Analysis
- max time kernel: 153s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-05-2024 18:47
Behavioral task behavioral1
- Sample: 0d294b7c8870d93d62545648ae64d0090bf7899907952b4d0513975a165330f0.exe
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: 0d294b7c8870d93d62545648ae64d0090bf7899907952b4d0513975a165330f0.exe
- Resource: win10v2004-20240226-en
General
- Target: 0d294b7c8870d93d62545648ae64d0090bf7899907952b4d0513975a165330f0.exe
- Size: 29KB
- MD5: e66c40554e68230d9ccabda317e35fc4
- SHA1: f45d915705ecdc01a2c3bc08301d937f4df95ca8
- SHA256: 0d294b7c8870d93d62545648ae64d0090bf7899907952b4d0513975a165330f0
- SHA512: 3e1d52bc7a3ad5bbb030b6d4d1ce0c8fe33b2b0daf0fefe66db693efbab2384a155a97bc0da993a4ffe154da494aad4186421cb6628e98c514a8d33b1dcbe75e
- SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9//:AEwVs+0jNDY1qi/qH
Signatures
- Detected microsoft outlook phishing page
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  - 4776 services.exe
  Resources matching yara_rule upx:
  - behavioral2/memory/5088-0-0x0000000000500000-0x0000000000510200-memory.dmp
  - C:\Windows\services.exe
  - behavioral2/memory/4776-5-0x0000000000400000-0x0000000000408000-memory.dmp
  - behavioral2/memory/5088-13-0x0000000000500000-0x0000000000510200-memory.dmp
  - behavioral2/memory/4776-14-0x0000000000400000-0x0000000000408000-memory.dmp
  - behavioral2/memory/4776-19-0x0000000000400000-0x0000000000408000-memory.dmp
  - behavioral2/memory/4776-24-0x0000000000400000-0x0000000000408000-memory.dmp
  - behavioral2/memory/4776-26-0x0000000000400000-0x0000000000408000-memory.dmp
  - behavioral2/memory/4776-31-0x0000000000400000-0x0000000000408000-memory.dmp
  - behavioral2/memory/4776-36-0x0000000000400000-0x0000000000408000-memory.dmp
  - behavioral2/memory/5088-37-0x0000000000500000-0x0000000000510200-memory.dmp
  - behavioral2/memory/4776-38-0x0000000000400000-0x0000000000408000-memory.dmp
  - C:\Users\Admin\AppData\Local\Temp\tmp3793.tmp
  - behavioral2/memory/5088-90-0x0000000000500000-0x0000000000510200-memory.dmp
  - behavioral2/memory/4776-180-0x0000000000400000-0x0000000000408000-memory.dmp
  - behavioral2/memory/5088-276-0x0000000000500000-0x0000000000510200-memory.dmp
  - behavioral2/memory/4776-343-0x0000000000400000-0x0000000000408000-memory.dmp
  - behavioral2/memory/5088-344-0x0000000000500000-0x0000000000510200-memory.dmp
  - behavioral2/memory/4776-345-0x0000000000400000-0x0000000000408000-memory.dmp
  - behavioral2/memory/4776-350-0x0000000000400000-0x0000000000408000-memory.dmp
  - behavioral2/memory/5088-351-0x0000000000500000-0x0000000000510200-memory.dmp
  - behavioral2/memory/4776-425-0x0000000000400000-0x0000000000408000-memory.dmp
  - behavioral2/memory/5088-496-0x0000000000500000-0x0000000000510200-memory.dmp
  - behavioral2/memory/4776-535-0x0000000000400000-0x0000000000408000-memory.dmp
  - behavioral2/memory/5088-601-0x0000000000500000-0x0000000000510200-memory.dmp
  - behavioral2/memory/4776-743-0x0000000000400000-0x0000000000408000-memory.dmp
  - behavioral2/memory/5088-783-0x0000000000500000-0x0000000000510200-memory.dmp
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" (0d294b7c8870d93d62545648ae64d0090bf7899907952b4d0513975a165330f0.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" (services.exe)
- Drops file in Windows directory (3 IoCs)
  Processes (description, ioc, process):
  - File created C:\Windows\services.exe (0d294b7c8870d93d62545648ae64d0090bf7899907952b4d0513975a165330f0.exe)
  - File opened for modification C:\Windows\java.exe (0d294b7c8870d93d62545648ae64d0090bf7899907952b4d0513975a165330f0.exe)
  - File created C:\Windows\java.exe (0d294b7c8870d93d62545648ae64d0090bf7899907952b4d0513975a165330f0.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  - PID 5088 wrote to memory of 4776: 0d294b7c8870d93d62545648ae64d0090bf7899907952b4d0513975a165330f0.exe (5088) -> services.exe (recorded 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\0d294b7c8870d93d62545648ae64d0090bf7899907952b4d0513975a165330f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d294b7c8870d93d62545648ae64d0090bf7899907952b4d0513975a165330f0.exe"
  PID: 5088
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\services.exe (child of PID 5088)
    Command line: "C:\Windows\services.exe"
    PID: 4776
    - Executes dropped EXE
    - Adds Run key to start application
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
  PID: 1128
Downloads