e02531934e0e658d6b349d1af9e4cc0dbb0da5e5184b8a17ac45320022031b42

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e02531934e0e658d6b349d1af9e4cc0dbb0da5e5184b8a17ac45320022031b42.exe
Size

41KB
MD5

ca6fabbe2b8cfb98acc3695eb2f73883
SHA1

203d7f8196d2c1d62db78f5c1a00acd857b56fe4
SHA256

e02531934e0e658d6b349d1af9e4cc0dbb0da5e5184b8a17ac45320022031b42
SHA512

93a3d1d2121e7667850e681a3627091e6a5a2f2968d5af0cb332c583680459263a04e4be91759914b793efc9444b5391fd422d4a68f943217c734320bb54273b
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

4012 services.exe

pid	process
4012	services.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3532-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/4012-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3532-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4012-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4012-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4012-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4012-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4012-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3532-31-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4012-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3532-33-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4012-34-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpD389.tmp	upx
behavioral2/memory/3532-173-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4012-174-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3532-201-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4012-202-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3532-203-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4012-204-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4012-209-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3532-268-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4012-269-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3532-278-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4012-279-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3532-283-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4012-284-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3532-354-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4012-408-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e02531934e0e658d6b349d1af9e4cc0dbb0da5e5184b8a17ac45320022031b42.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	e02531934e0e658d6b349d1af9e4cc0dbb0da5e5184b8a17ac45320022031b42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

e02531934e0e658d6b349d1af9e4cc0dbb0da5e5184b8a17ac45320022031b42.exe

description	ioc	process
File created	C:\Windows\services.exe	e02531934e0e658d6b349d1af9e4cc0dbb0da5e5184b8a17ac45320022031b42.exe
File opened for modification	C:\Windows\java.exe	e02531934e0e658d6b349d1af9e4cc0dbb0da5e5184b8a17ac45320022031b42.exe
File created	C:\Windows\java.exe	e02531934e0e658d6b349d1af9e4cc0dbb0da5e5184b8a17ac45320022031b42.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e02531934e0e658d6b349d1af9e4cc0dbb0da5e5184b8a17ac45320022031b42.exe

description	pid	process	target process
PID 3532 wrote to memory of 4012	3532	e02531934e0e658d6b349d1af9e4cc0dbb0da5e5184b8a17ac45320022031b42.exe	services.exe
PID 3532 wrote to memory of 4012	3532	e02531934e0e658d6b349d1af9e4cc0dbb0da5e5184b8a17ac45320022031b42.exe	services.exe
PID 3532 wrote to memory of 4012	3532	e02531934e0e658d6b349d1af9e4cc0dbb0da5e5184b8a17ac45320022031b42.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\e02531934e0e658d6b349d1af9e4cc0dbb0da5e5184b8a17ac45320022031b42.exe
"C:\Users\Admin\AppData\Local\Temp\e02531934e0e658d6b349d1af9e4cc0dbb0da5e5184b8a17ac45320022031b42.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\search[7].htm
Filesize
130KB

MD5
a07372341146e47c704050acc0725776

SHA1
976c647f9a78c9e3efdc6620882a6bf85b74ba7c

SHA256
991716c7784786862d378f22b2b787f17cb291464256ee8c9075f8cca6902478

SHA512
cf44d77495bb84ec002b0feece09e2cef347a6a93279f79bb960bc3f2746dccc4fab659e2b2044e11fdd42c34f9191c5413ab967798d5528e1e9fa0f29ee126d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\search[8].htm
Filesize
137KB

MD5
703662d2f6c3a5bb337c6a0f79e5c95f

SHA1
bad6a5750b3279b51dc952ce2edff8a5f1d5e52d

SHA256
802e024d3bf0dbc9e3b6a0603202ce58370350350bd154f89dcefa115035126c

SHA512
070f71c05d2c1c6b05ab5cb14f26fb2cb26f5b942945af7e93b187c34e270048509d2c47f553a7b3f25e5985fdc031ff1b9fb26f9ab4cef683fb9289cce0dc8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\FA697SRO.htm
Filesize
175KB

MD5
c834b03b9c696a5d983327e4bfdd6aa2

SHA1
ee33734f77ff334734deccf5bf47a2c706009b22

SHA256
64cc139dc101895f50ae8cf2c2ed433aac41de0fb960e30b2787503e2694a560

SHA512
ad9d5ce84c79a68f52313dc9d8951524c7e12b030b40b79a75fe6b748c5913c237b340217aa6364c6a5cbcf9a47d524186a317c5446c73eb71c36c3d296bb466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\search[3].htm
Filesize
114KB

MD5
f8264d0b204804a4adf7baf789dffe5a

SHA1
cc6aecfb0ec484ea533ed939341f2f11b2080e62

SHA256
73126b0936c5f5145d45d21f218392975c5ecdd9cdf9bffd9f71ea13fa746135

SHA512
ec949a3eef232536b29b60678e27bf3480dabb7f878a06010aa1be3b0e8f657ed377239e96c63dfeeede5c0ef657d2d9f636664029eee9d103fa55717e8b5ac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\search[5].htm
Filesize
164KB

MD5
a4ed6aad96803395aa5c3b0b86b6957d

SHA1
069dc69c7a9c8d9482483a06a3ee7872f065cec2

SHA256
cba4e88e0a00a89a5cb59f221dd4fefdddf64a10de2b8c2b134f1fad581777e3

SHA512
11e15082df7227d47cd8e234af14135d23bb0f433e656889bbe4c2608ca95b0e1944b07ba16f2df5f51527aaac39ecbb95caba7116e41da10d8558f7d4588788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\results[6].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\results[1].htm
Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\search5BX6X0CI.htm
Filesize
164KB

MD5
88e35f8169f98c09277df2aab532dcf3

SHA1
72a8ca3a1d4b49b05518c4bb273feb50e3735e29

SHA256
d5373c39ff555a47bdc94ed631b38de1a492d3d39fcd188c39751f9eb49db3a8

SHA512
04f8997211f877ecd042ccb5d47fd9b17b80d4c6e44f6618ea1b487ec9c0c040307e9bc0c84ed7679ab0519618d54dc1451e07bb3934c604162fa0402f499272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\searchKAJFOKP5.htm
Filesize
114KB

MD5
0b5122de8e488e7fdd9e68c246edf4b9

SHA1
1a0c3bdccdd1a113be5990fa523e5acee5d7bc4e

SHA256
5cb696b852968b49c24480970e0eb44ed54c75432a442f5e96bf67ce6bb5d85e

SHA512
709b150201833448174bba6ab05bb8733635d0afac9d85beb05ff3494b763a1ec5ad947e7df72a9af2bf7169f675858acd2a4e05cd8fd67c25e8e635c91e65f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\search[3].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD389.tmp
Filesize
41KB

MD5
570ff8dc056d9e8015cf18dc31a64851

SHA1
06bf1b8e26b714527efc2e131a5d6e3c44fab6ab

SHA256
113fbde11a1b421932fbe2bbc00f330c130b6fad18e5b424b55b4b3a73ebe191

SHA512
6e96341064ebdf4a0c6e58a8955ba32f7adb2faa4545cf2977ee7f262a5044654813c0e8f2b29f1779f18f8089df2af678d3d25d11599dbdfc6a2f72353da208

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
86cbf613f4a5a532e65ee1d794fd36f5

SHA1
5b6c5561d82d89c989899d39f8eed2eae1b97e10

SHA256
727e947bf9b715eae24cf46289610ed822b3509abeaeb6f9363a0276067c52b1

SHA512
d0568af90d118a8e5ca0c65de86885a1018ccf917803ce8b56a37b1c2c49b6a9f5b862b1e69851124e833df1557d1ef2300562603fafbfcaa9966592edab07c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
0d1cbf2b2583c4d19d0c7ee843756aa1

SHA1
a44bb43fc4b6467223408c5cae3ea07401cdea0f

SHA256
5d5d0a3d94d44597cd735a01be68cf9b8e37b005c786acd5c13ced58ad605a86

SHA512
233a7896c3e18a38933f984995a73212728875e1b3d20744c2b10038f88a0d9b43865ed6978eb5f20cd74e7cb905364b9f9d7f0dd2be683b616fb78b54521e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
0afa68e784819ceea819a74273e2d3b2

SHA1
06f9d9f030a2a502741795976f568d8128dbc790

SHA256
4f831936e19ea53dca701b523c4cb392cb6583da9422027dfff555bfc836ecfb

SHA512
f441ace44d417edae4e29aac2b569eca55fc720f70c2cf018087b724a6bbafc761eed058b65e48693761ee4fa701a50d4fae7722e8bfeacbdfab796f1f460e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3532-201-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3532-268-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3532-173-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3532-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3532-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3532-354-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3532-203-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3532-31-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3532-283-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3532-33-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3532-278-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4012-204-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4012-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4012-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4012-279-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4012-209-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4012-284-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4012-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4012-269-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4012-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4012-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4012-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4012-202-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4012-408-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4012-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4012-174-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4012-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download