73527e375c46ef325a4cdfb2efadb6e1ecd2e01ee09f19b50b61dfde6edbaf4b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73527e375c46ef325a4cdfb2efadb6e1ecd2e01ee09f19b50b61dfde6edbaf4b.exe
Size

41KB
MD5

212860a932072c9914054c63bac99d3b
SHA1

adb9a5a17fc893a556ccb4058a07c94c8651f141
SHA256

73527e375c46ef325a4cdfb2efadb6e1ecd2e01ee09f19b50b61dfde6edbaf4b
SHA512

ef8423f8d3defb40fb4345c4840199a77a024136d72fa13bc9da9c4b54c47826e2320f8eeed18b37a0932253704412f694bfafcf64fc3635bf2d8cfa6516ee21
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

1252 services.exe

pid	process
1252	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4704-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/1252-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4704-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1252-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1252-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1252-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1252-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1252-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1252-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1252-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1252-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1252-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1252-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4704-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpE6A2.tmp	upx
behavioral2/memory/4704-76-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1252-77-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4704-197-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1252-198-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4704-262-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1252-263-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1252-271-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

73527e375c46ef325a4cdfb2efadb6e1ecd2e01ee09f19b50b61dfde6edbaf4b.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	73527e375c46ef325a4cdfb2efadb6e1ecd2e01ee09f19b50b61dfde6edbaf4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

73527e375c46ef325a4cdfb2efadb6e1ecd2e01ee09f19b50b61dfde6edbaf4b.exe

description	ioc	process
File created	C:\Windows\services.exe	73527e375c46ef325a4cdfb2efadb6e1ecd2e01ee09f19b50b61dfde6edbaf4b.exe
File opened for modification	C:\Windows\java.exe	73527e375c46ef325a4cdfb2efadb6e1ecd2e01ee09f19b50b61dfde6edbaf4b.exe
File created	C:\Windows\java.exe	73527e375c46ef325a4cdfb2efadb6e1ecd2e01ee09f19b50b61dfde6edbaf4b.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

73527e375c46ef325a4cdfb2efadb6e1ecd2e01ee09f19b50b61dfde6edbaf4b.exe

description	pid	process	target process
PID 4704 wrote to memory of 1252	4704	73527e375c46ef325a4cdfb2efadb6e1ecd2e01ee09f19b50b61dfde6edbaf4b.exe	services.exe
PID 4704 wrote to memory of 1252	4704	73527e375c46ef325a4cdfb2efadb6e1ecd2e01ee09f19b50b61dfde6edbaf4b.exe	services.exe
PID 4704 wrote to memory of 1252	4704	73527e375c46ef325a4cdfb2efadb6e1ecd2e01ee09f19b50b61dfde6edbaf4b.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\73527e375c46ef325a4cdfb2efadb6e1ecd2e01ee09f19b50b61dfde6edbaf4b.exe
"C:\Users\Admin\AppData\Local\Temp\73527e375c46ef325a4cdfb2efadb6e1ecd2e01ee09f19b50b61dfde6edbaf4b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E9YVC3IR\search[3].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G7AAJOBN\B1TPXKR5.htm
Filesize
175KB

MD5
2741d39db0689fdecc1db920692a1b1a

SHA1
4e6f9cca6ccde1a8da3c27af78daf4b5c068a946

SHA256
f767058ee5686ebc2c02fbd5abb262012978574dc4a1d58ae9b61a3d6dceb2c0

SHA512
1d6578222094a15258063edb4d4e1b4868b8c6040ae5e5c03779069e126b22a27c82eea204d254a903585d8a90e6c3cfa62f18f9278c8290b623ec09b536c7a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\results[2].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XIQH11PJ\RJWCOQES.htm
Filesize
175KB

MD5
02bb790a23d0b0f238724af01575a675

SHA1
4a15aaac0cdf683fb7cbdaccfb6618bd6c02e514

SHA256
11437743d478b7de277e77e45aa7f66abca6aacf9b57d25bd26fd4268c5e4d4f

SHA512
daba611962273b475aab58e6ba746458addfe285ab08c79c3f060a870c2ca2ddd4dc2d4f8e0fa11cd2cbf57f8ba68735395fc111aa5b3d5bacf9ea6076dc4553

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE6A2.tmp
Filesize
41KB

MD5
698317c8d4e99272735de0c62b6e5b16

SHA1
ee5ad40aa600e67e62c6fb7bd5b9054bdce5a56e

SHA256
62533aa0fd7cfc9967e9e22d613861ed2d29d878aaeea81c693864ac6da94df2

SHA512
cab960ce193f90924aa4503fff0fd713836c559b408444b1a9cbfafdb556ee24763c9b8fda8ec36f5dab2406c7600173232b23ee1d4dbedab8f551c6573da33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
1413b6a5ed57f21d3c42bfc191408480

SHA1
ff0e5c6830a6403ec955e246d118b0087bec2188

SHA256
9d8ad1bb18f0723dd336123e1b361a282fda9deea5215d1ff81f078482430056

SHA512
91d7f0a5bd5b20192f8913c1fe620dd6eb323c95f9218fc1dd2a8ca574077752e03d719d0c270152e3ff10fdf1711194eb9bd57760ecbe1409f308fd9dee98c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
6543d6357274a373502b8dea7e236806

SHA1
1f1ac3b653a473e4b55e937aa8ef9605551a5d37

SHA256
fe901ee214364281377f44825cc37844c69472a619f931e1908914d4c81be959

SHA512
f38cb5a4b4a875bae229c1687a3868924d58794706fa57ee1f96df3a2ee94aa2bb3f98d4bd94ec02fb6b440bd97b83a5f5d364079f61ed80ee3df8f2279f98d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1252-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1252-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1252-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1252-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1252-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1252-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1252-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1252-198-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1252-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1252-271-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1252-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1252-263-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1252-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1252-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1252-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4704-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4704-197-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4704-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4704-262-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4704-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4704-76-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download