71caf3f27403713a3049e3e3dccd6d5ca9fd2c17b8caf7e2b870eab078e467d2

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71caf3f27403713a3049e3e3dccd6d5ca9fd2c17b8caf7e2b870eab078e467d2.exe
Size

41KB
MD5

9a7495ed4fb5fb5ec99d107ae814b9c3
SHA1

76a0d3dcc1716567eb9db0e11c0d74161ebfed65
SHA256

71caf3f27403713a3049e3e3dccd6d5ca9fd2c17b8caf7e2b870eab078e467d2
SHA512

3051b0888132a5567f9b8a0a21a7cd244e6a28ca4b1aa0ed81dc30336928db91b7a8e603d05d1b37aa5033c34bdade84b16ee670f06d038a56e704280ebdbbb5
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

1428 services.exe

pid	process
1428	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4232-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1428-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/4232-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1428-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1428-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1428-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1428-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1428-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1428-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4232-37-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1428-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmp824D.tmp	upx
behavioral2/memory/4232-151-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1428-154-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4232-275-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1428-276-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4232-277-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1428-278-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1428-283-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4232-304-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1428-305-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4232-306-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1428-307-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4232-310-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1428-311-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

71caf3f27403713a3049e3e3dccd6d5ca9fd2c17b8caf7e2b870eab078e467d2.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	71caf3f27403713a3049e3e3dccd6d5ca9fd2c17b8caf7e2b870eab078e467d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

71caf3f27403713a3049e3e3dccd6d5ca9fd2c17b8caf7e2b870eab078e467d2.exe

description	ioc	process
File created	C:\Windows\services.exe	71caf3f27403713a3049e3e3dccd6d5ca9fd2c17b8caf7e2b870eab078e467d2.exe
File opened for modification	C:\Windows\java.exe	71caf3f27403713a3049e3e3dccd6d5ca9fd2c17b8caf7e2b870eab078e467d2.exe
File created	C:\Windows\java.exe	71caf3f27403713a3049e3e3dccd6d5ca9fd2c17b8caf7e2b870eab078e467d2.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

71caf3f27403713a3049e3e3dccd6d5ca9fd2c17b8caf7e2b870eab078e467d2.exe

description	pid	process	target process
PID 4232 wrote to memory of 1428	4232	71caf3f27403713a3049e3e3dccd6d5ca9fd2c17b8caf7e2b870eab078e467d2.exe	services.exe
PID 4232 wrote to memory of 1428	4232	71caf3f27403713a3049e3e3dccd6d5ca9fd2c17b8caf7e2b870eab078e467d2.exe	services.exe
PID 4232 wrote to memory of 1428	4232	71caf3f27403713a3049e3e3dccd6d5ca9fd2c17b8caf7e2b870eab078e467d2.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\71caf3f27403713a3049e3e3dccd6d5ca9fd2c17b8caf7e2b870eab078e467d2.exe
"C:\Users\Admin\AppData\Local\Temp\71caf3f27403713a3049e3e3dccd6d5ca9fd2c17b8caf7e2b870eab078e467d2.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1428

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2IX84YPE\results[4].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D5DFSS0T\search[2].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J2J1W33T\EO5MCWPK.htm
Filesize
175KB

MD5
73457cf5cb1b30ed408cbcd6c76c83ad

SHA1
b604e8a9d544801b14843326c47eaef72b1c71c0

SHA256
cf8b199597e7c2adf6f5e96d5c38e93d140392277cf99f9979850dbb376fe28c

SHA512
b4f63bd38b2d8cd32ec212b7c5cb0e648629e3c8a3950b52f16e324e4f878a2c3b338bb60e6203a6c1a8973b9c1f02b024e74278a6473b3820b2568a14023491

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\searchTKK7UYJM.htm
Filesize
149KB

MD5
7243cdd402f56c9be88b6aa3642f6ad8

SHA1
b2d1f6b964bbb1b6b8ebd38389bc774162b0299b

SHA256
788f77042b221dd8a150cc5e5642dde1159784fed748a75b3236258601a7f906

SHA512
7a1d84f05f2fa021cdd1f9d956982198cb0290554683d10129e2951329efa686dfd5826a16f2dff817cf83b71833f9161563a9a601723baf823aac2974767c46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\search[7].htm
Filesize
200KB

MD5
86e21b1d2b53cbeff9e875c8f98dfb2e

SHA1
2ba50afc08f2a36859ac075c06f6898b3011d326

SHA256
dfecfc14bbfd97ce93e3cced47678744ca220e89e9ba10bfeb5f639d2c578141

SHA512
57f98f152c3db176024159bc1fb7d8d82d117fec45fffc02d090342647f57b887571616cae45b52ee1bf6dc2a803b761db2a1d8a638db944e4e9c179329fa3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp824D.tmp
Filesize
41KB

MD5
3cdf935c9f0835b8a8a8426813849c64

SHA1
90cef637d243c873227b2e91e80dd1bb26696c71

SHA256
e40a46570b283f04acc24215bf71ddb6ef76843bbacefc1cfe8df87734071b76

SHA512
ac5506cd151a0e0414b36bb7b5f30b882f80b10fc3f10ae5fa37b82cba128510cf24cc3f23d4aa68aaa06d686d5af623da15d260868996973e4ee93a97c38dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
c5eb5c1f164711ed257be3f287b1474a

SHA1
0766f063bc3796bc7e053d87df3c3461fc9d6e12

SHA256
2dc12f0bc5aaf33bcba0d88b30cec93ec79c31dc32427002497a3cbda5934679

SHA512
b809fcf1f815d39402f4fee74c114a6c1ea0b13ae6c236288c3c1cb4c6efcc9699a83b6f44d00422ddcfd6a74ed1ec7166307625fd46917ab2cd1a34d2207768

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
aa0e54f59f8e5756966ce82c35f14a0c

SHA1
350576516dfa064bd692fe1ff159d73bb9b06e7e

SHA256
2aa6d1de5cdb8df87cc4625a3a0df7886f546146fa5c40a86fdec48cf11999e7

SHA512
7ba9edfca68264d8e5091367460e626877e888bafb3f712a49a91d5422e0a441c7f901be47c192830fe0ee6b7866020e00859c136b91263035b2767c9a95ad2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
37587879c9062ab7d4e357c48ec60ab7

SHA1
732a5a0ea22882e321c2c2995850625a9806a5a6

SHA256
12c0f3143a1e4ccb3b05e784264d3efbea57c299e36550ad8593adc397accb71

SHA512
4cbd7c36964958e9aaffd9e9cbb5152202c741986e66f5402c0b275d791acfeb9caa36e5edf4f0fbcfe1e7fff85acbe604a62f56ba7c797eac7258ce8281ac62

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
ad2eff3c3c35028fb05736838cc60424

SHA1
f065f2b85f90724702966ea58effa4fc2e96da3b

SHA256
2f066433c73aa528394d613682164da87fa4a4605af8d0ca614a73c053362d2d

SHA512
865ad46a4e9a8e853c05f20e7ea3c9015220089fb8fa03774782c87e83c8dfe2ab9dc1b016dfe3098bf1226276cc98984193bb0e3f514cc2cc48fb81b2cfb8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1428-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1428-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1428-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1428-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1428-311-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1428-307-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1428-154-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1428-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1428-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1428-305-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1428-276-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1428-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1428-278-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1428-283-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1428-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4232-277-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4232-304-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4232-275-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4232-306-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4232-151-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4232-310-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4232-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4232-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4232-37-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download