ce812c263136a2c6ee548a08432dbc47dab845f41f45410379da981c8d7207f9

General

Target

ce812c263136a2c6ee548a08432dbc47dab845f41f45410379da981c8d7207f9.exe
Size

28KB
MD5

4ff25b8216a1bf1796468c8c1a3fa649
SHA1

c167aabcb8af724b07289e6041e927158975c172
SHA256

ce812c263136a2c6ee548a08432dbc47dab845f41f45410379da981c8d7207f9
SHA512

cd064608b77dc8f8d3ec8ed293ac6210bf9892f06910cd4e98f1760be4323bd53638780ec7052bb62b31d0177904d65d91decea7020eea1052326ee4ff64275f
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNXcM:Dv8IRRdsxq1DjJcqfg

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2376	services.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1096-132-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0006000000022f70-134.dat	upx
behavioral2/files/0x0006000000022f70-135.dat	upx
behavioral2/memory/2376-136-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1096-138-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2376-139-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	ce812c263136a2c6ee548a08432dbc47dab845f41f45410379da981c8d7207f9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	ce812c263136a2c6ee548a08432dbc47dab845f41f45410379da981c8d7207f9.exe
File opened for modification	C:\Windows\java.exe	ce812c263136a2c6ee548a08432dbc47dab845f41f45410379da981c8d7207f9.exe
File created	C:\Windows\java.exe	ce812c263136a2c6ee548a08432dbc47dab845f41f45410379da981c8d7207f9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 2376	1096	ce812c263136a2c6ee548a08432dbc47dab845f41f45410379da981c8d7207f9.exe	79
PID 1096 wrote to memory of 2376	1096	ce812c263136a2c6ee548a08432dbc47dab845f41f45410379da981c8d7207f9.exe	79
PID 1096 wrote to memory of 2376	1096	ce812c263136a2c6ee548a08432dbc47dab845f41f45410379da981c8d7207f9.exe	79

C:\Users\Admin\AppData\Local\Temp\ce812c263136a2c6ee548a08432dbc47dab845f41f45410379da981c8d7207f9.exe
"C:\Users\Admin\AppData\Local\Temp\ce812c263136a2c6ee548a08432dbc47dab845f41f45410379da981c8d7207f9.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
7d1808bf5f981bb35a8727f0b7431301

SHA1
82da1e2324cb47357ac6d0c45bf6b9e93f7f6d1b

SHA256
c6a48ba37cbe55a17d54e6c99feffeb0a51b89e14ba870a280407fa7266bb559

SHA512
7ae1fe89ee7f8328e1c8fdaad814625363cbcca4f0d79317565c1da9b95f628e8f68e5b6f712296ffd6eb1bf8ff556467b41fba6f5e9a22ac5e9a1b5a2a1150d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
33653a71b8cb4cac76f7b5fff839fc3d

SHA1
fdc7384c4e7d37e37fdd4795bfcecf4b5fa79813

SHA256
c15407c46a6beaa407505d215573bac7f7f1d8ebe0c4fafe98b8770d1c0fae56

SHA512
43b612cb73dfcfecadaaa6464c4fe6d949272bd11fae65cd5ba87ffad4f09cf30422bd20bee5d2c463b79c08de3695223e18fb8a9a4c471ffe7d4b61068bc942

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
5e8283ead2015e6e42b96f0bd672fe75

SHA1
dd717e10ec736add22c09fea871dc108f1fdc373

SHA256
9baa25ce4ca222e8cc70667e5bcb49e099950240a9a9c44f410a6899be7b84e7

SHA512
20fd06029779f80d2f6b9c9bcfe6bfffb48d8e213acd88729f0ffe3339cdb312c2352d91ae2469b8f66be43c6971223966f10db65dc01d1787c382b11e585333

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
9bcf16a0ae5e547e393e40ab5ba7609b

SHA1
345b9386f3342414ddaa2fc2c1261c37d98e4b02

SHA256
5a1fd7e1e9e719c3d3477d068213920cfab5722ae5a1d8bef7c6aa2250f3ccfc

SHA512
ca62d564746d529ef7423549c2e36f4f7795f73f6abc114fc4e805d24da63bdd57452c4d895e5286724cfaca8298621b8c8d7c4d81647acc66e3354fbec52d40

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1096-132-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1096-138-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2376-133-0x0000000000000000-mapping.dmp

Download
memory/2376-136-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-139-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing