d280025f3d8e851a376d71f1dfd82e30372123acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
46c69cd3148764f8ceff25e640037e7a

SHA1
6c87b37d86b85e7d4e1e3f765a2342226c521814

SHA256
32bb9af89786b3e169fbcc49890631836e3023c31b2d26a8528543ecf26c7f36

SHA512
81c939c415a89ef07db27af2656b35ce8740de6bdcc577149c88fd2a2d38426e4401e9139764820e42504ad82b993b0abfa3d15ee71766e77ab6a4421b20f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
6b8697e10ed9c1426f0214fd81afa299

SHA1
e23202a25764ae0b97032664681a92bfb328c049

SHA256
725febdb3a24c69a655f51524fcbac9ecc83d205729c0466f3d615fcc5a37298

SHA512
aea7167f0b9d01cf3ede286dfcc76ba3fef9ff5e81b46748f51f92449d589819fb990e3820e740323a24fcde1be0a0223ab52e722612ea17c284272c0b0028b6

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/4596-136-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-138-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5016-135-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download