004589df86e90096a63c78045cc7e1c328ea3863e904572dea5a64e576969b2a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mail.com.exe
Size

42KB
MD5

17fbc834b7ce83e295cbb7601a5a9899
SHA1

901b686e1ef9729764a1145da1979a7621cf850f
SHA256

004589df86e90096a63c78045cc7e1c328ea3863e904572dea5a64e576969b2a
SHA512

c722ab16c433e2af8de91118ef731fb6ee147d221cc7ed70a49cc2fb7db84b2138132ca7f213745274ca1e4940d468833a210c2608b19ab78eee4cf368d21570
SSDEEP

768:tdAkXGqv1GypfcHrk1DqAHNS/BHPmeWcTeYdC9VOV0rxAdeV1:tdAkXGqECcwYgw9PNSa0GQ

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

3912 services.exe

pid	process
3912	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\services.exe	upx
behavioral2/memory/3912-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3912-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3912-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3912-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3912-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3912-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3912-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3912-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3912-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3912-102-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3912-226-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3912-265-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3912-269-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3912-270-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3912-290-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

services.exemail.com.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	mail.com.exe

Drops file in Windows directory 3 IoCs

Processes:

mail.com.exe

description ioc process

File created C:\Windows\services.exe mail.com.exe
File opened for modification C:\Windows\java.exe mail.com.exe
File created C:\Windows\java.exe mail.com.exe

description	ioc	process
File created	C:\Windows\services.exe	mail.com.exe
File opened for modification	C:\Windows\java.exe	mail.com.exe
File created	C:\Windows\java.exe	mail.com.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

mail.com.exe

description	pid	process	target process
PID 3336 wrote to memory of 3912	3336	mail.com.exe	services.exe
PID 3336 wrote to memory of 3912	3336	mail.com.exe	services.exe
PID 3336 wrote to memory of 3912	3336	mail.com.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\mail.com.exe
"C:\Users\Admin\AppData\Local\Temp\mail.com.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E9YVC3IR\results[4].htm
Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E9YVC3IR\search[4].htm
Filesize
147KB

MD5
38052664a69635c2ab41194185527de4

SHA1
1971701cedc57805b6b06cbc68856a111ca9b90e

SHA256
b1833be83e4950cff83373b0f40ba2b1ac23e2fe1f4ffb7a20d5c70b052e80c2

SHA512
10d5eec16f839e46460dc833215344ff2c27773a83e685b6402353d4524500d7bfb99af0f0c2021e531d84216dadcd8b236766fedf981e475b04ffd4537b5282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G7AAJOBN\search[4].htm
Filesize
114KB

MD5
9d43630dba1417f437ea73e53fcf0b66

SHA1
c9203068a3a297014d5e3dde170b7de12a01a419

SHA256
f7a4b9d3c0274baec40f3f36679fd8bb9646831abe670b3c0ebc1971ab12d743

SHA512
142e8cf6d69aabf75b63d3562a363cb21241542c90a5e53314288c92fe5936fb0ecb4d695c8958c01d2c729c304e88ffdc14098dd52241b1efc5f973c2a866b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\results[4].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\search[2].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XIQH11PJ\PW7EA164.htm
Filesize
176KB

MD5
be215273b167ed118e1dd94c2b5cf2c8

SHA1
df3beac2aee2b574ab1f98a8d8b7fb2637070751

SHA256
3750bb5c92f10bf8950249fe232939758d931a03359f54449b299569d642cf2e

SHA512
9e4e0208cbc4b55ef147250d1f44a58d9721733b0e528819077fd66903094df411ba080b5b2ef22df73a6513f8ac1080b94a34b44d236b5bdf6980e996e8fdc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9CFA.tmp
Filesize
42KB

MD5
9d5dec5325818a08eb6e65b331f8394a

SHA1
fd243df6107ebd345f87e74bf825d1a7f2ad3b86

SHA256
d54cdd250df5a453edb790550295be6c940648f1fd64f36cf81b1f4bf6061acf

SHA512
12dc8b9d64a5cc345dda07150a9c65cb0c798c213d82747643cea36f4f2047991e95b6507317e83f2b2e4ac271a437662e5ddb70b36aeb941e8a7619c69f9149

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
96B

MD5
26a865d0e3705e9d6defa706d418969f

SHA1
ec72c9878d5283113a321275a73e82764a451ade

SHA256
9af9022702e5ef6d53bff6a33d7e65a1ffc13d9a63f168411aff411bbd4e13f4

SHA512
cb82876feb79b2e756af89dc7d24a2778c3daf1232dc3b424edab929ae87ed309bbaac555f00208653a919988c825473d1d9db681791b47038ad52922617ed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
96B

MD5
7cd7aab9f3b2db6a3c35bfcabc47f26a

SHA1
f06add4846c7ba9b17348bf30ed1e4ff83e96901

SHA256
9aeeefe0d33373b91fcf98d071b3c9be5c50bfdbfe6f00e3c5668985199e134b

SHA512
d5e7e7e56dc8cc36e6579358d77eef0cf386d0e6e6394be6579d7776edb425218796834abe51f28febde111a85626d84b3f11a4da865454f45de79743a3c138a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqqgfiy59.log
Filesize
64B

MD5
ef009cd26d6d91523a0d830209274e49

SHA1
eb3f39352798bb2fef06ce215d255104a71308d2

SHA256
696cefdffc5895b60b298eeba3d7c4276f85d4489e25db238984294cc470597b

SHA512
00644f5aebacbb5e2941c74f386e8672b1eeaf5532785170f3faeefb56a057a96fb2fc9921c4d239964a3c6aa9f81f73dee6438cd61383ba8e0fa5ac47368049

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3336-0-0x0000000000500000-0x0000000000511000-memory.dmp

Filesize
68KB

Download
memory/3912-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3912-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3912-102-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3912-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3912-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3912-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3912-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3912-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3912-226-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3912-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3912-265-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3912-269-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3912-270-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3912-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3912-290-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download