a92bb07a32545883dc65d5a6fdf46994bc15698ddea040d4a387944eaa036bcd

General

Target

ab9692d33f8a02495519df18c3a3a7de.exe
Size

40KB
MD5

ab9692d33f8a02495519df18c3a3a7de
SHA1

6418217c9fda319926f12a4774b481438977b8cd
SHA256

a92bb07a32545883dc65d5a6fdf46994bc15698ddea040d4a387944eaa036bcd
SHA512

674824b909632383574972c6ec71b95f92b67e174a2ece1adb1ee26975e7cd98c8ff1b19e7b74e60cbbeb5a6b27ce7e41466fa15e0a80424c7ad57fbfaf23a54
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtH/2J:aqk/Zdic/qjh8w19JDH/2J

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

3468 services.exe

pid	process
3468	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\services.exe	upx
behavioral2/memory/3468-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3468-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3468-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3468-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3468-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3468-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3468-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3468-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3468-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3468-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3468-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3468-101-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3468-237-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3468-261-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3468-264-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

services.exeab9692d33f8a02495519df18c3a3a7de.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	ab9692d33f8a02495519df18c3a3a7de.exe

Drops file in Windows directory 3 IoCs

Processes:

ab9692d33f8a02495519df18c3a3a7de.exe

description	ioc	process
File created	C:\Windows\services.exe	ab9692d33f8a02495519df18c3a3a7de.exe
File opened for modification	C:\Windows\java.exe	ab9692d33f8a02495519df18c3a3a7de.exe
File created	C:\Windows\java.exe	ab9692d33f8a02495519df18c3a3a7de.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ab9692d33f8a02495519df18c3a3a7de.exe

description	pid	process	target process
PID 4668 wrote to memory of 3468	4668	ab9692d33f8a02495519df18c3a3a7de.exe	services.exe
PID 4668 wrote to memory of 3468	4668	ab9692d33f8a02495519df18c3a3a7de.exe	services.exe
PID 4668 wrote to memory of 3468	4668	ab9692d33f8a02495519df18c3a3a7de.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\ab9692d33f8a02495519df18c3a3a7de.exe
"C:\Users\Admin\AppData\Local\Temp\ab9692d33f8a02495519df18c3a3a7de.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4140,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
1⤵
PID:4200

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FUP7PRY6\search[2].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SYNNS6ZU\PQSWXK4R.htm
Filesize
185KB

MD5
3c6f9a0773f808af479ca351bf0358cc

SHA1
b791a07d8814c158b9cba0c0b9cdcac89eb9626b

SHA256
00497bc1ba6c4b49768409290974815eb295813233af2261e3d5da30977148e5

SHA512
0f3da9ae8e0413afd6c722da03b3b68ea1a6f8ab1746b8d82d52ce52e086556dd339e32c6a5d7dde0543f92da36dff79c119e10ec6cdd031d659d44b02f1e186

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp78D2.tmp
Filesize
40KB

MD5
04a4899b5e7e10028ba6e38af34596e8

SHA1
6b2f4838c0919199b8a49bb4e80f9b80ce3ccd0e

SHA256
e6c07ff920690c17fc1addc10fd2aaa11aeadf42b052444d4feb31738140b0ad

SHA512
1d4f926518b3a7e763fd9d35f545eb9e308c22a04d67a10ce8bea0c95e3e54835aad0016e2373bf24f24b96bbd6bb14223c81d2f2906d3203a3ffc12ef9d8b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
50b22e06b8740ef1cbaaf0700e2da47c

SHA1
deec87c751dcb2cc029df040b7003af8d9a994d4

SHA256
1fb8cd47999c85460c53e5b3c2ba9e453d404d5e25fda124699709d493f79c18

SHA512
c5ce0736dee3755971a8a46f2705615bf2a6ebe70433595abe2e8da5eff22b2a7de990dbb8b63f691e95171dd467c5f3bb941625d14dd462fa74695bded0c6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
bc9035853fd05cb73ae1a48ad118e9e5

SHA1
ab1c2bc5f9a51df66b78c3ee4cebfe7db26a293f

SHA256
f08666268b0cb08a911cb6bdff710d67430ef394ecd23a04d05a14955e5e6746

SHA512
f615bf862e4f92fdb8226ad1ce0a0c41fa86d6c7d2876f4636d1a286bd379c2d6e3497a7b093edbe50ac8d466b1404dbba4c0a3c72a8ad030455339a95e2d4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3468-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-101-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-237-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-264-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-261-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4668-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads