c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d

General

Target

c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
Size

48KB
MD5

51d09901bbfa5f7722f067abfe3e146b
SHA1

65dcc154efd2a7303660a678a96d6091bd7f422f
SHA256

c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d
SHA512

fded634079db16b5b68d215974264102426711a9776a22ec4e57e8152963326f08cbf3bfb4f7e7a553f1a580566e115b7eb09f852450037f553557dfcba8ed6d
SSDEEP

768:jv8IRRdsxq1DjJcqOVBLUvTd2wmDkuBgs5vY2HJvqRTkoCmq1UrH7JSr:DxRTsxq1DjCBBLUrGaeva1CmRrH9I

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4360	services.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4736-132-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral2/files/0x0006000000022f87-135.dat	upx
behavioral2/files/0x0006000000022f87-136.dat	upx
behavioral2/memory/4360-138-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4736-140-0x0000000000500000-0x0000000000515000-memory.dmp	upx
behavioral2/memory/4360-141-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
4736	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vcmgcd32.dl_	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
File created	C:\Windows\SysWOW64\vcmgcd32.dll	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
File opened for modification	C:\WINDOWS\JAVA.EXE	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
File opened for modification	C:\WINDOWS\SERVICES.EXE	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
File opened for modification	C:\Windows\SYSTEM.INI	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
File created	C:\Windows\services.exe	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
File opened for modification	C:\Windows\java.exe	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4736	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
4736	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4736	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 4360	4736	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe	79
PID 4736 wrote to memory of 4360	4736	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe	79
PID 4736 wrote to memory of 4360	4736	c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe	79

C:\Users\Admin\AppData\Local\Temp\c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe
"C:\Users\Admin\AppData\Local\Temp\c76b92db89227c97e25366c8db9f824f4e59902f44d642bede9125c0c2b9684d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
5e6c4ab4b248881f9312bd8f2f3a465f

SHA1
11e7f4677aafae89443592699352a2ad525b391d

SHA256
f6b1aa833997813d280a97f9f4445f4febf264e82bee9aa7a4e0658c589d1569

SHA512
d5a4d85ebf8ec1f73fb3adc8e77bc3e0e78774ce9bcaf8bce2a263ccc5cc9363308b09e70d58fb65ed1e2210544b59d5043e38b1d7a764dd6022924357473e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
09723ab370e443e45a4ec691e223837b

SHA1
c2f74fcfc0edc0aa184a4916e086016180e5eeaf

SHA256
fa7a29584758bc57b1acce61884acebfffa7c1ad2979b63c75bda08023c68488

SHA512
bd860ba708e537c74498b4331d0fac6c23c504ef96d101bcd23191b4d9c8d2ff4da85214b216a5517a6fa83fc22465197770a2ee586011b18197c5c7955e7291

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
79ee823c506a91ab367c0726dad0b6df

SHA1
0da7e656c68fe8250c4635e18393d1c9734da750

SHA256
fd079002a13d97e1046d7159aeec5d1070d3236a7b5babcc81898a3ccde1bbd3

SHA512
009971c1bd684c2d7a7adf1a41af9642d67cd196a30ee32852317085673167a0ed70c6d853880b4818bb4df468e40dc30311d36a5837ae37cf5a75d49d3bf5a7

Download Submit
C:\Windows\SysWOW64\vcmgcd32.dll

Filesize
36KB

MD5
ae22ca9f11ade8e362254b452cc07f78

SHA1
4b3cb548c547d3be76e571e0579a609969b05975

SHA256
20cbcc9d1e6bd3c7ccacbe81fd26551b2ccfc02c00e8f948b9e9016c8b401db6

SHA512
9e1c725758a284ec9132f393a0b27b019a7dde32dc0649b468152876b1c77b195abc9689b732144d8c5b4d0b5fcb960a3074264cab75e6681932d3da2a644bc1

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/4360-138-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4360-141-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4736-140-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/4736-132-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/4736-137-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/4736-144-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing