f80ba72a33fe8ffe1a2e06f6f94ca37c1a264451af416e43b2420d2ddfbbdd5f

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f80ba72a33fe8ffe1a2e06f6f94ca37c1a264451af416e43b2420d2ddfbbdd5f.exe
Size

29KB
MD5

e3e368cc18b137994b353d98f084d306
SHA1

b3dbd2c82ec5ff3d2666809c0a71c181302aa78e
SHA256

f80ba72a33fe8ffe1a2e06f6f94ca37c1a264451af416e43b2420d2ddfbbdd5f
SHA512

7f2004bf10c5c3d033ea2e640b72103d177c171f1cef04beae4a77c611e43417cb2f20d30c5f97758c512ce111c0d7b61d647e7e48a95dd06c23e6be264dc845
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/II:AEwVs+0jNDY1qi/qv

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

3676 services.exe

pid	process
3676	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1760-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/3676-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1760-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3676-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3676-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3676-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3676-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3676-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3676-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3676-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1760-42-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3676-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmp8625.tmp	upx
behavioral2/memory/3676-166-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1760-163-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1760-261-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3676-262-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3676-266-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1760-270-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3676-271-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1760-328-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3676-329-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1760-478-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3676-479-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f80ba72a33fe8ffe1a2e06f6f94ca37c1a264451af416e43b2420d2ddfbbdd5f.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	f80ba72a33fe8ffe1a2e06f6f94ca37c1a264451af416e43b2420d2ddfbbdd5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

f80ba72a33fe8ffe1a2e06f6f94ca37c1a264451af416e43b2420d2ddfbbdd5f.exe

description	ioc	process
File created	C:\Windows\services.exe	f80ba72a33fe8ffe1a2e06f6f94ca37c1a264451af416e43b2420d2ddfbbdd5f.exe
File opened for modification	C:\Windows\java.exe	f80ba72a33fe8ffe1a2e06f6f94ca37c1a264451af416e43b2420d2ddfbbdd5f.exe
File created	C:\Windows\java.exe	f80ba72a33fe8ffe1a2e06f6f94ca37c1a264451af416e43b2420d2ddfbbdd5f.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f80ba72a33fe8ffe1a2e06f6f94ca37c1a264451af416e43b2420d2ddfbbdd5f.exe

description	pid	process	target process
PID 1760 wrote to memory of 3676	1760	f80ba72a33fe8ffe1a2e06f6f94ca37c1a264451af416e43b2420d2ddfbbdd5f.exe	services.exe
PID 1760 wrote to memory of 3676	1760	f80ba72a33fe8ffe1a2e06f6f94ca37c1a264451af416e43b2420d2ddfbbdd5f.exe	services.exe
PID 1760 wrote to memory of 3676	1760	f80ba72a33fe8ffe1a2e06f6f94ca37c1a264451af416e43b2420d2ddfbbdd5f.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\f80ba72a33fe8ffe1a2e06f6f94ca37c1a264451af416e43b2420d2ddfbbdd5f.exe
"C:\Users\Admin\AppData\Local\Temp\f80ba72a33fe8ffe1a2e06f6f94ca37c1a264451af416e43b2420d2ddfbbdd5f.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\searchKDK9NICT.htm
Filesize
178KB

MD5
5a10eef3289bbb902e41c167478d6e03

SHA1
182bf866619e72d5a78aa5a095abfd8759460d32

SHA256
1bc392aca61d5fb879aac6170c1ea3434e377e10463a2cffb7cbccbd7be56492

SHA512
0c2a8a58650f28c1dcbfa864e0e6e23c73c200ae7e635199144404d01d53245616d59984b1f433f82d3a08b1a4f13e647082a046cf2831cef506b4175743f4b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\results[4].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\searchGPJWDTGY.htm
Filesize
150KB

MD5
96787f253825efff1c695fe43cecb805

SHA1
bdd9e204012822a2106ad32b2065c5b34ab98916

SHA256
f85791805b27704325e883edd6de5d4bbb7d4212ff1d404c8e47bf5a9179ce54

SHA512
97768b2b7e31e38c6bcdd1fc20ec31a62134cc2fb9bc2d53ceac885046cf68be8b4846ef6ebd01d3b3ea1f82bedad56f1e36eb7c32d855e74707d54c16d1509b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\search[1].htm
Filesize
136KB

MD5
4be50e49ae91a4622e0c1ea57f13d42e

SHA1
982f8c7f074435d34015782b64f8e578734965cb

SHA256
6e614d7c391f82cce582642d9e166fd61742409039388061d6475f26447a3eed

SHA512
2c07aced2e092cbbffcf206aee82bc3f6938de4de2d96eb6ef5c62610b2fa19d0075616b18608abbd2c96a66fbb769349984068430fb194acb0dc8d7dfe1f7f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\search[3].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\searchVMJAZ8NQ.htm
Filesize
157KB

MD5
29ac5e06819a0d77960c82b3ed6c05b5

SHA1
538971a961e7e0ded8b702498a44b51b680be524

SHA256
111843216d3a5bf5d7d72b1e94a6fd9fdace48a3eaa4825f2c7750debeea909e

SHA512
d878404e29896a47216291c3aec959eeed79190b80172a4f365d44e916193a7afe884eca9bf15f52be8d81bdaf422277ce307a6975e0afb531b5d4b0b9618733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\2AO2CGUD.htm
Filesize
185KB

MD5
fb0923715292b47a8e405993c129c627

SHA1
6a4a82032ab5d3e6015a6b24ef08094cd53eb19b

SHA256
d39d0e4dc8ede54b9bd0c73f2253f52fd5f3fec68525737b981af50ad3276d52

SHA512
ea7e5e5b35d46daafdc124331255920536f3e206b80c29a24758b7d836063d25dd0d97745524df57647f8b85d92cc34d3e2155d59a5b4f5038f2d6fb54a80250

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\search[2].htm
Filesize
142KB

MD5
75f74bd3370e067adcbe880748730019

SHA1
50740826b65e4e93816e89138b5129ae83577db6

SHA256
9a00fd304b6f6de56a644daff264cd0f7a73a910a261e16f122e0326b5a331d2

SHA512
c20c5983afe80f8c92b6a5a5d6135d89b74a8cf226c7b5764d4a872dd4e85cecbcc4a74ea23c164dd8f49358da7cd048a546a945f9cdc61ae58eaee9b9095a5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\search[6].htm
Filesize
130KB

MD5
ae6fed4feb817fe68e795c93e6495312

SHA1
336fd156401a3dbfcd0857ec7374d6b21b5e198a

SHA256
045fe9792caa2fc232e7808a595d00222d2b0ceb89d9f8a2b8321b0fead2ed69

SHA512
985a9138407605ee5edecce327659c785357902df38d174d0f06ad2756118fb1944bce88f82b14343c6988d348521c18bddee3c9aa405e6e4da160e1ae60cfdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8625.tmp
Filesize
29KB

MD5
cbd34fce9f820da7a04ba7ee7d63194a

SHA1
d49a8fac0ff1f99b5c33907467c9d059a02291ef

SHA256
b5aedaad142c72c9a883cbc14f5356aaace479c66180c984413adf8882606c4d

SHA512
ae7728f6b3629f101e24258e107afa30a698b366ea2cbffaa29db58da38a5dc94d71c33c99d8fb301744322cbf8c3eca0e68ebe9334eaad6642bc666d024e983

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
352B

MD5
a07fe74fa17879784dad41df7614452a

SHA1
82c2bced1b1a76e072c0a9110c54707f1d167bfb

SHA256
a13f64c8495a05106f1616899d8f64fb77f64d3be263eca821f07c7fe551e891

SHA512
5263cd36b728dd4be2a8662ac6cd1d89979264112a63475460902da7e4fb78ff0ddb16d0e34ff69dc0826e80de861f4c850a85565de6498582ff6c37703da68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
352B

MD5
66c3dc2d6a6c6b872e5ecddc201e66e7

SHA1
caf445300d9d26b885e850a24484f8b03895fede

SHA256
4af0671189068bea250d1efc11b8dda456acef71cf6621c9cdbb8e7c3c2caeb0

SHA512
c4e3e9f807f7a5485317f6219e3f8b8c791d020851319c506e8115cc26d5799d8ddd72348d1f81cb059184f8de826aae1058fe9fbb23bbbfccd609c796b2bfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
352B

MD5
8619a7cfa78ca7cfd524309f2bc1f2ca

SHA1
b47a1cca3ebbcc5e63aee87d66559bef59efb1a5

SHA256
d35f50ed55d74574c95c83bb3632a47ac282cc0ea318a5365b16fd41370a96dd

SHA512
ecb43047c3b4fe98c39989decbedd2825bb00a1abfe0f5f2a5e5badec9ea8338e72caef065b807d6f5be7795f5e8fb1feb179a97aa237d7b2d4618d695b2fb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1760-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1760-261-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1760-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1760-478-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1760-42-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1760-270-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1760-163-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1760-328-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3676-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3676-262-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3676-266-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3676-166-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3676-271-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3676-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3676-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3676-329-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3676-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3676-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3676-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3676-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3676-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3676-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3676-479-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download