39e7d258a6f1dc38e7a3715788be486cb78c774a3db59c41e3e7a1d2048c8db9

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39e7d258a6f1dc38e7a3715788be486cb78c774a3db59c41e3e7a1d2048c8db9.exe
Size

29KB
MD5

2e44355a41c2cf29f749f39907916170
SHA1

2f77500d21ca488077ee29d55f2b0e3a454ecdc1
SHA256

39e7d258a6f1dc38e7a3715788be486cb78c774a3db59c41e3e7a1d2048c8db9
SHA512

7432c98e0aed021ec47645df1e1da4c1b1ada7a99c7e291d97efe506c135e8c71c95062113b5e0928fc36e8ef9a29da0500ea0881783119a3b6ed51983f1828d
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/+:AEwVs+0jNDY1qi/qG

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Executes dropped EXE 1 IoCs

pid	Process
2760	services.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2996-1-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x00080000000235ea-4.dat	upx
behavioral2/memory/2760-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2996-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2760-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2760-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2760-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2760-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2996-30-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2760-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2996-35-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2760-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x00090000000235f6-46.dat	upx
behavioral2/memory/2996-174-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2760-175-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2996-228-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2760-229-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2760-234-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2996-235-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2760-236-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2996-257-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2760-258-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2996-261-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2760-262-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2996-334-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2760-335-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2760-343-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	39e7d258a6f1dc38e7a3715788be486cb78c774a3db59c41e3e7a1d2048c8db9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	39e7d258a6f1dc38e7a3715788be486cb78c774a3db59c41e3e7a1d2048c8db9.exe
File opened for modification	C:\Windows\java.exe	39e7d258a6f1dc38e7a3715788be486cb78c774a3db59c41e3e7a1d2048c8db9.exe
File created	C:\Windows\java.exe	39e7d258a6f1dc38e7a3715788be486cb78c774a3db59c41e3e7a1d2048c8db9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2760	2996	39e7d258a6f1dc38e7a3715788be486cb78c774a3db59c41e3e7a1d2048c8db9.exe	89
PID 2996 wrote to memory of 2760	2996	39e7d258a6f1dc38e7a3715788be486cb78c774a3db59c41e3e7a1d2048c8db9.exe	89
PID 2996 wrote to memory of 2760	2996	39e7d258a6f1dc38e7a3715788be486cb78c774a3db59c41e3e7a1d2048c8db9.exe	89

C:\Users\Admin\AppData\Local\Temp\39e7d258a6f1dc38e7a3715788be486cb78c774a3db59c41e3e7a1d2048c8db9.exe
"C:\Users\Admin\AppData\Local\Temp\39e7d258a6f1dc38e7a3715788be486cb78c774a3db59c41e3e7a1d2048c8db9.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4036,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3808 /prefetch:8
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FUP7PRY6\5X3A7WGE.htm

Filesize
185KB

MD5
dda06cf943467c5744768fd49b1d8bfc

SHA1
f3ffd209f3e4b49ea427ca9313e2f57999fe2e8a

SHA256
087bb8e93a82fc19714024d21f08ee617bb9c844e562cde9ebb170b67fcb02bc

SHA512
895427f7c16219158eb4d33f3d500a00b496aeb44ce5dca87ddf2e764be768c485c2f715c6bedfc3a1d5525be94445b9046a0165b2459511a8dec0c57c71738c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FUP7PRY6\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SYNNS6ZU\search[3].htm

Filesize
141KB

MD5
bdc6069367425293b1fa886b168dd2f0

SHA1
d07ba973884746f1296e633148745a8c4149050e

SHA256
b3d64a801df766dc9eef0ddaa66c5a8d8f15d86b476810bcfdadc8ab953e2d36

SHA512
f89c6b5b1721c3c3a3d885c11a3f379e8d966af25a67a0442510455c9e63028301278479a6adff32a2bdb4a741c7ce7a540449e2c85c42b970934b55cd8332e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SYNNS6ZU\search[6].htm

Filesize
142KB

MD5
4846f1018a21759f7ee7ec5c06ca4381

SHA1
b41bf45930530ca0be87fa0f25312296bea9ae4a

SHA256
7878b74d8fcbca0e5cf6a3bf61f7681115b28fd46a2473704c1b0e92088a3818

SHA512
01cc87378718589d387b700ac0d93c1291aef50a3e6222c5819010107a3285c9dd47928a2c6e7b7c0d2e7389dec0c52647587f84c92c31eaece6ac802a967e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF4F.tmp

Filesize
29KB

MD5
c9ccdd2ed9dcbfeca3273f8d934de6ef

SHA1
c01b06fa85b3ee02c38fa9961f34dcd20cc33f71

SHA256
599d613221fce5d031e586409cf07cf268ad355a980398086fa18d66f578b4cd

SHA512
ebe2ef2a907f7ee07155929b2303a9ad4b797e45d9de9f141cf8df4a996f694360d40d29d571d753794d1b04ae24230c6f03285f17d9a9c3ac27cbe6dd46d637

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
ae03de657136a1b6d6102be63174ab5c

SHA1
b0c4c2c0586ef2c780c5733ecb5a9ca6217ebea6

SHA256
808ac484b9c242095bd34439e645ef8a0d3de20622cebcb88b4990560fc4872b

SHA512
9d1bafc02e3c47fbddc616950350e0e0f09d2390dee865edf6ca4ee1005521e79b7d01b2f4b2a5546c8a8f860d7f7d508c36118e0e511541c3c3c4f4dbe2960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
45f1ac78f534491ee386aadaa8993f51

SHA1
1d0d13c461c455ab316c10e2a9870b80469b58eb

SHA256
070e2df38749bd3401faaaa692fc62a463bf09703e3f858c971000423f37565d

SHA512
7184a8e5e6a6f06deec992aae11ea0d53644bada851ae5bfb6d5a65645dce216e56e2409e9c9bc070abcf33211615ff3fb180f72817ac7dcb2a8b1f4375353c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
e67779302db8ac31346fe7a58f0e61f3

SHA1
41cdc2f698137fd077826c0262f6d2a0d6508ca4

SHA256
ab81a34233a4cf8618b890e8c336760f176d8c824b7c87e5d061d8a4f469395f

SHA512
92f0ba880b20f492c4ca9dec5e99bff03a3e563818532fbaf440dad017fef6c234328a3dc2a46766b64905d2d0f0d0460ed5ac1a4d22f0549d7f1f902b116670

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
7dc6c8af045540dbc67ce6c1ea6889a0

SHA1
3a082883b3a884279d105f8af54c12f17eb5a5bb

SHA256
a1953b9ff63c6ab6f75b52b93b204cd5324f3b5acc3313442158d81c17614a93

SHA512
fd5574d79ab1ad8476f81114918700b81a21303b8fb4e9200121a51815c5dc46b30870d03aa2db94a5b966b2a88b517257ba12250bf54dd222791e57a3c2531a

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2760-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2760-258-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2760-335-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2760-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2760-343-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2760-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2760-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2760-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2760-175-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2760-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2760-229-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2760-234-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2760-262-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2760-236-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2760-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2996-30-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2996-257-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2996-261-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2996-235-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2996-228-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2996-174-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2996-334-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2996-35-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2996-1-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2996-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads