Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 01-07-2024 12:50
Static task: static1
Behavioral task: behavioral1
  Sample: mail.com.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: mail.com.exe
  Resource: win10v2004-20240611-en
General
Target: mail.com.exe
Size: 42KB
MD5: 17fbc834b7ce83e295cbb7601a5a9899
SHA1: 901b686e1ef9729764a1145da1979a7621cf850f
SHA256: 004589df86e90096a63c78045cc7e1c328ea3863e904572dea5a64e576969b2a
SHA512: c722ab16c433e2af8de91118ef731fb6ee147d221cc7ed70a49cc2fb7db84b2138132ca7f213745274ca1e4940d468833a210c2608b19ab78eee4cf368d21570
SSDEEP: 768:tdAkXGqv1GypfcHrk1DqAHNS/BHPmeWcTeYdC9VOV0rxAdeV1:tdAkXGqECcwYgw9PNSa0GQ
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  services.exe, PID 3040
UPX packed file (YARA rule: upx, 17 IoCs)
  behavioral1/memory/2928-4-0x00000000002A0000-0x00000000002A8000-memory.dmp
  C:\Windows\services.exe (the dropped file on disk)
  behavioral1/memory/3040-{11,17,21,26,27,31,35,36,57,60,61,65,69,70,74}-0x0000000000400000-0x0000000000408000-memory.dmp (the same 32 KB image region of PID 3040, dumped 15 times over the run)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"  (written by services.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"  (written by mail.com.exe)
  Both values land under Wow6432Node, the 32-bit view of HKLM\Software, which is what a 32-bit process sees on this x64 image. Note that the value name "Services" points at C:\Windows\services.exe, not at the real C:\Windows\System32\services.exe.
Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\services.exe  (mail.com.exe)
  File opened for modification: C:\Windows\java.exe  (mail.com.exe)
  File created: C:\Windows\java.exe  (mail.com.exe)
Modifies system certificate store
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8  (mail.com.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (value not reproduced on this page)  (mail.com.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25  (mail.com.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a  (mail.com.exe)
  Reading the AuthRoot blob: the property with id 0x20 is the DER certificate itself, and it decodes to the DigiCert High Assurance EV Root CA (issuer and subject CN "DigiCert High Assurance EV Root CA", serial 02ac5c266a0b409b8f0b79f2ae462577, validity 2006-11-10 to 2031-11-10), whose SHA1 is the key name 5FB7EE06...DC25. That is a widely trusted public root, so this write is consistent with Windows automatic root update fetching the cert in response to the sample's network activity (compare the CryptnetUrlCache entries under Downloads) rather than with the sample planting an attacker-controlled CA. The ROOT-store blob for CABD2A79...A5E8 is not reproduced on this page and cannot be checked the same way.
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2928 (mail.com.exe) wrote to the memory of PID 3040 (services.exe), 4 times
  The target is the child the sample had just created, and ordinary process creation also writes into a new child (parameters and environment block), so this entry on its own does not establish injection; the dropped-EXE and Run-key entries carry the weight here.
Processes
C:\Users\Admin\AppData\Local\Temp\mail.com.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\mail.com.exe", PID 2928)
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\services.exe  (command line: "C:\Windows\services.exe", PID 3040, child of 2928)
     - Executes dropped EXE
     - Adds Run key to start application
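The Run-key, dropped-file and WriteProcessMemory entries above are the parts of this report a responder turns into host checks. The Python below is an added example, not part of the report or of any sandbox tooling: it parses signature lines in the shape Triage prints (the sample lines are copied from this report), links each Run value to the file-creation event that produced its target, and flags a target that borrows a core system binary's name while living outside System32. The list of system binary names and the two "expected" directories are the example's own assumptions and are deliberately small.

```python
import re
from dataclasses import dataclass

# Constructed input: the IoC lines from this report, one per list element.
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" mail.com.exe',
    r"File created C:\Windows\services.exe mail.com.exe",
    r"File opened for modification C:\Windows\java.exe mail.com.exe",
    r"File created C:\Windows\java.exe mail.com.exe",
    r"PID 2928 wrote to memory of 3040 2928 mail.com.exe services.exe",
]

RUN_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?)\\([^\\]+) = "(.*)" (\S+)$')
FILE_RE = re.compile(r"^File (created|opened for modification) (\S+) (\S+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")

# Assumption: names that legitimately live only under these directories on a default install.
SYSTEM_BINARY_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe"}
EXPECTED_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class RunKey:
    key: str
    name: str
    target: str
    process: str


@dataclass
class FileEvent:
    action: str
    path: str
    process: str


@dataclass
class MemWrite:
    src_pid: int
    dst_pid: int
    src_proc: str
    dst_proc: str


def parse_report_lines(lines):
    """Turn report IoC lines into typed records; unrecognised lines are ignored."""
    runkeys, files, writes = [], [], []
    for line in lines:
        line = line.strip()
        if m := RUN_RE.match(line):
            _kind, key, name, data, proc = m.groups()
            key = key.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)  # native path -> HKLM alias
            runkeys.append(RunKey(key, name, data.replace("\\\\", "\\"), proc))  # unescape the quoted data
        elif m := FILE_RE.match(line):
            files.append(FileEvent(*m.groups()))
        elif m := WPM_RE.match(line):
            src, dst, src_proc, dst_proc = m.groups()
            writes.append(MemWrite(int(src), int(dst), src_proc, dst_proc))
    return runkeys, files, writes


def is_masquerading_system_binary(path: str) -> bool:
    """True when a core system binary name sits outside the directories it ships in."""
    directory, _, name = path.lower().rpartition("\\")
    return name in SYSTEM_BINARY_NAMES and directory not in EXPECTED_SYSTEM_DIRS


def persistence_chains(runkeys, files):
    """Pair each Run value with the 'File created' event for its target, if any."""
    dropped = {f.path.lower(): f.process for f in files if f.action == "created"}
    chains = []
    for rk in runkeys:
        dropper = dropped.get(rk.target.lower())
        if dropper is None:
            continue  # Run value points at something this run did not create
        chains.append({
            "value": rk.name,
            "key": rk.key,
            "path": rk.target,
            "dropper": dropper,
            "set_by": rk.process,
            "masquerade": is_masquerading_system_binary(rk.target),
        })
    return chains


if __name__ == "__main__":
    rk, fe, mw = parse_report_lines(REPORT_LINES)
    for chain in persistence_chains(rk, fe):
        print(chain)
    for w in mw:
        print(f"{w.src_proc} ({w.src_pid}) -> {w.dst_proc} ({w.dst_pid})")
```

On this report the output shows two chains, both dropped by mail.com.exe: the "Services" value set by the dropped services.exe itself (flagged, because the real services.exe is only in System32) and the "JavaVM" value set by the parent. The same three checks map directly onto a host hunt: enumerate the Run keys in both the 64-bit and Wow6432Node views, stat each target, and compare any hit against the hashes listed in this report.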
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (listed four times with different hashes: successive versions of the same cache file)
  Filesize: 342B
  MD5: 1f916df4ac2de8197b92784120c07a0f
  SHA1: 08d6b4054bc65ae2b48d49941552692f17026cfb
  SHA256: 960505efcae00e3f5032bf4d9cec2e4bf78216eb476ef18c787abdbbaacc6a8e
  SHA512: 36215c9c7a012b2e964aa7fcd0f8620873d117134ae2ce4a560da899ad86d7e6544f9bf6f244adc7b9c103d663dd646897c0ced7df7b49de0db131bc96e579a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f0fc093691359014eb685eba189b88fa
  SHA1: 39c9a4c5501cf503b14c5106668d991ec16f0e6c
  SHA256: 40a00caa766b0e54439290d48724b8f106e6e77c1918161665a7b18e67a5b980
  SHA512: 4b7f927ea31b366c7cf1699ce3a5e6a24f854ae635d7b2c3c2ef6af152ebe3df86690f0d7480c16238a4c52d3dd7f1bdb73a3e16b5d7059737138f400a853d31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: aee93d32e4dbe056604f602565f7d1e7
  SHA1: 06edeb2daa8e9e063eaa57d870e75ab1678ddeb0
  SHA256: 16077dce93470b57693399ad1f679684d1f09aa371d266d49a74a93f95943cb8
  SHA512: 6c530915a316abde5b700cec95c020eb97458af4bc2f258be293fba06f88b6f5471dc4244a0b3881746b0c1b3189947962faf4d2567ba7774e5d2ef7c6c5c16e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: dddf02217db65d62975dbcd26f861cec
  SHA1: 1d5d7c939de1149bcc9c57b9cf41bcb1eaef42c9
  SHA256: 0a54eb0252f7f118b5d103eb41b64b99814bfdb3c144fdaac62ab0cf3f3fb9b3
  SHA512: bf1a625d4e7e641f142a98275f8033cfb0533be7a4fb3b7997c36300a324b25347d5cde10509e12fb73d70b3a7ac6f90c51ba08ee273550a550155ba3720e7ff

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XHJXO3H\search[2].htm
  Filesize: 198KB
  MD5: e9a83c9d0432dcead5b5129d60aa32a0
  SHA1: 05dbd76e0a23cbd362d5dcdcee04c8bd3515a1bd
  SHA256: a15759ba786faafadad929d8b2ed3b3a4035bcf06635dbc1eea17b265c6fa0e9
  SHA512: 33d8d156f5d78daf3b1dcab734328c68b6804c2bd9de8e175f8e26bab2f3e190e4ac256396d7fc1281b2526a9c4f5a0730c9fa02c5b9d214c5bdd5010f08a6fe

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H09CVCL3\1H5MT983.htm
  Filesize: 176KB
  MD5: 68c5ae5388dc84927547a7b1ce0302ee
  SHA1: 92f7b583247fa469b306c9abf576d2ad8e863581
  SHA256: 391e017704beb75af96272ed03c0996aa59324749154b8a39d2e921e44a30543
  SHA512: 0c6df60603ad67b14628dca727218ecbd9805df3b893dfca6d3ded2fcc9fa675b7c8616aba67ea047857f23a6767d0b66173e39a290aa7cf89d83687c200153c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H09CVCL3\752DO4KN.htm
  Filesize: 176KB
  MD5: c8e6e9a9b492ef1a9edf62a8322ba16b
  SHA1: 744e51969fa764666f293ffc730712fcb4f78940
  SHA256: 97884418aff1bdd4218f0084f42e21bae87e0a94e38bf39d6ec01a31e2741825
  SHA512: 5eb38b83f46c9c965389f2dbef61d529b7910db8a34eeb230afe388267d3509cfa0769d008fc64174644d0b1943107fcead36e76700d3eea18b9ae34467ec474

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H09CVCL3\search[2].htm
  Filesize: 25B
  MD5: 8ba61a16b71609a08bfa35bc213fce49
  SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
  SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
  SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
(no path recorded)
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

(no path recorded)
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

(no path recorded)
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

(no path recorded)
  Filesize: 64B
  MD5: 0cdec7b2d6f58d1c60938f7ab614dd06
  SHA1: 3cefee937e7ade84c8c6f204a23a1dc924cc0696
  SHA256: efcf00f54aa93fce07a255d5011d8fc18ea7dee02e2a0d7004fb0f3bfad29695
  SHA512: 707e9f7fcb423812652c94837d38cc089b51ca42e00d303d77eed3600b862088814fbc620b27cb044e9203f9f82e27cffbe0af387efa65481f28e7204b91f92a

(no path recorded)
  Filesize: 42KB
  MD5: c8cd9d84fd442f13c12f10c27925aa9e
  SHA1: a30b9806b2d1ad25f263b09df864d2d525738bcb
  SHA256: b6c0347da892e9578a2321081e1b2cb57b87c59396a56ae296595dcfb7d318ce
  SHA512: d6d3cc6c86620629953e12087ca145de63f1f1d28bac8830c9d493aab4fe024698714aab2eff5228aff6920f1392881661bf8bcb2373bd854d358192881698d5

(no path or size recorded; these are the standard hashes of zero-byte input, i.e. an empty file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

(no path recorded)
  Filesize: 96B
  MD5: d8232cda5c93545c002970633208dd47
  SHA1: 983b4f847cd7b976c7434643f75c0d3d59bdab62
  SHA256: 83dd07006ea621826c051d827693e074bc4ab1102bb85c50b65eda68bb6d2de0
  SHA512: 36a886e9ff54e27b9763d2b8e2ead3ac554fddcd7dfdb0c21920f430f7dda72b42e947885faf75093881c7363a69ed66dcb70f603cae30f986a3b9ad1145da71

(no path recorded)
  Filesize: 96B
  MD5: ee35fb9a9b389c1f30b6bad211c8b0b5
  SHA1: 364148ff042974eabbeba02be9beee96bc12c854
  SHA256: 35a4ad2cd3911067c594085b4d0d0b408cfc0344282f561e0cafd691135888b1
  SHA512: 34c0fc29c1b8de78c73039331f7ef9c1c98289a7b488357e13a1f710a58098c3bcce3aee679ebf0f3fc674395c77b9f640cb5671214418d191d0839118c3bdc6

(no path recorded)
  Filesize: 8KB
  MD5: b0fe74719b1b647e2056641931907f4a
  SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
  SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
  SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2