af5265c6a73a8cd3a6bf67fdc79c18b3d2bd52c8fb95ee5af5f827e24b29519c

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af5265c6a73a8cd3a6bf67fdc79c18b3d2bd52c8fb95ee5af5f827e24b29519c.exe
Size

41KB
MD5

51f113b51af8ad8944497a3889da6f9e
SHA1

5fb3c1de79ba2c0a458bd0ea344922fecfc93965
SHA256

af5265c6a73a8cd3a6bf67fdc79c18b3d2bd52c8fb95ee5af5f827e24b29519c
SHA512

d4ce1e12b5678c23f92726b6dc266c33245fddb749ea4d37333d6a47280284e2e6094c87407566389dfe9c7e080cafb8905ab5da7d132806e73fe78aa0072f12
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

2068 services.exe

pid	process
2068	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2980-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/2068-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2980-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2068-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2068-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2068-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2068-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2068-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2068-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2068-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2068-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2068-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2068-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2980-54-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2068-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2980-59-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2068-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmp239D.tmp	upx
behavioral2/memory/2068-247-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2980-246-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2980-325-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2068-326-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

services.exeaf5265c6a73a8cd3a6bf67fdc79c18b3d2bd52c8fb95ee5af5f827e24b29519c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	af5265c6a73a8cd3a6bf67fdc79c18b3d2bd52c8fb95ee5af5f827e24b29519c.exe

Drops file in Windows directory 3 IoCs

Processes:

af5265c6a73a8cd3a6bf67fdc79c18b3d2bd52c8fb95ee5af5f827e24b29519c.exe

description	ioc	process
File created	C:\Windows\services.exe	af5265c6a73a8cd3a6bf67fdc79c18b3d2bd52c8fb95ee5af5f827e24b29519c.exe
File opened for modification	C:\Windows\java.exe	af5265c6a73a8cd3a6bf67fdc79c18b3d2bd52c8fb95ee5af5f827e24b29519c.exe
File created	C:\Windows\java.exe	af5265c6a73a8cd3a6bf67fdc79c18b3d2bd52c8fb95ee5af5f827e24b29519c.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

af5265c6a73a8cd3a6bf67fdc79c18b3d2bd52c8fb95ee5af5f827e24b29519c.exe

description	pid	process	target process
PID 2980 wrote to memory of 2068	2980	af5265c6a73a8cd3a6bf67fdc79c18b3d2bd52c8fb95ee5af5f827e24b29519c.exe	services.exe
PID 2980 wrote to memory of 2068	2980	af5265c6a73a8cd3a6bf67fdc79c18b3d2bd52c8fb95ee5af5f827e24b29519c.exe	services.exe
PID 2980 wrote to memory of 2068	2980	af5265c6a73a8cd3a6bf67fdc79c18b3d2bd52c8fb95ee5af5f827e24b29519c.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\af5265c6a73a8cd3a6bf67fdc79c18b3d2bd52c8fb95ee5af5f827e24b29519c.exe
"C:\Users\Admin\AppData\Local\Temp\af5265c6a73a8cd3a6bf67fdc79c18b3d2bd52c8fb95ee5af5f827e24b29519c.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D5DFSS0T\search[10].htm
Filesize
166KB

MD5
94e129d77275013d5b068f97c487b564

SHA1
ccbd573b94c63e4d73fbc2ae706e36f9305d8403

SHA256
b106d1e8e18fa936a3cbbdb9bd4327f74a35b989f7bb91edd813b520dfd481b8

SHA512
bcdade7ff211f50cb5cfc3377839e5a945b51f396c1ab269b50bace302bdb939063eeacc41c8aac20453db7541cadf8ad48cdbb0747d5ac2d0da921caa01c589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J2J1W33T\8P29XIJD.htm
Filesize
175KB

MD5
cc72b04aa8f0f48c4f7c93295747d005

SHA1
e09aaffd23ccc0f7c1676993370f9881b3fd6231

SHA256
9066ee4b46e4b8e79d546509e6002db7be95da3a616a2b65af08b13aebcb7ecc

SHA512
ca21c77fd4c2c17fecce89a4fd2e472bd46171ca2e0a51072f70d807c66b042f6200240a76490aad3a0fdca3651f6e800c04238334b050c616789b95c4f03d41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J2J1W33T\search[6].htm
Filesize
130KB

MD5
9958cf5100061375ca09a0f56e9934a1

SHA1
8fb8bb07bc6d48a752d8e905741fe927e5fe171a

SHA256
2eff48feef5a7c71dacce632ea48ca4ec3df9e2954c89cb8e9c1862b024bcca5

SHA512
07008de3e95c2e52afb543617c17a7ac78d21ec7ecfcecd06973da20015cdd5b2c394fb23bce1a5c0d71520daf1147f3106392136c6072a095c2fff61c12eddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\search[2].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp239D.tmp
Filesize
41KB

MD5
efa97b2e31526ccd171fb96a788956dd

SHA1
cc538b8b7fcdc56652fa56f614ac182c3fd2a5d4

SHA256
8944762b885339e5996f3afffe8b6617d96b4180f8004141e02b9b54f89f64bd

SHA512
7e64567e6a8a9ac892429d5ce77cbea2df9898ff9cc1cc843eedb8ce043f2327d28542bebd47c6bb2a97149ce9f7df5b3835aa4a87d27b94e0f0502ce149d9cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uCu4vn.log
Filesize
128B

MD5
e0c1837276c206401d864f79aabf5c39

SHA1
08a90d16dc694992085551efdb64824b8cb9bad9

SHA256
6c6194b831347f3e08ab76a3aa227a656256ea13c71f66341efdbaccef8cc850

SHA512
375592fa86ac1de90537cc210758b20094679974d99f4a0ac18473bcb108c0a3bbf4a85706a67a7fb6b6d51cc30da16e4e3fd27420ce34e8e7a9bc46ed5e2ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
3c8e176ab1600733e6d4599290244382

SHA1
a171b882f4ead69115565b07ca2d9c51333ae4a8

SHA256
9ade14e7d8c29ce7ae8367fd240b812827bb47150659a2aca0a4ca445b9c3bf2

SHA512
5370f6987c99ae1793c35d50a8dd16c7c6f43d3516aea7c1767bf8a071e6a39a20226dbad574bff004f7c0a3ed9eaccf4da59bb5d42f0fce2b6c1bd3c8a84339

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
31284cc0cb33ae8439bf16ca7258f432

SHA1
05af31118445a83cb7b08eebf31015da32fc95c7

SHA256
c23c39ae95b687378bb97d80766840c0cc0a21c7535faf81e753d5ccc08ec1e9

SHA512
f3afe41c685b23b6d29744847aa28170f9142ba8518c81a84737678744f04dce63356e21f6796a97a526e28edd0202643f1c98db3b8ea109590b2423a1278528

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2068-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2068-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2068-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2068-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2068-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2068-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2068-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2068-247-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2068-326-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2068-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2068-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2068-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2068-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2068-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2068-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2980-54-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2980-246-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2980-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2980-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2980-325-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2980-59-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download