56aa600f91ddec886ae148e2291b19dcd6eac872d626bfe13637938652e86091

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56aa600f91ddec886ae148e2291b19dcd6eac872d626bfe13637938652e86091.exe
Size

29KB
MD5

1174d83b6711272583a4657d2eaf35da
SHA1

59accc0c80edfe7725229efd8f247760194bb3c2
SHA256

56aa600f91ddec886ae148e2291b19dcd6eac872d626bfe13637938652e86091
SHA512

ddb8827108899f7eba0787adba084bc4c316d726a153b8d2f3867adee6079e4a44dcb81611bc521ba906e72f802320cdebdb8db0d06b881d66a847c2996eec1e
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/9:AEwVs+0jNDY1qi/qV

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

232 services.exe

pid	process
232	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2928-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/232-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2928-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/232-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/232-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/232-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/232-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/232-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/232-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/232-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/232-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/232-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/232-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/232-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2928-54-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpB5AC.tmp	upx
behavioral2/memory/232-176-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2928-175-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/232-319-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2928-318-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2928-322-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/232-323-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

56aa600f91ddec886ae148e2291b19dcd6eac872d626bfe13637938652e86091.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	56aa600f91ddec886ae148e2291b19dcd6eac872d626bfe13637938652e86091.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

56aa600f91ddec886ae148e2291b19dcd6eac872d626bfe13637938652e86091.exe

description	ioc	process
File created	C:\Windows\services.exe	56aa600f91ddec886ae148e2291b19dcd6eac872d626bfe13637938652e86091.exe
File opened for modification	C:\Windows\java.exe	56aa600f91ddec886ae148e2291b19dcd6eac872d626bfe13637938652e86091.exe
File created	C:\Windows\java.exe	56aa600f91ddec886ae148e2291b19dcd6eac872d626bfe13637938652e86091.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

56aa600f91ddec886ae148e2291b19dcd6eac872d626bfe13637938652e86091.exe

description	pid	process	target process
PID 2928 wrote to memory of 232	2928	56aa600f91ddec886ae148e2291b19dcd6eac872d626bfe13637938652e86091.exe	services.exe
PID 2928 wrote to memory of 232	2928	56aa600f91ddec886ae148e2291b19dcd6eac872d626bfe13637938652e86091.exe	services.exe
PID 2928 wrote to memory of 232	2928	56aa600f91ddec886ae148e2291b19dcd6eac872d626bfe13637938652e86091.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\56aa600f91ddec886ae148e2291b19dcd6eac872d626bfe13637938652e86091.exe
"C:\Users\Admin\AppData\Local\Temp\56aa600f91ddec886ae148e2291b19dcd6eac872d626bfe13637938652e86091.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1284,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
1⤵
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\44ZGVQ6R\JHOO2D06.htm
Filesize
175KB

MD5
389458d5a6c785b87569ba20b46999c5

SHA1
ee6acbd0ffedfc377fe8ebd08324a0aab7a1ceaa

SHA256
313589c9f6422fb07a866e6af72a61b1a1a960ea1190d952f10e0f7f37ab1761

SHA512
9c82cc0a70661cce952257e00b02e06150f9c4265ef4d7859bcf370ab94ab2ca66082fc159ea060f68e5436ec72acba7ce742870d739dcae6c1ec3b3a08f3a0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7UY3WOJS\results[4].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7UY3WOJS\search[4].htm
Filesize
138KB

MD5
f1060ce6b42118c0512d2a4f96a8990e

SHA1
bdba8fd7f441a31d8ffcef0ae967fccb47febf43

SHA256
f1a593f3ac1753ef56deed363bd1d26f38fb919a27e68d7bbec0a44f07498afa

SHA512
c0ac6d3b1ac55a42ca39ccef8131ba1c701937f2ba0a907429cbec04ce2870a9f0bd1c462d8b0537efcddb4d2de899d3615f962ae8aca811982e3b17ea9192c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7UY3WOJS\search[7].htm
Filesize
140KB

MD5
b10521e04a82775ef265f8a424e427e0

SHA1
df8ba00c7b820b46ae31917ec47abc28b3e2851c

SHA256
a9a89cdd1516ae1157157b07bf2675b37b03a899ce728719c5ba71b58b6ed4d6

SHA512
ad0b8d0cf41653a84cc1a295f41c9c14d326d793c2b6605e3d60c89b23c5d23c8d442d11a38aaee491d9a1e2d7702c0bc917a079cc959979ed3e611a626da0d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VVOFDIUO\searchP80N7Y3T.htm
Filesize
138KB

MD5
1ea99a23022bb9fb461f61b5a4b57d52

SHA1
2bc40081abce532ed876237f76f02fd4af243c4a

SHA256
5793ad12c40af42154046a0180dd88088ac01ea068a3ae4d56a97e6b7cdf7da7

SHA512
f449af7d80682cc9fe82dea63da5fca6c2450b1f3efbad45f7855b7372f1006288d05938cf7a3c445a8590a3e11d69ce2206536f66e3339683902ae83f5dcc02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VVOFDIUO\search[3].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\search[3].htm
Filesize
130KB

MD5
50f68ad828d318f6d7b4e0f959bb6f11

SHA1
86914b6f26f8f5c7275184fc2f2f8e7e83072d4a

SHA256
aaea97dbe1cb34467e9c84a6a0ec0780643c38e77968b5e0f390546e242323fa

SHA512
d3b8744e29badb21424c4e463d623df34f61264efc1615df2243719845e29bd4b8ae928f1c4c1e8e6eb6599a8666d33dca44cade2363ca4e65f0465f1bf9c3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB5AC.tmp
Filesize
29KB

MD5
345ce894912faf8d40f923ee733a5ac5

SHA1
f19e9dfc0cf6f5b3ee86264e450f29a1f14e0337

SHA256
d368b336de639c13aec0364817108f05d04f5210105f166fa5b3c704a812dc80

SHA512
4100af2c4c2ca92271e479e665f7d7264b7664cc4313cd8c5a1c874532019a79ef26081b31cd127e6bc96942f62a1d82cec6a0abb1ce4abcbae0d8bed1c6cbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
352B

MD5
749f0e94981a5d59c5338a7d302ad3da

SHA1
115a9736163805f8e9aa20e37e79530de363ebc1

SHA256
006d202ee110b1f69310d6e9ad34b3e6f0b16d957a21418e81df02e0b47b9b84

SHA512
847d467dd5dcfc40898b310cb74bc89da944b98a8a60de8d8bd2e9210b0715e3832835c197c9831fc59851349541f1604d208de648d0dd62fa9afe8d660bcaa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
352B

MD5
0708fcea98740423a9c4f6f970ef4f61

SHA1
62206156fd8965980e20dfde69465763e3f734f4

SHA256
87729ecd7fdc163e815c896daa6d25a6709883bd11d6bedf80f91a08ef97ccde

SHA512
27c9fe7f422f9d790318e850cedca8066347465c817d5fd68b890e17c9939cee7c3c6f8f0387ccba8c718b34b9f30ccf95e5ec16d1343b5f2db5039085de2b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/232-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/232-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/232-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/232-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/232-323-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/232-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/232-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/232-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/232-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/232-319-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/232-176-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/232-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/232-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/232-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/232-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2928-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2928-175-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2928-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2928-318-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2928-322-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2928-54-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download