Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-06-2024 20:48

General

  • Target

    418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8.exe

  • Size

    29KB

  • MD5

    4d9f4342989827321199b81d8c3a18b5

  • SHA1

    057deee8b99e7c2b0d61f1706bed44fc93c4d9c4

  • SHA256

    418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8

  • SHA512

    2161d894bef9991a8840e9659f3196503299effdb450e97b8e3801eb5336030adbbe8b3a8f8205d4a9eb54f3ec793f99d79dcba14f85b684181014c14cb5d117

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Y:AEwVs+0jNDY1qi/qA

Signatures

  • Detected Microsoft Outlook phishing page
  • Executes dropped EXE (1 IoC)
  • UPX packed file (26 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8.exe (PID 1184)
    Command line: "C:\Users\Admin\AppData\Local\Temp\418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8.exe"
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • Child process: C:\Windows\services.exe (PID 4296)
      Command line: "C:\Windows\services.exe"
      • Executes dropped EXE
      • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 1

Downloads
