Analysis
max time kernel: 1201s
max time network: 1212s
platform: windows10_x64
resource: win10v20210408
submitted: 27-07-2021 03:28
Static task: static1
Behavioral task: behavioral1
  Sample: text.txt .scr
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: text.txt .scr
  Resource: win10v20210408
General
Target: text.txt .scr
Size: 28KB
MD5: 9b4b22e11a0531f44382e9031e28742a
SHA1: d7b95d04f4a7aabbf96f7d492740e55c618fc9ad
SHA256: f47c29a4a7756b6635363f5e520a2c4b638777705580217d9d5ffb48ae4d7cd6
SHA512: 5a851bbf0bad740a2a6ee08bf5fc606ea308522e158bf9906e7086c4e4b8fa9ba667e46abddf5052f11153eebf970dc4b8fef7824aae910bb127e8b220f2f9b8
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: services.exe
    pid   process
    1832  services.exe
  Resources matching YARA rule:
    resource                 yara_rule
    C:\Windows\services.exe  upx
    C:\Windows\services.exe  upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: text.txt .scr, services.exe
    description      ioc                                                                                                                   process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"         text.txt .scr
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"   services.exe
- Drops file in Windows directory (3 IoCs)
  Processes: text.txt .scr
    description                   ioc                      process
    File created                  C:\Windows\services.exe  text.txt .scr
    File opened for modification  C:\Windows\java.exe      text.txt .scr
    File created                  C:\Windows\java.exe      text.txt .scr
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: text.txt .scr
    description                         pid   process        target process
    PID 3492 wrote to memory of 1832    3492  text.txt .scr  services.exe
    PID 3492 wrote to memory of 1832    3492  text.txt .scr  services.exe
    PID 3492 wrote to memory of 1832    3492  text.txt .scr  services.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\text.txt .scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\text.txt .scr" /S
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\services.exe (child of [1])
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads