Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-05-2024 19:19
Behavioral task: behavioral1
Sample: 183d88bb9b02a073b72b7c2996c520b2ae7967b7decb50153aacef52a5d00e3a.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 183d88bb9b02a073b72b7c2996c520b2ae7967b7decb50153aacef52a5d00e3a.exe
Resource: win10v2004-20240508-en
General

Target: 183d88bb9b02a073b72b7c2996c520b2ae7967b7decb50153aacef52a5d00e3a.exe
Size: 29KB
MD5: 4d83247af7f98fd81669ed48b84d3d37
SHA1: db0dfa8a3d85979a6600bcdcc95f55a6c864634c
SHA256: 183d88bb9b02a073b72b7c2996c520b2ae7967b7decb50153aacef52a5d00e3a
SHA512: 12b31af6af471a45fd61ed0bd67615e38dc131b39f16e780c341da16ce2bac0f9520a64cd7ebda96efa15f288aa9dfe430ce86c5fc9c3a6377e685ef6e212db4
SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/TW:AEwVs+0jNDY1qi/qi
Malware Config
Signatures
Detected microsoft outlook phishing page

Executes dropped EXE 1 IoCs
Processes:
pid   process
872   services.exe
Processes:
resource                                                                    yara_rule
behavioral2/memory/464-0-0x0000000000500000-0x0000000000510200-memory.dmp     upx
C:\Windows\services.exe                                                     upx
behavioral2/memory/872-6-0x0000000000400000-0x0000000000408000-memory.dmp     upx
behavioral2/memory/464-13-0x0000000000500000-0x0000000000510200-memory.dmp    upx
behavioral2/memory/872-14-0x0000000000400000-0x0000000000408000-memory.dmp    upx
behavioral2/memory/872-19-0x0000000000400000-0x0000000000408000-memory.dmp    upx
behavioral2/memory/872-24-0x0000000000400000-0x0000000000408000-memory.dmp    upx
behavioral2/memory/872-26-0x0000000000400000-0x0000000000408000-memory.dmp    upx
behavioral2/memory/872-31-0x0000000000400000-0x0000000000408000-memory.dmp    upx
behavioral2/memory/872-36-0x0000000000400000-0x0000000000408000-memory.dmp    upx
behavioral2/memory/872-38-0x0000000000400000-0x0000000000408000-memory.dmp    upx
behavioral2/memory/464-42-0x0000000000500000-0x0000000000510200-memory.dmp    upx
behavioral2/memory/872-43-0x0000000000400000-0x0000000000408000-memory.dmp    upx
C:\Users\Admin\AppData\Local\Temp\tmp39D5.tmp                               upx
behavioral2/memory/464-151-0x0000000000500000-0x0000000000510200-memory.dmp   upx
behavioral2/memory/872-152-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral2/memory/464-283-0x0000000000500000-0x0000000000510200-memory.dmp   upx
behavioral2/memory/872-284-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral2/memory/464-287-0x0000000000500000-0x0000000000510200-memory.dmp   upx
behavioral2/memory/872-288-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral2/memory/464-292-0x0000000000500000-0x0000000000510200-memory.dmp   upx
behavioral2/memory/872-293-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral2/memory/464-337-0x0000000000500000-0x0000000000510200-memory.dmp   upx
behavioral2/memory/872-338-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral2/memory/464-490-0x0000000000500000-0x0000000000510200-memory.dmp   upx
behavioral2/memory/872-491-0x0000000000400000-0x0000000000408000-memory.dmp   upx
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 183d88bb9b02a073b72b7c2996c520b2ae7967b7decb50153aacef52a5d00e3a.exe, services.exe
description        ioc                                                                                                       process
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"         183d88bb9b02a073b72b7c2996c520b2ae7967b7decb50153aacef52a5d00e3a.exe
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"   services.exe
Drops file in Windows directory 3 IoCs
Processes: 183d88bb9b02a073b72b7c2996c520b2ae7967b7decb50153aacef52a5d00e3a.exe
description                    ioc                       process
File created                   C:\Windows\services.exe   183d88bb9b02a073b72b7c2996c520b2ae7967b7decb50153aacef52a5d00e3a.exe
File opened for modification   C:\Windows\java.exe       183d88bb9b02a073b72b7c2996c520b2ae7967b7decb50153aacef52a5d00e3a.exe
File created                   C:\Windows\java.exe       183d88bb9b02a073b72b7c2996c520b2ae7967b7decb50153aacef52a5d00e3a.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes: 183d88bb9b02a073b72b7c2996c520b2ae7967b7decb50153aacef52a5d00e3a.exe
description                       pid   process                                                                 target process
PID 464 wrote to memory of 872    464   183d88bb9b02a073b72b7c2996c520b2ae7967b7decb50153aacef52a5d00e3a.exe   services.exe
PID 464 wrote to memory of 872    464   183d88bb9b02a073b72b7c2996c520b2ae7967b7decb50153aacef52a5d00e3a.exe   services.exe
PID 464 wrote to memory of 872    464   183d88bb9b02a073b72b7c2996c520b2ae7967b7decb50153aacef52a5d00e3a.exe   services.exe
Processes

C:\Users\Admin\AppData\Local\Temp\183d88bb9b02a073b72b7c2996c520b2ae7967b7decb50153aacef52a5d00e3a.exe
  "C:\Users\Admin\AppData\Local\Temp\183d88bb9b02a073b72b7c2996c520b2ae7967b7decb50153aacef52a5d00e3a.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 464

    C:\Windows\services.exe
      "C:\Windows\services.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      PID: 872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1316,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:8
  PID: 1388
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 175KB
MD5: 86c41cfde33dd03ea167f87527f6d5de
SHA1: 3e2756fa96586c0b40e436058c3371033170f032
SHA256: 472eb9933bbdbb8e6c63b9c1bbdedb9e285a6ae9d11793d0241550279c23e20d
SHA512: efb6767947d64ad1bfa541d62adcddd1ece3b979af7b7df8a77e421814e89ea24b0f104ce9058181d584fcc951e313bf405d4b4b57be65c008f9870afd6fdcad

Filesize: 312B
MD5: c15952329e9cd008b41f979b6c76b9a2
SHA1: 53c58cc742b5a0273df8d01ba2779a979c1ff967
SHA256: 5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
SHA512: 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Filesize: 119KB
MD5: aef6979eacf9421cfe28f7181c097419
SHA1: cca604a8230e18efaaaa7e1e7ef2b4b8e89d38f4
SHA256: d93d6878d4937c43b64544c27689515a69cf0f10c793ebfecdd3e7d6f7dd3195
SHA512: 0bb218dffc89f48aa18a3d0275a2d740f9f34d2336b0924bd7f75118092866960830a252801a6b6cb293f0951e09458981b8ce0fb8f2504c90bfdd3c7d137230

Filesize: 102KB
MD5: 567412ee3e122d36140b8ed7ab147e3b
SHA1: c356a104f8444fbe678fcbfa2a7acabaed290fee
SHA256: d6a65879c00de49a5afbd8b001f465a635ea20af264f343052a42bec9cb31178
SHA512: e37dd6a0ab444f0a0343ed0c1097723a2f1c7047b9f5ca1c8348340d68fc96508120c1ca59a04fad7df106ad74792768b14919f19c15f3cec2a8772f4bcde87b

Filesize: 115KB
MD5: dad2d0a7810df12b1e6adbb3f00ede74
SHA1: 74c5aaea454019bd17aa6ac65571f400f79447ae
SHA256: 4ca83826dd50b118c6a48605a8b0ff469f21e7f04c1fee16f2eec95a2db71e1e
SHA512: 39698655d87f9a9fcf99eb3c15b3b41d54687f130fe505598d100a2799388b52183bf4c90bb3ab4517fbb7229a0b7a605cce4227344d5e04297b5d7e9b983e51

Filesize: 175KB
MD5: 3443dab2e901c3b82ce60185b5704829
SHA1: da9802d89a7f9a9710de2c1a6f892ad9f6623ed0
SHA256: 61ba9d442be03f6d7c73db1dcc28c42f81bb224db7c688f3369f928b2fede39d
SHA512: dac06be161708cd4394a9c0a674ac888f4213ddefaaa05e0736c92cad8d66eebe43f5e64f0b9d6627e7bc295dcfd00937980d2d56cf9e6c166b5bce955544de2

Filesize: 1KB
MD5: 35a826c9d92a048812533924ecc2d036
SHA1: cc2d0c7849ea5f36532958d31a823e95de787d93
SHA256: 0731a24ba3c569a734d2e8a74f9786c4b09c42af70457b185c56f147792168ea
SHA512: fd385904a466768357de812d0474e34a0b5f089f1de1e46bd032d889b28f10db84c869f5e81a0e2f1c8ffdd8a110e0736a7d63c887d76de6f0a5fd30bb8ebecd

Filesize: 1KB
MD5: 211da0345fa466aa8dbde830c83c19f8
SHA1: 779ece4d54a099274b2814a9780000ba49af1b81
SHA256: aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512: 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Filesize: 25B
MD5: 8ba61a16b71609a08bfa35bc213fce49
SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Filesize: 135KB
MD5: 6186dfce4f8891e93afc29cbc0148807
SHA1: d1470208747bf1d1772c48236624a4cf8e3ae052
SHA256: 647eea2da1997b42aa38715f5cca62ba0ec4e58b878fc35c7399d6961d5998e5
SHA512: 82ce5eb7fa18dd009666744b5a0c657821d6f98ac418b0941d9e442592efd7638e09b1fd70f8c98ffcf11eda1b0efe84e0c09ac2b0b067501754b292e55e8ac5

Filesize: 135KB
MD5: 64ca89c0c0e10a67a2c6b722c638e209
SHA1: eee21c4b6973480f8201b0acdc51ddf281280b23
SHA256: a70d1c8e0125e21505bb4c2efbea3847d9f3e340260dac0e0ec46c10b5a4295d
SHA512: 09914fcc73dd7bd261cb501a8b9ee9ff2e0cf90a19d07c40ba77e96947ec91bc8bc83e6425f238f463abac1ffa28457d28665c78a7faeb913e619c751ad378b3

Filesize: 1KB
MD5: ee4aed56584bf64c08683064e422b722
SHA1: 45e5ba33f57c6848e84b66e7e856a6b60af6c4a8
SHA256: a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61
SHA512: 058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Filesize: 112KB
MD5: 1c2157c36aa89e621af030196c6d642e
SHA1: 58edda2778b377e62e93e1894c9ebef741d3f6a0
SHA256: 325f5be275552fa13baa6f87566837b775296ca3ae234a500aa8b0b7fee2972f
SHA512: ca19cee374b8d07230a094f669d0820eb5130f391f51c580cff75df3f6b8fa79e15530be8c5b3f125c71e18bd7b7d3e8dcdb687102bc1d02f4c654d23100f6b6

Filesize: 152KB
MD5: b744c2f6d077ef81959c3b0d61eb6c20
SHA1: 1ca4bfd15c04ea31ce535415eb5f35547d3a70ea
SHA256: 6e04a16aef4aa4f65fc956514320d59ff781ffa63416a9af6b4a595e27a773d4
SHA512: 5ece5e3c9fb0f470bcd74cbaad7ce71841f0ee2c38cfaf3f8cc2d4fbedde09b64df4c830f786f50ca679ea93902b59bece42527ccd39854df58b520811f31e6e

Filesize: 131KB
MD5: 9f1001bb2c021352afbfe4fc7f4ae9d8
SHA1: 3360efebeabea3cb45088df1519f2e500a4f78d0
SHA256: e961d9b70ecd531628ae0c444643592f653abdb47a6fad724521d4de4e5c294c
SHA512: d1bdded562a5069a8688785c13b443d9e1308fc128655a0748972bee16be220edb6863dcf2ce055860410e1229d598f688640297771b7f8c9b5d0765fb237880

Filesize: 29KB
MD5: 2da1c6a78a157228f3e90d1ac8fc14f8
SHA1: 3fe13d30a24fdae2b9444a6f44c0c974d313b31d
SHA256: 4c24d391afffd5a0e2eeff21e10152c348cd17dcdd132d8591d2eebb5b8734d7
SHA512: aa42b467116aef6e036c84c8329c4bce059099321680e6c994ae1aebd13ba25b3ac59e33ada879853a3f6d331bbd5542537a6a51ae3b035c257e143568e2d201

Filesize: 320B
MD5: 160931bf435887d8320cc453722e8ef2
SHA1: e752fb820b7f6266bb2a864ae767c935c59f64d8
SHA256: d4a2fe4adb3cb1039d89c5469a369ee9cd35200c6b090e2de88d4732237d1348
SHA512: e78725e39317e25bcd72c13191bf5c9972cfe964f8a94b14e9d7357217e33ad3803f515eee49bf1d11ed26a4d4f2e16548e9c177f3fbc41348cf77f346bf2e32

Filesize: 320B
MD5: 03aaaf4ed319d6af621e4b52e242c202
SHA1: 87112402a59916426100670d8b72d82668e4f032
SHA256: db2dc20580522558816e278a109c0e073500308f909bae9622e2c470def2921f
SHA512: a81a3b2c6964bb4b72894888b3e7703dfe547089f02fa41f0139314fdbfaa7a30d97e7978c843cc9e79ffd9a23b7779a9c17d23c959a7c7e9b802ab077fc2670

Filesize: 320B
MD5: 88acb459609a541b919bc712ce09a25f
SHA1: e5169584f9c3185785d7b5063434ff26e1395ff9
SHA256: a8ddd6fe8f41a3da297d45051c03010fc80a18396dfe6caacc22cfa22fe2dcd5
SHA512: 42399c841b475b647de214c63441957c03202cdfc37f9c6dc96a7091ebded113806ef7e804a951f3dac38ce75a208f6c07791be495d125639de5aea0edf8c13b

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 8KB
MD5: b0fe74719b1b647e2056641931907f4a
SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2