d735c134a1b214964dd6d9f95cc0ba010a24899b1f8a6baaaf0283cfa3c2f53c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d735c134a1b214964dd6d9f95cc0ba010a24899b1f8a6baaaf0283cfa3c2f53c.exe
Size

29KB
MD5

8047e01980f57b94e060c2c3929e9c91
SHA1

330320baa14045ec475348b72405026fee0d1836
SHA256

d735c134a1b214964dd6d9f95cc0ba010a24899b1f8a6baaaf0283cfa3c2f53c
SHA512

8e2772edd79d1762161184a6a0fde3e061ca94901d16ed80636f4bfe212cd512ebaf1c4894a96246244c3e307c60a1c03c9f0c4170091609dfddd0073af43f22
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/l:AEwVs+0jNDY1qi/qd

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

1284 services.exe

pid	process
1284	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3808-1-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/1284-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3808-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1284-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1284-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1284-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1284-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1284-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1284-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1284-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1284-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1284-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1284-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3808-54-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1284-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3808-59-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1284-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmp1340.tmp	upx
behavioral2/memory/3808-213-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1284-215-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3808-300-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1284-301-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d735c134a1b214964dd6d9f95cc0ba010a24899b1f8a6baaaf0283cfa3c2f53c.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	d735c134a1b214964dd6d9f95cc0ba010a24899b1f8a6baaaf0283cfa3c2f53c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

d735c134a1b214964dd6d9f95cc0ba010a24899b1f8a6baaaf0283cfa3c2f53c.exe

description	ioc	process
File created	C:\Windows\services.exe	d735c134a1b214964dd6d9f95cc0ba010a24899b1f8a6baaaf0283cfa3c2f53c.exe
File opened for modification	C:\Windows\java.exe	d735c134a1b214964dd6d9f95cc0ba010a24899b1f8a6baaaf0283cfa3c2f53c.exe
File created	C:\Windows\java.exe	d735c134a1b214964dd6d9f95cc0ba010a24899b1f8a6baaaf0283cfa3c2f53c.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d735c134a1b214964dd6d9f95cc0ba010a24899b1f8a6baaaf0283cfa3c2f53c.exe

description	pid	process	target process
PID 3808 wrote to memory of 1284	3808	d735c134a1b214964dd6d9f95cc0ba010a24899b1f8a6baaaf0283cfa3c2f53c.exe	services.exe
PID 3808 wrote to memory of 1284	3808	d735c134a1b214964dd6d9f95cc0ba010a24899b1f8a6baaaf0283cfa3c2f53c.exe	services.exe
PID 3808 wrote to memory of 1284	3808	d735c134a1b214964dd6d9f95cc0ba010a24899b1f8a6baaaf0283cfa3c2f53c.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\d735c134a1b214964dd6d9f95cc0ba010a24899b1f8a6baaaf0283cfa3c2f53c.exe
"C:\Users\Admin\AppData\Local\Temp\d735c134a1b214964dd6d9f95cc0ba010a24899b1f8a6baaaf0283cfa3c2f53c.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E9YVC3IR\search[1].htm
Filesize
166KB

MD5
33bfabe2b2696e264e06d11e6c6c8aaf

SHA1
111953c4d115ec99f484ec8d56f0a18b6a436ce0

SHA256
c65253586426fe12f68e6885834b722819610f025ce99f958ae0125ab1f6d4cf

SHA512
5211e0a551d365caa197cd3b555ec25dc4a73c9af36a07e1a07dbcbb8c84493a3e11fae73f9a1366609fc49e35c8580cd953210d2cd5d6c220bab3e34046f5d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\KV3MMEG6.htm
Filesize
175KB

MD5
36f36f7a1a1b57c067362ec808453e72

SHA1
55706d10dc7f3dc9280f38b17c339ff9cf53c3ea

SHA256
1576ee1fcf280fde193c2c99934c06ada48ed7aa40029ef90786ed71933a0bf5

SHA512
5390aafad69d8e26fd8de0e3ec8027dfe7baa44b39c3f3034dc217eb80f6b7c82a18f5836835f73bd9af23680439543808178ff4afd46167efb74da5e9e25e8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\results[2].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\search[3].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\search[4].htm
Filesize
143KB

MD5
55636db16c0d38f60d05490ab6bef65c

SHA1
33be89913dd296273f322b7b3e824cdfa8c81b92

SHA256
f5cfe2577051d4eeb332ca09eed9a04673566e74100bf1f9204f453932196166

SHA512
bbd3f68e8490ce9d2f134f115213df7d18bfc48ed243530ae66974166614125c6a2be24a15951d0bbb35c58b40e9e91d173b51856e7d14abcac9931af293ed79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XIQH11PJ\default[2].htm
Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XIQH11PJ\search[4].htm
Filesize
129KB

MD5
b6a5df238d9f1af2f4fcf6a84ff06629

SHA1
5f3734de3883e882df562756149a6d65104d1838

SHA256
6b423c38b9c1f6a912a19288039b560cf184b6bf8d9d71c6738381dab39e3225

SHA512
0b26b3cc2af40a2ea21337c685dcca233b0efe8253c3bf52d17556b413f1b3c122a5ceae9030a5a6cdde67acec83913c544342f2e86e37e62bb36ffb8a0d6415

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1340.tmp
Filesize
29KB

MD5
de6d57764eec1596a2002616cb46936c

SHA1
38b442c523f715b8572e0344ccf600de32dd2e26

SHA256
1ab9545683362e0670302a1de32fcf7b05c58b8dca5357851e4d1a96fb171297

SHA512
997d8ff303c639f23cc98e79ed5accaed17aac6456827ced295eedc290e483a37f40c0872b28ddad1dc660b4c8dd62af2e50ea39f6dafff7194a42aca074d4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
352B

MD5
c3ac6f2c5de50780e47732f2a9bb5f7d

SHA1
95de8fadcb5b4dcc9c241a4f31d3f4afa6074420

SHA256
de2d4e20e683b2e7ab4643e1210b3d590e661229751bef4c291a570533333999

SHA512
bd85a3145add8ce180447f872bf936800a325a1e2f50b0fe7e0b64544d6a4dc894226bff864d87104afd71421a2978fc0c13a520ddf9fc3ff2ae46f8c66dfa88

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
352B

MD5
17653dcd9bc77b81b0ebc07073c0440f

SHA1
1f4d97d52e1a6ca8ea0ee13212c35450f61d7962

SHA256
0e714ad9b113d36dbe6993a81ab89043de6add4d30eaaf106b08b20115173230

SHA512
e2a21157015bdd19d0be292d75028cf5f79223b314119f9725efce692a11f913f3e8b6ea3891ec20cf6c411c71449ad28b2d7b9152b3ec001a1b342dac5f2735

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1284-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1284-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1284-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1284-301-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1284-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1284-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1284-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1284-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1284-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1284-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1284-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1284-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1284-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1284-215-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1284-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3808-213-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3808-59-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3808-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3808-1-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3808-300-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3808-54-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download