2b0cc6b8f9bbcc11dc232ba9c988994b04530429ad12a1c0acc0080f38a08bde

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b0cc6b8f9bbcc11dc232ba9c988994b04530429ad12a1c0acc0080f38a08bde.exe
Size

41KB
MD5

6e4fb4b95491276e9b11df26536c0960
SHA1

d18f2396c57bb2d4121aa25ec08ba1f2d67e61fc
SHA256

2b0cc6b8f9bbcc11dc232ba9c988994b04530429ad12a1c0acc0080f38a08bde
SHA512

07330a35804aaa0b4eaf5d2bae68e57c578d42ce53a14638ee40a93050b935fd9ccb3e6f1c94e0be6f9f195fd57693f45f94beb76cb4b1d12f222d2591626042
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/u:AEwVs+0jNDY1qi/q

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Executes dropped EXE 1 IoCs

pid	Process
1224	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4432-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x00090000000233f3-4.dat	upx
behavioral2/memory/1224-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4432-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1224-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1224-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1224-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1224-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1224-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1224-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1224-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1224-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4432-47-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1224-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4432-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1224-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0004000000000703-60.dat	upx
behavioral2/memory/4432-215-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1224-216-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4432-246-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1224-247-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1224-249-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4432-253-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1224-254-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	2b0cc6b8f9bbcc11dc232ba9c988994b04530429ad12a1c0acc0080f38a08bde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	2b0cc6b8f9bbcc11dc232ba9c988994b04530429ad12a1c0acc0080f38a08bde.exe
File created	C:\Windows\java.exe	2b0cc6b8f9bbcc11dc232ba9c988994b04530429ad12a1c0acc0080f38a08bde.exe
File created	C:\Windows\services.exe	2b0cc6b8f9bbcc11dc232ba9c988994b04530429ad12a1c0acc0080f38a08bde.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 1224	4432	2b0cc6b8f9bbcc11dc232ba9c988994b04530429ad12a1c0acc0080f38a08bde.exe	81
PID 4432 wrote to memory of 1224	4432	2b0cc6b8f9bbcc11dc232ba9c988994b04530429ad12a1c0acc0080f38a08bde.exe	81
PID 4432 wrote to memory of 1224	4432	2b0cc6b8f9bbcc11dc232ba9c988994b04530429ad12a1c0acc0080f38a08bde.exe	81

C:\Users\Admin\AppData\Local\Temp\2b0cc6b8f9bbcc11dc232ba9c988994b04530429ad12a1c0acc0080f38a08bde.exe
"C:\Users\Admin\AppData\Local\Temp\2b0cc6b8f9bbcc11dc232ba9c988994b04530429ad12a1c0acc0080f38a08bde.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2IX84YPE\search[1].htm

Filesize
156KB

MD5
721a22a80679d6b3549ffcdc5060236b

SHA1
a72b6bd3943f29deaff9b420fe04423c95e42f7d

SHA256
22ae850ddb8623745c4abb29db1b98c05d6e4051c2fe0f8679c4ded8403c213b

SHA512
43ec3ea32890b08a24261ede622b2274fa8ff5ed321c40b5e9351b379b3b43b32258f5e3479161a9d5b3676baf1abd8d65e9740a656794ea7e498c0f71f9ad9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2IX84YPE\search[9].htm

Filesize
157KB

MD5
9b75de6a2ffba63c7c8439ee356559b8

SHA1
1271987451f05134ca2eb0e7c049cdecab94defb

SHA256
b79b68c73bae024081cbb2697581c4ad555c8cc96f4744644911d25bb3b4bb4c

SHA512
e89b0b65fef089a662bfcefe58479dae38ef9a20f1bce98de634052a050fabb9221da5138284f45d513da0493c0814c080af50ba722dd557a1639c020511bb54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J2J1W33T\OLVAY446.htm

Filesize
175KB

MD5
37008a0e40a0da92935bb39608c527dc

SHA1
1679d433ccca8e54232995c22ea3f90720457e08

SHA256
593b636c1b66248917bf85a779003426fb22f527d9b07a9ba257c1de0685baae

SHA512
7f099cff286c8feadcb968d71fe248901b310de6c99debb219f1c1a85edffb823a58b692faa1be289922df69881a24d8a76b6bfd4e7d0e2f57f668d47fc9eb81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J2J1W33T\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J2J1W33T\search[7].htm

Filesize
129KB

MD5
85071801ea836a4a3f26b51d30447c48

SHA1
87d3a24d93ed645536a143a2a09c19a8d687bd8e

SHA256
850f9585cacede240a094adad9117412758561f96a566030f518976fe92d0a7f

SHA512
2ebe87a1bbd8f76758fc97f8e0cf8607d201f014b272a98641ca0e2aba60d2d7e99d9d8e5c719840d50a46864bed04b3f7c4248722d18d278b207126678f69e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J2J1W33T\search[9].htm

Filesize
117KB

MD5
b228fcf8bb5f0d070e5a5331f510db46

SHA1
d6b1f6fc9e8ce9cae0fca2d9841ae8427381a601

SHA256
a853da797eaea9db022aca2218a000f3ef0e0e6ad9cbd577ef7631c8810e43ce

SHA512
d7336470ab37a7a42177a69f35495219eb5fdde096beef0d52b0ffe1786185f4d00b89e661b0c7a618b2690bbdd7f1fd299f0e8d57a1d8e1449264e333050093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\results[2].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC522.tmp

Filesize
41KB

MD5
fce9da2f0ee3a6d72fdb337b48e6bf84

SHA1
71de11a912c8e1137401931cdd0a9f517a5aa1fe

SHA256
8b46ae3035b68269e0dd9f6949ea9318c96f31e839c13e99e85ec5ab00dafc9d

SHA512
f3ce4ed64c50f6c4e398c7470d3f800a897b2fba8432a4f7012e34a871ac7a0d32b422f37849046ee3f678fe03d8b13d29cedee90994a395e9fecf74da7c23d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uCu4vn.log

Filesize
128B

MD5
58323e482ff0cc7f1fad11c95633db0d

SHA1
fb1b0c45a77380f499f6dd2ab8ff15105cecf490

SHA256
f7584f3a4fd1cad345c3f66d9a4851ac63e326ebdc609f99992212dd63ada6bc

SHA512
5720a9c6595023624faf8797035e48fd95e267d188c350e7531e0fadbb6b594b745193a7df35ea18beed1fb66b04e916118de41339d1cdaa4c57cb8a5d6d3b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
160B

MD5
0bdf0b6ed46591828aa664e57f529b19

SHA1
0c2b08bac1deffa716c8bfab445b1723cd417e87

SHA256
305e5a7b513ac724a9c4a1476046a20fa082877695e3ed09c5efdb97cbcbaf3c

SHA512
2c0593e9d001e92587879123cdef87e12bdac85e84dae5d0c4c27764a594d5a0f0fa2d068813426a13a5dfbf8e87f9f831fa7eaf8cc68992d4b204699a4c45bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
160B

MD5
f77ae2eb834f788f4cd5f4ce0b3242b2

SHA1
e9c8c293528d9527c184827176b65370a4659eac

SHA256
1784eddd60a4d927a9c53e9fe08ad85dd2f6d77e68f976fdc7a44767f0bfcda7

SHA512
365800b4e9a29ca81964abc8e147fa76db0ac5c7e0af4663682ce1d5a461605c7f662015dab513a6f13b06b625d8110072ce73a771c518ceca93c68f7f2ec418

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
160B

MD5
34f53c0bcde73bad377420c55620ae86

SHA1
a22793d7061f791fe40dc00141c0c6331a3d969e

SHA256
dfbba862b0e040a12dd2d902c2eafb2f7be8f53a8f7bdd9af039759238cf757b

SHA512
6143c7e6698897a79f7847de7c98a8e4f9e9b38da847f498c49eccfa565b9dc5887f18bee442936f2ccd21c9a305c5827edfa6ff5d2f49ef20a4a89d52177c55

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1224-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1224-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1224-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1224-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1224-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1224-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1224-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1224-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1224-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1224-254-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1224-216-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1224-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1224-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1224-249-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1224-247-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4432-246-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4432-253-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4432-215-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4432-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4432-47-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4432-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4432-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads