Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-06-2024 20:48
Behavioral task behavioral1
Sample: 418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8.exe
Resource: win10v2004-20240508-en
General
Target: 418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8.exe
Size: 29KB
MD5: 4d9f4342989827321199b81d8c3a18b5
SHA1: 057deee8b99e7c2b0d61f1706bed44fc93c4d9c4
SHA256: 418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8
SHA512: 2161d894bef9991a8840e9659f3196503299effdb450e97b8e3801eb5336030adbbe8b3a8f8205d4a9eb54f3ec793f99d79dcba14f85b684181014c14cb5d117
SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Y:AEwVs+0jNDY1qi/qA
Malware Config
Signatures
- Detected microsoft outlook phishing page
- Executes dropped EXE (1 IoC)
  Process: services.exe, PID 4296
- yara_rule upx matches (UPX-packed code in the dropped files and in both process images):
  - C:\Windows\services.exe
  - C:\Users\Admin\AppData\Local\Temp\tmp69A2.tmp
  - behavioral2/memory/1184-{0,13,37,147,283,290,329,331,370}-0x0000000000500000-0x0000000000510200-memory.dmp
  - behavioral2/memory/4296-{6,14,19,24,26,31,36,38,148,284,286,291,330,332,372}-0x0000000000400000-0x0000000000408000-memory.dmp
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe", written by 418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe", written by services.exe
  Both values land under WOW6432Node because the 32-bit process is subject to registry redirection on the x64 image. Note that the Windows service control manager lives at %SystemRoot%\System32\services.exe; the dropped copy sits directly under C:\Windows, so the path, not the file name, is what distinguishes it.
- Drops file in Windows directory (3 IoCs)
  - File created: C:\Windows\services.exe, by 418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8.exe
  - File opened for modification: C:\Windows\java.exe, by 418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8.exe
  - File created: C:\Windows\java.exe, by 418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 1184 (418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8.exe) wrote to the memory of PID 4296 (services.exe); recorded three times
Processes
1. C:\Users\Admin\AppData\Local\Temp\418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8.exe (PID 1184)
   Command line: "C:\Users\Admin\AppData\Local\Temp\418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\services.exe (PID 4296, child of 1184)
      Command line: "C:\Windows\services.exe"
      - Executes dropped EXE
      - Adds Run key to start application
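The Run-key and dropped-file indicators in the Signatures and Processes sections above can be turned into an offline check. The following Python script is an added example, not code from the sandbox report or from the sample: it parses sandbox-style "Set value (str)" records, flags Run targets that sit directly under C:\Windows or reuse the name of a binary Windows ships only in System32, and matches file contents against the SHA256 digests the report lists. The three record lines and the benign SecurityHealth entry are constructed input, and the System32-only name list is an assumption of the example. It also shows why the last zincite.log entry must not become an indicator: its digests are those of a zero-byte file.

```python
"""Offline sweep for the Run-key persistence and dropped-file indicators above.

Added example, not code from the report. It parses sandbox-style
'Set value (str) ...\\Run\\<name> = "<target>"' records, flags Run targets
that sit directly under C:\\Windows or reuse the name of a System32 binary,
and matches file contents against the SHA256 digests listed in the report,
refusing to treat the zero-byte digest from the last zincite.log entry as
an indicator.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# SHA256 digests copied from the report.
REPORT_SHA256 = {
    "418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8": "sample",
    "bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c": "C:\\Windows\\services.exe (dropped)",
    "c86d285f16aa06e7b862f58c8ca7fcb730dbc81717bc316679b1074ee712602c": "tmp69A2.tmp (dropped)",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "zincite.log (last entry)",
}
# Digest of b"": it matches every empty file, so it must never be used as an IoC.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# Assumption of this example: names Windows ships only under %SystemRoot%\System32.
# The same name directly under C:\Windows is a masquerade.
SYSTEM32_ONLY = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                 "winlogon.exe", "wininit.exe", "smss.exe"}

# Sandbox record shape, e.g.
#   Set value (str) \REGISTRY\MACHINE\...\Run\JavaVM = "C:\\Windows\\java.exe" <process>
RUN_VALUE_RE = re.compile(r'\\Run\\(?P<name>\S+) = "(?P<target>[^"]*)"')

# Constructed input: the two records from the report plus a benign stock
# Windows 10 Run value (SecurityHealth) so the check has something to ignore.
SAMPLE_RUN_VALUE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" 418b0d26edc8dc681843cee0b68d52a4239837f96b546acc55ae9944e18db8f8.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" explorer.exe',
]


def classify_run_target(target: str) -> list:
    """Reasons a Run-key target resembles the persistence recorded in this report."""
    path = PureWindowsPath(target.replace("\\\\", "\\"))   # undo registry-style escaping
    parts = [p.lower() for p in path.parts]                 # e.g. ['c:\\', 'windows', 'java.exe']
    parent = parts[-2] if len(parts) >= 2 else ""
    reasons = []
    if len(parts) == 3 and parts[0].endswith(":\\") and parts[1] == "windows":
        reasons.append("executable placed directly under %SystemRoot%")
    if path.name.lower() in SYSTEM32_ONLY and parent != "system32":
        reasons.append(f"{path.name} outside System32 (masquerades as a system binary)")
    return reasons


def scan_run_values(lines) -> list:
    """Parse sandbox 'Set value' records and return the suspicious Run entries."""
    findings = []
    for line in lines:
        m = RUN_VALUE_RE.search(line)
        if not m:
            continue
        target = m.group("target").replace("\\\\", "\\")
        reasons = classify_run_target(target)
        if reasons:
            findings.append({"value": m.group("name"), "target": target, "reasons": reasons})
    return findings


def match_report_hashes(files: dict) -> dict:
    """Map path -> report label for file contents whose SHA256 is in the report."""
    hits = {}
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest != EMPTY_SHA256 and digest in REPORT_SHA256:
            hits[path] = REPORT_SHA256[digest]
    return hits


if __name__ == "__main__":
    for f in scan_run_values(SAMPLE_RUN_VALUE_LINES):
        print(f"Run\\{f['value']} -> {f['target']}: {'; '.join(f['reasons'])}")
    # An empty zincite.log hashes to the report's last entry but is not reported.
    print(match_report_hashes({r"C:\Users\Admin\AppData\Local\Temp\zincite.log": b""}))
```

On a live host the same two functions can be fed the output of a registry export of the Run keys (both the native path and WOW6432Node) and the bytes of any file found under C:\Windows that is not in System32; the JavaVM and Services entries are flagged, the stock SecurityHealth entry is not, and a zero-byte file never produces a hash hit.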
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\default[1].htm
  Filesize: 312B
  MD5: c15952329e9cd008b41f979b6c76b9a2
  SHA1: 53c58cc742b5a0273df8d01ba2779a979c1ff967
  SHA256: 5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
  SHA512: 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\search1NT8MKQJ.htm
  Filesize: 118KB
  MD5: f719bfc8cd7a2eb6dd559ce7a6c49559
  SHA1: 347b47c245453a347b8ef6017d16568d329597e1
  SHA256: 9b6171fe5c6070bf608fcaeb49b083cc7c26770dad8fd97fc581e20737a0dc23
  SHA512: 66fbc66478fdf1e442baeb59eddfe329bf9d6bd422ad64a1351fee820f34fa1f1dce06fefee91b04006091c783dc0c89bc5e131711902c7ec0b122078bec67cd
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\search[1].htm
  Filesize: 25B
  MD5: 8ba61a16b71609a08bfa35bc213fce49
  SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
  SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
  SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\search[3].htm
  Filesize: 151KB
  MD5: cef10701235a99a1a092167b823808b4
  SHA1: 40b386828267f14518ddf5e046d621450ba7ae0c
  SHA256: fa8648b3161a03422848d74d1f765003a009d9f3a0b05505b4c196ac3ffaa5a5
  SHA512: e4cc5bab07b6a992e296f4bf5c71daef029f721a1274fac6d8343fd151fd33db65ffb6a6aafd0791f37c64127dbda3da6e93e83f1f6d8af95bfa045792b1d618
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DL7YY2B9\search[5].htm
  Filesize: 126KB
  MD5: 83fb19b35b6038f3ab9a6a189d001120
  SHA1: e4e236587803deb99520a1d19fea7ab01c46ce9e
  SHA256: ef33e77a6b947a41b5c9a062e826324a95b0cf7d90ace1b8bf231b4ea6fd8212
  SHA512: 5c9c2bb8b8e524b6abb5ca39bdc211c0d699ac9b5225984d8803c7e31e1aa5792d92a2818c4c527fa51c1039213c1ace2de5a1c2573fd99c5c78529d27c4b3d7
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DL7YY2B9\search[7].htm
  Filesize: 151KB
  MD5: 6fb22da1c127c7bee1fdfa34446b15a9
  SHA1: 002fb8b920a4c8e769e4f3562cc4c59b797375d2
  SHA256: e65db7c0ee0db8d629e257cc3505d786ac27b3eb529f7a0749b5f52958e65ed7
  SHA512: cfe33d6029691a62312a634dd37e9d579e71b3593a7937463e4c56e49d52d4bc8e2401d960a88f61d2bb1598106ef1b9d8ca11dcc399dcf0a57d0585e5e2910b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DL7YY2B9\search[8].htm
  Filesize: 169KB
  MD5: de9d570d078e58bc48e10c7f37343a0c
  SHA1: cac4363dc357298eae0047ebd3eb110b72ffa833
  SHA256: a8646dcd562b9fc6d68ed5b9efe59642380d2dc78bc7fe4be282be3c2ce582bf
  SHA512: e69c7af6fe9e83b979fe0ad8a342b0876a117d8de9a9aa20edf9326a6707fcfc5f6aa71639f6b22d19d0fc3935dd70a8e04144c71829362b55a6832894acdd42
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NA35E2FV\M47TPIL0.htm
  Filesize: 175KB
  MD5: e430bdc58c7129cc8848c46cca8f23ec
  SHA1: dec848893ed6657ff5d46914893e89c7a2a96303
  SHA256: ecf1f6e042b2781f9c85e8c5a24b97d8e45657e47b1229f04f7fc805de306ae1
  SHA512: 86047313d1d79c2d74aca31f823b90cc7ec5988dd229cd058529edffda470ce0dbc6af1d53819984cacc8fa7bcd72b0bc0d3318ddeabeac562b0414d5d1f538e
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NA35E2FV\searchGOPPSW05.htm
  Filesize: 145KB
  MD5: efea955597c244b1358f44d423f3cf1a
  SHA1: 234895541a5f325d344bf5f826634eacab286608
  SHA256: 0a695473a25966c404cd7d1891393e3dfeb5e1709bdcd8e7eac1154e6a5446f9
  SHA512: c4bbc7d5ba028d08b941e6245a5b90a91dcadd686e61cc84cdef32bd41b9fe524d5dd276ae35f9f768266fcc67318aa819c832246c6cfbe0ac4e25f4b0cd7046
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NA35E2FV\search[4].htm
  Filesize: 115KB
  MD5: 70ec2e42afae8ce05e885112b4aeb5cb
  SHA1: 8d60782847e9510745d52210bde787378365b387
  SHA256: 459eec9f493dc38f42ac5509353d2b870e54089cdbeb24a1f1d3e23decf97653
  SHA512: dbf807b1a6750854f286f63fececfa870fab5f520a183a1d0c63d2bba4aedd2a962b39f8564374a5a185aee525ffe3dabd1b18e9aa10c1ad700ae8acaa0ec3c9
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5OVUPOF\results[3].htm
  Filesize: 1KB
  MD5: 211da0345fa466aa8dbde830c83c19f8
  SHA1: 779ece4d54a099274b2814a9780000ba49af1b81
  SHA256: aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
  SHA512: 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5OVUPOF\search[10].htm
  Filesize: 166KB
  MD5: 8284ebf0c66987715e57aee41f752312
  SHA1: 3f4bf7b673312743258afbc2e05e807b361fe893
  SHA256: 6bc7fef6147fe53e8cb2079992cf128ad64a0a2c08ea22d89127b0681c31e84d
  SHA512: 8833a3b169c4f18c5fa8436fb2d0072b7c5c545cf5483767fe30de6f95f488e2c7dd88de472b1f67c6cf49fda5dee5f5b6cb71084924e50e3b3e0d881238e286
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5OVUPOF\search[3].htm
  Filesize: 136KB
  MD5: 46aa8c6512795cc054966c7953d9bc6c
  SHA1: 76e99fde9f8afea5ec342caebafb092f95c009ed
  SHA256: b7797086425fce2422603d24b0dfb784084b848b74ea001042f32ffff60e3bae
  SHA512: 13ba5199053543a82e283644a765b95c6c5d64120ff3a4aa39617c35e86098cdeac42129b18b726d096a5aa0de4af9cc9d055b9662e9ec87d3515d8f0e86ad2e
- C:\Users\Admin\AppData\Local\Temp\tmp69A2.tmp
  Filesize: 29KB
  MD5: 30bbd78af2de565ee21ec6f1d73dd051
  SHA1: 4530dcf565831b75cc3b5b85c7a86e944a5b3069
  SHA256: c86d285f16aa06e7b862f58c8ca7fcb730dbc81717bc316679b1074ee712602c
  SHA512: 2eb76811f68b4e2a90b5ebdc7ce73c323c547601ddcc63764a8517a0f4c6b02bcbada47d2afe43c5f93abd13660337d61b7cf2e4e24fde21473435f01b9b15ee
- C:\Users\Admin\AppData\Local\Temp\zincite.log
  Filesize: 352B
  MD5: 5ef3439fc5c48b8e586e1f0a34dbb793
  SHA1: 9be73f9418d68b943c692b6a97e12df141f1f761
  SHA256: f2d45a4de31357b4406cd5d5436cd17748616edde77cc9beb925c791f3253496
  SHA512: 8d4fdddc9b080222f81bc309bfbc9e7137888452b1779dd229ff09dd8681d7ea62461eb174f1bdd6fa35124957ebaa51be848cd600b8012e5b645ada94e12cd4
- C:\Users\Admin\AppData\Local\Temp\zincite.log
  Filesize: 352B
  MD5: 6a52bfb13a66f1f15ada54e74f5b432f
  SHA1: 8f37c12ab214a5ad652f4825a05c246b9617d710
  SHA256: e5bbad6cc85d448cea137e9fb9daa20b4ac233fba95f5466cb933d59fcde0f2b
  SHA512: 99107c0809b7edd1eb3a2be6b4f64df404587fd08eae34b5e0b4184c0fcd623efdb747cd56e4b0dbb520d55bd3eaad719d64f5f3f99bae57a81fe058ac939244
- C:\Users\Admin\AppData\Local\Temp\zincite.log
  Filesize: 352B
  MD5: 5722888e8b58cd4eef8a7e352ddc0b39
  SHA1: 863c1b63d70927f4110cb8498ae0a90fea830593
  SHA256: 7245a5ae8436e3bfc12e086ea0df2d48e446b7488e4724df56498b20f6be09a7
  SHA512: c64b4df3daa3da92e250085e26ff008d30035d0656f6fed258d2cc5bb9e1cf1dfc1efae4db808c8f71a6f8dc54d8948395e425e9a5fdf0e5552c010a98f0ce6b
- C:\Users\Admin\AppData\Local\Temp\zincite.log
  Filesize: not recorded; the digests below are those of a zero-byte file, so this entry is a snapshot of the log while empty and must not be used as an indicator
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Windows\services.exe
  Filesize: 8KB
  MD5: b0fe74719b1b647e2056641931907f4a
  SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
  SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
  SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2
Memory dumps
- memory/1184-{0,13,37,147,283,290,329,331,370}-0x0000000000500000-0x0000000000510200-memory.dmp
  Filesize: 64KB each (nine snapshots of the same region of PID 1184)
- memory/4296-{6,14,19,24,26,31,36,38,148,284,286,291,330,332,372}-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB each (fifteen snapshots of the same region of PID 4296)