Analysis
Max time kernel: 1200s
Max time network: 1233s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 27-07-2021 03:28

Static task: static1
Behavioral task: behavioral1
- Sample: text.txt .scr
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: text.txt .scr
- Resource: win10v20210408
General
Target: text.txt .scr
Size: 28KB
MD5: 9b4b22e11a0531f44382e9031e28742a
SHA1: d7b95d04f4a7aabbf96f7d492740e55c618fc9ad
SHA256: f47c29a4a7756b6635363f5e520a2c4b638777705580217d9d5ffb48ae4d7cd6
SHA512: 5a851bbf0bad740a2a6ee08bf5fc606ea308522e158bf9906e7086c4e4b8fa9ba667e46abddf5052f11153eebf970dc4b8fef7824aae910bb127e8b220f2f9b8
Malware Config
Signatures
- suricata: ET MALWARE Suspicious Email Attachment Possibly Related to Mydoom.L@mm
- Executes dropped EXE (1 IoC)
  Process: services.exe (PID 2044)
  YARA rule match: resource C:\Windows\services.exe matched rule upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" by process text.txt .scr
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" by process services.exe
- Drops file in Windows directory (3 IoCs)
  File created C:\Windows\services.exe by process text.txt .scr
  File opened for modification C:\Windows\java.exe by process text.txt .scr
  File created C:\Windows\java.exe by process text.txt .scr
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1072 (text.txt .scr) wrote to memory of PID 2044 (services.exe); the same event was recorded four times
Processes
- C:\Users\Admin\AppData\Local\Temp\text.txt .scr (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\text.txt .scr" /S
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\services.exe (depth 2, child of the above)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads