Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-06-2024 18:37

Behavioral task: behavioral1
Sample: 0f8db12ba51e84834cd5a147e8e8b2fb06bc79f9a8a696ad85c85941e2adef47.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: 0f8db12ba51e84834cd5a147e8e8b2fb06bc79f9a8a696ad85c85941e2adef47.exe
Resource: win10v2004-20240226-en
General
Target: 0f8db12ba51e84834cd5a147e8e8b2fb06bc79f9a8a696ad85c85941e2adef47.exe
Size: 29KB
MD5: 359e1cce5845e148109b9de5ee42a507
SHA1: cb9541de607e7c136cf80be1c4640c8774c90c89
SHA256: 0f8db12ba51e84834cd5a147e8e8b2fb06bc79f9a8a696ad85c85941e2adef47
SHA512: 01806a27d1ec34635cfe9e851589c1a3a855b9d9fac3e795504b588f28f08bd82fbbf760e39ad717d6f7a7d40ec98ddad5e91cd0fe565bc12adfeec17c6f55dc
SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/o:AEwVs+0jNDY1qi/qg
Malware Config
Signatures
- Detected Microsoft Outlook phishing page
- Executes dropped EXE (1 IoCs)
Processes:
pid | process
628 | services.exe
- yara_rule upx: matches in the memory dumps of pid 1596 and pid 628 (behavioral2), in C:\Windows\services.exe and in C:\Users\Admin\AppData\Local\Temp\tmp75B.tmp
- Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: services.exe, 0f8db12ba51e84834cd5a147e8e8b2fb06bc79f9a8a696ad85c85941e2adef47.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | 0f8db12ba51e84834cd5a147e8e8b2fb06bc79f9a8a696ad85c85941e2adef47.exe
- Drops file in Windows directory (3 IoCs)
Processes: 0f8db12ba51e84834cd5a147e8e8b2fb06bc79f9a8a696ad85c85941e2adef47.exe
description | ioc | process
File created | C:\Windows\services.exe | 0f8db12ba51e84834cd5a147e8e8b2fb06bc79f9a8a696ad85c85941e2adef47.exe
File opened for modification | C:\Windows\java.exe | 0f8db12ba51e84834cd5a147e8e8b2fb06bc79f9a8a696ad85c85941e2adef47.exe
File created | C:\Windows\java.exe | 0f8db12ba51e84834cd5a147e8e8b2fb06bc79f9a8a696ad85c85941e2adef47.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 0f8db12ba51e84834cd5a147e8e8b2fb06bc79f9a8a696ad85c85941e2adef47.exe
description | pid | process | target process
PID 1596 wrote to memory of 628 | 1596 | 0f8db12ba51e84834cd5a147e8e8b2fb06bc79f9a8a696ad85c85941e2adef47.exe | services.exe
PID 1596 wrote to memory of 628 | 1596 | 0f8db12ba51e84834cd5a147e8e8b2fb06bc79f9a8a696ad85c85941e2adef47.exe | services.exe
PID 1596 wrote to memory of 628 | 1596 | 0f8db12ba51e84834cd5a147e8e8b2fb06bc79f9a8a696ad85c85941e2adef47.exe | services.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\0f8db12ba51e84834cd5a147e8e8b2fb06bc79f9a8a696ad85c85941e2adef47.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0f8db12ba51e84834cd5a147e8e8b2fb06bc79f9a8a696ad85c85941e2adef47.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\services.exe
    command line: "C:\Windows\services.exe"
    - Executes dropped EXE
    - Adds Run key to start application
(depth 1) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
path | filesize
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\results[2].htm | 1KB
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\search[3].htm | 25B
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\search[6].htm | 153KB
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\RJH6BHDA.htm | 175KB
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\results[4].htm | 1KB
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\search2ZBKTLOX.htm | 112KB
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\search40X798RC.htm | 133KB
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\searchH5MXV83F.htm | 141KB
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\searchJGJLUELI.htm | 137KB
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\search[10].htm | 133KB
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\default[2].htm | 312B
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\searchC1ODVD3W.htm | 158KB
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[2].htm | 138KB
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[3].htm | 141KB
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[6].htm | 130KB
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\search[9].htm | 148KB
C:\Users\Admin\AppData\Local\Temp\tmp75B.tmp | 29KB
C:\Users\Admin\AppData\Local\Temp\zincite.log | 352B (four captures)
C:\Windows\services.exe | 8KB