c4af8ae7f238af114538b7706ea95b97567fe661519d1510f951930b074ad948

Analysis

max time kernel
1201s
max time network
1212s
platform
windows10_x64
resource
win10v20210408
submitted
27-07-2021 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

text.txt .scr
Size

28KB
MD5

9b4b22e11a0531f44382e9031e28742a
SHA1

d7b95d04f4a7aabbf96f7d492740e55c618fc9ad
SHA256

f47c29a4a7756b6635363f5e520a2c4b638777705580217d9d5ffb48ae4d7cd6
SHA512

5a851bbf0bad740a2a6ee08bf5fc606ea308522e158bf9906e7086c4e4b8fa9ba667e46abddf5052f11153eebf970dc4b8fef7824aae910bb127e8b220f2f9b8

Score

8^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

1832 services.exe

pid	process
1832	services.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\services.exe	upx
C:\Windows\services.exe	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

text.txt .scrservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	text.txt .scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

text.txt .scr

description	ioc	process
File created	C:\Windows\services.exe	text.txt .scr
File opened for modification	C:\Windows\java.exe	text.txt .scr
File created	C:\Windows\java.exe	text.txt .scr

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

text.txt .scr

description	pid	process	target process
PID 3492 wrote to memory of 1832	3492	text.txt .scr	services.exe
PID 3492 wrote to memory of 1832	3492	text.txt .scr	services.exe
PID 3492 wrote to memory of 1832	3492	text.txt .scr	services.exe

C:\Users\Admin\AppData\Local\Temp\text.txt .scr
"C:\Users\Admin\AppData\Local\Temp\text.txt .scr" /S
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
fc75bf3e6e4f33ffe26691cb2993ba60

SHA1
a83d5f43113a42fa0a0bb2bce9364ad3eaa5ee87

SHA256
104634a5f94743e7421202969983228f8c2c50de67fa3103c17dbfcf16147176

SHA512
6c4303774625fee35d5d3c5007513d66a42ab8d9abdc431329663406460ad8a4208564471778d509e6fc6b470fa2da6953be226b7824c08137ba9e0bfdf8581e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
55ef06871e46705597b0c7f0a23cd4b4

SHA1
e215afd48b65ff150ee38ddb6c67a9d3e3e71149

SHA256
bc298e3104284e675c0ce4b5cc90c5f02a1c2d8f508f2b99c04ff5d2ab10740b

SHA512
a22a029168a6d1b9ee489a757d2eb820bc714332dd7ea10640cd5a820b4c0fe8dea819b627ca21c0d758b319b655e4e7aaffd182f7253500d0abffcf31fda5ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
039158e1f86a67d4ca6f27b5a3e69d4e

SHA1
3946065a7314f538edc3dc163ac0fe01bcfb57c8

SHA256
ea0c9d5d4bddbc573e41c42f8762f03878b5d36ec1fdf98f9ce286e9e55f9fc4

SHA512
ce955da287710a51ba1717fda2c43927a8c827f4675593d8548138f3d02452801317c702758ec8550ef388a71ecfc8429e7c8965f74759e9b87083f5881e1f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
63a2f81147c1a985fa8e119b49309cdb

SHA1
53c25708dd97eff9328206ef020db9d907cfb614

SHA256
beeea33c4a265132c8821eec30eb368e7348af68dc3eee80e52c0353d17e259e

SHA512
6fdd281d7b25cff33cbc8383401d0fdc71dbf67def06233caafcbf93ccadff4598f463f189c0f4b9d9954364becc72121cb5378caa9df1cacf36bc4317578283

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
34bf9e22c466b38662373309a9f56205

SHA1
7b53edc3dabbb0ba16118f67f789d437c3e4d057

SHA256
681708b0ba60647bf6a39bb94bfa4fd9ef82e94525e9771a39f665943411fc09

SHA512
990b02ab690e28a3703d0789c26fc131fd0470985d1564fdf3a44ee86cfa40f12dc1d6d12f1e18ea776705f1a8882595fd580970f545f610c32484d2c7b14964

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
222e6c978c26cfb40177eb25e970342a

SHA1
8bdfbc006f5b483bb1c1825fe7c580b0b5e6a0ee

SHA256
93ca11f9ce9d174cd141a2ef7bb94a416b830a30521e35e9d354b86e83782395

SHA512
1b818943ce55ae299a53d839b8f66cb1eadde2330963d931710846068c063c0c507f38727006e3500667dd810335cd975ded68e5a0cc3a4fbb3d4f75845c4293

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
2c1acae2d89dd7f241ebd003e4b862d4

SHA1
ce2a2eab46d977223c8ee287e40e22a64242531d

SHA256
a8bfd70f09628494051c45a0c67834cd8165f7dc59bfd21adf69174b4cc9c7b5

SHA512
b4b93176d8c152311a08f53d0f69d7b2e00ecad70834e71a7758f00511c537a4b7099713a8a79552f908b06e0d1447bd9cee0c209bad0ac8097639c8ba8579c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
f513f03fd1b77022dc6329efa6e4d5fc

SHA1
cf32ebac306bd148ef2859f55a10c033cb5f3de7

SHA256
38d93c0107706b31b57e3d4ebfb332b5cd011d599e8b7534f95a5be5f714f6ca

SHA512
4e679a268893561240e55a70b791f50ca55c9871222a6d23034ae808549b68b356946e5879e21842e7353c1d2dbef1d78ac192f9a0f89a193e9386b683648730

Download Submit
C:\Windows\services.exe
MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe
MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1832-114-0x0000000000000000-mapping.dmp

Download