4f3be96253151669f8a9fecb689089261b845b52ea250b7addd47f27d09b5eb4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f3be96253151669f8a9fecb689089261b845b52ea250b7addd47f27d09b5eb4.exe
Size

41KB
MD5

f88e0fc96014be27c1e1cac4677637e9
SHA1

f6b1121f1252abb7998e8995c4282b4c3abb6248
SHA256

4f3be96253151669f8a9fecb689089261b845b52ea250b7addd47f27d09b5eb4
SHA512

a504ac9acfbfec594673ff66a929cf110fdb318b68cf22f49f100e4d9655ff535db770ba4a39d32df0b7866d61c140445f88ee403ef86c0b8421df6fcb7c669c
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

3076 services.exe

pid	process
3076	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3676-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/3076-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3676-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3076-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3076-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3076-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3076-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3076-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3076-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3676-37-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3076-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmp65F8.tmp	upx
behavioral2/memory/3676-141-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3076-142-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3676-272-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3076-273-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3676-274-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3076-275-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3076-280-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3676-328-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3076-329-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3676-361-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3076-362-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3676-365-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3076-366-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4f3be96253151669f8a9fecb689089261b845b52ea250b7addd47f27d09b5eb4.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	4f3be96253151669f8a9fecb689089261b845b52ea250b7addd47f27d09b5eb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

4f3be96253151669f8a9fecb689089261b845b52ea250b7addd47f27d09b5eb4.exe

description	ioc	process
File created	C:\Windows\services.exe	4f3be96253151669f8a9fecb689089261b845b52ea250b7addd47f27d09b5eb4.exe
File opened for modification	C:\Windows\java.exe	4f3be96253151669f8a9fecb689089261b845b52ea250b7addd47f27d09b5eb4.exe
File created	C:\Windows\java.exe	4f3be96253151669f8a9fecb689089261b845b52ea250b7addd47f27d09b5eb4.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4f3be96253151669f8a9fecb689089261b845b52ea250b7addd47f27d09b5eb4.exe

description	pid	process	target process
PID 3676 wrote to memory of 3076	3676	4f3be96253151669f8a9fecb689089261b845b52ea250b7addd47f27d09b5eb4.exe	services.exe
PID 3676 wrote to memory of 3076	3676	4f3be96253151669f8a9fecb689089261b845b52ea250b7addd47f27d09b5eb4.exe	services.exe
PID 3676 wrote to memory of 3076	3676	4f3be96253151669f8a9fecb689089261b845b52ea250b7addd47f27d09b5eb4.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\4f3be96253151669f8a9fecb689089261b845b52ea250b7addd47f27d09b5eb4.exe
"C:\Users\Admin\AppData\Local\Temp\4f3be96253151669f8a9fecb689089261b845b52ea250b7addd47f27d09b5eb4.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3076

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\searchXV7ILK93.htm
Filesize
112KB

MD5
110142c341e25ecc6b8d56a92f2bb697

SHA1
da0aef1ff90404699d768e46662a3a59cb97c306

SHA256
d7c8b135f4cff51b90588a758c422f2c0f6edf47248c2987b2b74786656ce064

SHA512
063b430750227ef288e0768050058323e417f92c9a93f6594e972789e393e3c41e330cb7a4230c2e8abe4fee30d64bbcdc615d8c2ea44266c6ed191608fc6975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\search[5].htm
Filesize
134KB

MD5
2bc91031d6ba4c53f9f291d412a507ce

SHA1
04ddfa59e2fbec0de09d2d4531c4437a0d56e4dc

SHA256
d917b029f7afd4e30dea3010fe6a5c610e034487a9bb62e80dec4da70a73fb94

SHA512
dd08c52f1b8c9544a041a4352893c119afd73a15ed4def2fd6cd087257d5c68bb9840072288f722ef5b0df12d2c476ca9f94efee649f69cca61dcefa37fa9eb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\R4GK86NZ.htm
Filesize
185KB

MD5
a64ee2018604953b2fea917dabcf7dd3

SHA1
59f770861ba0d2687a95047135567914d18c0338

SHA256
a6f682e815e6b2be9256add5d90d67db9b8ae2878e3198b36c06f15b80545711

SHA512
eb83e961124a6bbcb2202e30179c45f136d21a4fc2362da9fd720f3e6365268622833b49bc3e0462d87c2e9b54a8c4a4594f7038334f5210483d26f620cef684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\results[4].htm
Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\results[6].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\search[3].htm
Filesize
123KB

MD5
3cc7ac36cee8e3b2e3c9c0fb7c065b9e

SHA1
ed4b54b9e4aa0d68042644a1931da12e95aa3c8a

SHA256
928901fca2be61a81b851491b6bad7ab5b134e1175ce4080a1c01b7a3d119b87

SHA512
a6b24d271872648b790a4e7d376921baf39ff233fd4646fac1779c81accdbf7f25e16f823b494e3298621023d149915cba0e9c677d83d86ecd3c7154161989f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\search[10].htm
Filesize
152KB

MD5
9c4563ab5adccd3666b4ad29cc660edb

SHA1
6dc30f2f9fdd22f3f226a9ccf8d0327fbd41b8e3

SHA256
cfe95a894b12b238d2d8393a6c79f230d00a3dad490de96eec0928591a2cd8c8

SHA512
a59f0633b02c59a077909785a10c78aa67f513d10c02fb6e788dd1ebc84c5cb204f54fe9d75f5458aac38349bb512adc52951dd7a85e461731909b3865dc60b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\search[2].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\search[4].htm
Filesize
127KB

MD5
91bbef10bbe92136988fbd7c110ad239

SHA1
7a776332108add36c1ff66e33fac8d16af9d47d5

SHA256
1b3b50f63b06f4cc58c3c631301bbcd3760c6f8d5f8a59dd187886fc422f6eb8

SHA512
c7de3ce8c7de1a51eee2fbfc1b2f61dbeb74bcb418a2d666572f11f5df0d23bc5bce14d0a41dd78c5c651abbbad66e4a8318ab2eb0dcf089f52631fd723b6ab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\search[9].htm
Filesize
160KB

MD5
0fb6f0f3fcccb1251503e9df11a5a70e

SHA1
35f054ece679dd6f2b0844eb8bb6419bb5cb493a

SHA256
015e552ce88913b526c110b5dbc287b7dc8105945263e615ef012e2167ee4e25

SHA512
4d3244b62ec3e2376aef8710ec525ca4fa57572f06ec513b08de9ae370171ea9e1d03c60ea7f93c2cb9feb4e682d9b00327775fa033782f87fbc388c1b32f9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp65F8.tmp
Filesize
41KB

MD5
4cb5b02b29a833adc64afa31dcbcf3eb

SHA1
a2a195e3605d21b49804a28093784cf2265ab65d

SHA256
ff8d54b1693bce3875552ba6ea07ee4e201c51a3af6f2de7b55d05ec19f71293

SHA512
8b12e6fe43f842fdd52a04235d75c8fd8adb9cce58b16bae98cc67c97769b0fa4ef1d88eaeab0cd31dd7015679f3abc9f7f6032f2b7209fbfdd5c63ef4b2916d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
f9c62b868a0c994652bbb54775086ea3

SHA1
6a25d57d4576c5a27cc64d5da23945a074dd5430

SHA256
270b129e68ed6e8a8a42beb869e526de34153178af36d6f007b8d46655b3d6bb

SHA512
a82dc850f260af806715ae9e5782c1331bb679f462e99959656f72f9ee52ec787038a6d02e4b3b7b3d62ce575dee99a7b3318f223f3fb2f668fb783197c57baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
5de7007d07deb54d34366bf80c4665c3

SHA1
c0e52a1e56750cd904417c19e63f788aca4127d4

SHA256
d8e8c057e6a49de25c50ec6a5d22f56022c6da2888a0573a16710d8ff2d6c5da

SHA512
ffc79a9fce01b56f1690e6bdf24130ac150c3f561eb560daf4540e3cf2f58ff598e2dc0f438b442e9037ca2e358033d3092b4c7edd111f9e82e191ccb8b305fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
160B

MD5
d6297924d816cd7f026d7377c3c3440d

SHA1
d36b258299b22afeb2b2420c7d1d2d2b451d3b78

SHA256
2692029e198dce6bc5efa0312bff3098d55660af340dc5b4bebbc7806be8e211

SHA512
148d4422d92739d67cd1adefb328d85f6152927267c5518e0e5e8cfdc94142b19c937f0e7d673ae5acee399bb0060fdf39ad7b40044dcd752758bb5e0cbda3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3076-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3076-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3076-142-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3076-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3076-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3076-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3076-273-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3076-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3076-275-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3076-280-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3076-366-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3076-362-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3076-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3076-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3076-329-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3676-328-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3676-361-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3676-141-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3676-365-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3676-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3676-274-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3676-272-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3676-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3676-37-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download