Malware Analysis Report

2024-07-28 10:40

Sample ID 240614-zdxbnayenk
Target 3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69
SHA256 3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69
Tags
microsoft persistence phishing product:outlook upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69

Threat Level: Known bad

The file 3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69 was found to be: Known bad.

Malicious Activity Summary

microsoft persistence phishing product:outlook upx

Detected microsoft outlook phishing page

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 20:36

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 20:36

Reported

2024-06-14 20:39

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe C:\Windows\services.exe
PID 2184 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe C:\Windows\services.exe
PID 2184 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe C:\Windows\services.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe

"C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.0.2.15:1034 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.185:443 www.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 185.83.221.88.in-addr.arpa udp
N/A 192.168.2.14:1034 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
N/A 192.168.2.106:1034 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
N/A 172.16.1.108:1034 tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
US 8.8.8.8:53 acm.org udp
NL 142.251.9.27:25 alt1.aspmx.l.google.com tcp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.11.13:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 search.lycos.com udp
US 8.8.8.8:53 search.yahoo.com udp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
BE 2.17.107.235:80 r11.o.lencr.org tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 www.altavista.com udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 235.107.17.2.in-addr.arpa udp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 hachyderm.io udp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 aspmx.l.google.com udp
NL 142.250.102.26:25 aspmx.l.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
N/A 192.168.2.15:1034 tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
NL 142.251.9.26:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 acm.org udp
US 8.8.8.8:53 cs.stanford.edu udp
US 104.17.78.30:25 acm.org tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 65.254.227.224:25 burtleburtle.net tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 75.2.70.75:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 alt3.aspmx.l.google.com udp
SG 74.125.200.27:25 alt3.aspmx.l.google.com tcp
N/A 192.168.2.17:1034 tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
FI 142.250.150.26:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 mx.acm.org udp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 8.8.8.8:53 mail.acm.org udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 smtp.acm.org udp
US 65.254.254.52:25 mx.burtleburtle.net tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 mail.gzip.org udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 85.187.148.2:25 mail.gzip.org tcp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 52.101.42.7:25 outlook-com.olc.protection.outlook.com tcp
NL 142.251.9.27:25 alt1.aspmx.l.google.com tcp
N/A 172.16.1.4:1034 tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
FI 142.250.150.27:25 aspmx3.googlemail.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 mail.burtleburtle.net udp
US 65.254.250.102:25 mail.burtleburtle.net tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 smtp.gzip.org udp
NL 142.250.102.26:25 aspmx.l.google.com tcp
US 8.8.8.8:53 outlook.com udp
GB 142.250.187.196:80 www.google.com tcp
US 52.96.172.98:25 outlook.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 alt4.aspmx.l.google.com udp
TW 142.250.157.27:25 alt4.aspmx.l.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
N/A 192.168.2.105:1034 tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp

Files

memory/2184-2-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/1444-7-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2184-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1444-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1444-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1444-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1444-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1444-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2184-35-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1444-36-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 3a26423b4c938e863f6deb60109be3f1
SHA1 60769e264d2d73200bd4e588d518b47a41ea2451
SHA256 259daaf812597c5d0debd3aa204c2f6112c17de4d2789ae1e06c29cf676fc8c1
SHA512 8b227209f100c51ce1750de9bab0dd15e788256b29ffa949959c840d4ea283c7e553652bebf028a1b6c2ab0b09b60c0405b282f5b815a7c153e9b7407881cd51

C:\Users\Admin\AppData\Local\Temp\tmp3F68.tmp

MD5 b4c3367e01207a6d40e969d55d52e910
SHA1 8f7fc2bb0ad88831429e92c64fbc92db6529379f
SHA256 a6c76a77d8f5b78024858a0240af081cdb39fb1ee9a14263c8a18930d2f177b8
SHA512 2b34fc215b5d7ec375c1a676647a84a8e8adec851221dc0599d05ad5aa1d646b7d5e28ded96e186fd30b0ed6c686a06a87379d922f66a287b5a5aec32e70d3e6

memory/2184-105-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1444-106-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\search[3].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\FDCPBF4V.htm

MD5 14b971add79ef12dbe16fc32df1770c4
SHA1 6aaf0bfc83205c1f7b6536f63cf5f8db81bc994d
SHA256 fba2f020fde28ce68448a4d961eb88426e6445bdc6d9be310ce98c73edb8de1c
SHA512 8a34dded3f0b80be0af17e905735db593fd4f8cce3c305109563cdd6bf1352e2611f63d0cd392acdbf9d0830858946b6b1799000170c07ac6b7f10548c1ea386

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\search[5].htm

MD5 e744cdac3b83b2386aa5a89111f1ea86
SHA1 a817a935801d6efa9f11655c660bf572d052b4db
SHA256 94b06123c9fbe480baf55a3bc1b8a201750362a6323f36fcbb0af813b0205352
SHA512 f044dc73f690f1a04842fb3abbb15cd40b10c44014075d701a9cecc176483d33c9620144168bc42d93d570cdf25e2bd30da2c3baac2c236690eb3e8d9c186659

memory/2184-219-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1444-220-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2184-224-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1444-225-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1444-227-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 17539ad0a758d88fdf5b78db150dc52b
SHA1 2cba21d46d57ec05d8c72a55b6beefa0098e062a
SHA256 4d18c14581af9b3b7d72c280dec5eb63e448302a72f309a259d6f943b0ea353b
SHA512 169b89c1b3a33e432e431db02c4dcfadf8bb8136ba36d76bf4724ec7cdd0159cdbafb8a29ab5285ff5e878e88864df69b8d2aff039e192317aa68071f3c8260b

memory/2184-240-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1444-241-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2184-252-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1444-253-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2184-254-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1444-255-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 195b5239d082b93590b9f4c13b419fb7
SHA1 eb61256c0cdf2fb7eeefa5c0aa2f545c8f51cc31
SHA256 024810e18bc56698ed1efceaafa688f4800263ad511b9bcdd0a775366fce4774
SHA512 daf683e56085c50e8213897dc7b9bc04a94de4d481c8f5dbc8ebae24c5f3ab0ab521390beb4284bc741355aa1b0bb15067099d4cf6a189b152a58227de850717

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\results[3].htm

MD5 ee4aed56584bf64c08683064e422b722
SHA1 45e5ba33f57c6848e84b66e7e856a6b60af6c4a8
SHA256 a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61
SHA512 058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

memory/2184-371-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1444-372-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\search[4].htm

MD5 2f5258bb2d1cf146f94689e802f4e72c
SHA1 f65c33c866f2468a2fbbbb6a4186e79e1f9db8d8
SHA256 f8c27fc71d42a09e525851c44941ac36c44f5e3dad012d1f0f5785afd69924f4
SHA512 5da436aecd08b6428f2b5294757289edcb65549621176a9359e885d51bd9419568744bf4caf86b19f467b7bec9385dff5e2d63f0fc164a47d26b0a495b7b6e6f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\results[4].htm

MD5 211da0345fa466aa8dbde830c83c19f8
SHA1 779ece4d54a099274b2814a9780000ba49af1b81
SHA256 aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\search[6].htm

MD5 b2c5942737c03821ee7fc48b2a2a6003
SHA1 d7d9d6df712f9a00e506df97a1e613981a8a0f28
SHA256 0e6082eb1d69f57d78e143364edf65d90d63fc82794c0c33c08c6732b87891c3
SHA512 992d5b6494ce4c6384b28eb442fac8adefda7862bd7cf16bdd3704ae168513405664244fb32043468680b260767ca9f25b34e28497c60a1cc46309c1eb69ef09

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\search[9].htm

MD5 1125d7464f3934c3216582a7fc836d56
SHA1 422068828de1e4a4dfb26acd78c8d6515a3b0bad
SHA256 59d6ff95ecda68e0e40c94de8dbeee3a9206bb32f0f41a9c4ff214b0db8e7150
SHA512 7a9820c789db59c2ea3bca093bc12a7e8f0317868a0fdcf9902385be406e95a1bd6ad403088e3327c76047586eacbbd3501e22f6096e2f2b7d8977369f55155c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\searchR5TBGDR0.htm

MD5 5964b26ad6ccd6b15795b40a386eed64
SHA1 85922640c79e1fa53c90c9eace875915e592978f
SHA256 26d961263f77583a6320451e869375c8febff470ded88e7faec231aa49af3ecb
SHA512 0a84bb14113bf5e66dcd50a7ed48aae5fb0816017be32377860348fda6d9ba05a0fe27caca842b7a23bbd6bffe9f6e32791254771726882fddd56e5e5aa15728

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\default[4].htm

MD5 2a8026547dafd0504845f41881ed3ab4
SHA1 bedb776ce5eb9d61e602562a926d0fe182d499db
SHA256 231fe7c979332b82ceccc3b3c0c2446bc2c3cab5c46fb7687c4bb579a8bba7ce
SHA512 1f6fa43fc0cf5cbdb22649a156f36914b2479a93d220bf0e23a32c086da46dd37e8f3a789e7a405abef0782e7b3151087d253c63c6cefcad10fd47c699fbcf97

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 20:36

Reported

2024-06-14 20:39

Platform

win7-20240611-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\services.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" C:\Windows\services.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\services.exe C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe N/A
File opened for modification C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe N/A
File created C:\Windows\java.exe C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe C:\Windows\services.exe
PID 2980 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe C:\Windows\services.exe
PID 2980 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe C:\Windows\services.exe
PID 2980 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe C:\Windows\services.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe

"C:\Users\Admin\AppData\Local\Temp\3bb1d01d8427944159d76d41d570e0a03ac939945b207cf23630e642b0b13e69.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
N/A 10.0.2.15:1034 tcp
N/A 192.168.2.14:1034 tcp
N/A 192.168.2.106:1034 tcp
N/A 172.16.1.108:1034 tcp
N/A 192.168.2.15:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.194.12:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
N/A 192.168.2.17:1034 tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
N/A 172.16.1.4:1034 tcp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mail.gzip.org udp
US 85.187.148.2:25 mail.gzip.org tcp
N/A 192.168.2.105:1034 tcp

Files

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1856-11-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2980-8-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2980-4-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2980-0-0x0000000000500000-0x0000000000510200-memory.dmp

memory/2980-17-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1856-18-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1856-23-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2980-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1856-29-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1856-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1856-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1856-41-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1856-43-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1856-48-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2980-52-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1856-53-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1856-55-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2980-54-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 e8e960dc1f7e5272e75bbd55583fbd12
SHA1 4d57e9417e8341e42f00a4d1b6d959bf505911aa
SHA256 d1b5fab4805c88d5a6dcc539202bd62515a7f2247e05bf272beb207bdc6815a2
SHA512 312cbb03aa30a25ea8a83d35029912e6e2036249bea3a2a79652f705ff497f58cf79d22b30ab7043f67efdaface7ee43ea2d6d370d18adfdffb307dd622a35b5

C:\Users\Admin\AppData\Local\Temp\tmpE4C6.tmp

MD5 16d2cd900cae1f8d7a4af6ef0cb94272
SHA1 bc1e2414bf6c5da3976476ad518c59b6ba953904
SHA256 3d366d5eae64ebd39c4bab0c67a5d9057175d0a42dc51aa12df3f55dc302f06a
SHA512 497493642d1893d6cfb75458640f8b004d0834a66976cd41f93010c5d961ec5ceefe8ae05b9cb890fbee2400e65d72f490e234818b45c8c24b77695be59d03b0

memory/2980-75-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1856-76-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2980-80-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1856-81-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2980-82-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1856-83-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2980-87-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1856-88-0x0000000000400000-0x0000000000408000-memory.dmp