c4af8ae7f238af114538b7706ea95b97567fe661519d1510f951930b074ad948

General

Target

text.txt .scr
Size

28KB
MD5

9b4b22e11a0531f44382e9031e28742a
SHA1

d7b95d04f4a7aabbf96f7d492740e55c618fc9ad
SHA256

f47c29a4a7756b6635363f5e520a2c4b638777705580217d9d5ffb48ae4d7cd6
SHA512

5a851bbf0bad740a2a6ee08bf5fc606ea308522e158bf9906e7086c4e4b8fa9ba667e46abddf5052f11153eebf970dc4b8fef7824aae910bb127e8b220f2f9b8

Score

10^/10

persistence spyware stealer suricata upx

Malware Config

Signatures

suricata: ET MALWARE Suspicious Email Attachment Possibly Related to Mydoom.L@mm
suricata
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

2044 services.exe
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

C:\Windows\services.exe upx
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2044	services.exe

resource	yara_rule
C:\Windows\services.exe	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

text.txt .scrservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	text.txt .scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

text.txt .scr

description	ioc	process
File created	C:\Windows\services.exe	text.txt .scr
File opened for modification	C:\Windows\java.exe	text.txt .scr
File created	C:\Windows\java.exe	text.txt .scr

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

text.txt .scr

description	pid	process	target process
PID 1072 wrote to memory of 2044	1072	text.txt .scr	services.exe
PID 1072 wrote to memory of 2044	1072	text.txt .scr	services.exe
PID 1072 wrote to memory of 2044	1072	text.txt .scr	services.exe
PID 1072 wrote to memory of 2044	1072	text.txt .scr	services.exe

C:\Users\Admin\AppData\Local\Temp\text.txt .scr
"C:\Users\Admin\AppData\Local\Temp\text.txt .scr" /S
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
b8d8ef87df705dfb8b498ea84cdf7f2d

SHA1
dd73c7bffdfeb0b6e5bc6beeb7f66975d6a02646

SHA256
3fb6671f796ae4fc9a51f1c18c4c5dae60dde289ef458b970061d2b63ceec0da

SHA512
a3c3e1e5ca741e23c84158b1560fb36ad1ee5cefce7271b5aeba523c663a793b7797e6e1465c5f10c8c7d5e8d3840496a91ff2e5645da72b0297d06c2695de9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
dc0818a0f1aea2207e0a6e7d1c2deb74

SHA1
68bad99fd1e599bd585924c35c018131b9b81a12

SHA256
8c2a52051c898f49d66cc98c5d2d375b8a4feb488c011554b609b07421a3044e

SHA512
6a1a5bd557ee34585c16b54f1b4d25a6bc102bb180258a3be2211d260157613c233d7c3d26d4263587401f019e12c06d0743032c44728a9cb741c6d02c1dc0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
f00dae0ab9f58ac7f5db8709be4123d5

SHA1
e53b2fa9f904e58b9efa72cac72976b9c2c22fbe

SHA256
24b9c95eb97497adac12eee95bfc17a1e0c3285199f04c0c0b1ff7b07cf02ed3

SHA512
b6d5fa00c8a104f19197a3c59134b0304c0777cfa4cd12e02d23281e19a15d1d3f911a569ad29af2ac1ae00740a1c107c4af92811fc12a6cbda60bd86f86c470

Download Submit
C:\Windows\services.exe
MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2044-59-0x0000000000000000-mapping.dmp

Download
memory/2044-62-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads