e99234362a42f0fa1010f345ef0ae37d467c37283613c97b2e93fd6faf3143dd

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

608baf276843388a72352e8644e2f780N.exe
Size

41KB
MD5

608baf276843388a72352e8644e2f780
SHA1

2feb2b8bad00f85d90bc7771274096771eda8aa7
SHA256

e99234362a42f0fa1010f345ef0ae37d467c37283613c97b2e93fd6faf3143dd
SHA512

b897601bd52224036f42551fed648438c868cad4857dca085024836491de277096bfd272dee576766a49279402e6ef649245313e5fc30058a4dac56d95aca16b
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Executes dropped EXE 1 IoCs

pid	Process
4248	services.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4844-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x00080000000234d7-4.dat	upx
behavioral2/memory/4248-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4844-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4248-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4248-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4248-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4248-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4248-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4248-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4248-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4844-42-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4248-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4844-47-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4248-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000a000000023290-53.dat	upx
behavioral2/memory/4248-204-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4844-203-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4844-279-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4248-280-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	608baf276843388a72352e8644e2f780N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	608baf276843388a72352e8644e2f780N.exe
File opened for modification	C:\Windows\java.exe	608baf276843388a72352e8644e2f780N.exe
File created	C:\Windows\java.exe	608baf276843388a72352e8644e2f780N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4248	4844	608baf276843388a72352e8644e2f780N.exe	83
PID 4844 wrote to memory of 4248	4844	608baf276843388a72352e8644e2f780N.exe	83
PID 4844 wrote to memory of 4248	4844	608baf276843388a72352e8644e2f780N.exe	83

C:\Users\Admin\AppData\Local\Temp\608baf276843388a72352e8644e2f780N.exe
"C:\Users\Admin\AppData\Local\Temp\608baf276843388a72352e8644e2f780N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4DF043PQ\search[7].htm

Filesize
132KB

MD5
65bfc6f3fa0fe367c36221457bc259af

SHA1
a86c9d41a49ba3eab72e850999bf00579d9810b5

SHA256
4906d816b6bc15191dfb04deaf34f90a4d03e10d072e79511898e5584bc1dadb

SHA512
f3234e526775ed25698b40aa6b93606527e4c69125f3d8b50231e02ff01b77b067e9f7eecf7ff56d63f1f637940804ed0034fddaa7913f69be57c8890a054ee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4DF043PQ\search[8].htm

Filesize
114KB

MD5
2fe011c7d098c6cfd6479d86ab2ed130

SHA1
b9b89066f6c1c16d4c8548268e9182cea7299e06

SHA256
e923a514908edbf257b1ec5aaf0abe5bc3b9f2e3a2b7a06dc33f16f98397fd27

SHA512
2dda540053f2e13c83a520ea396fa383437fa0005f8922b6cc2ccf64c9241e4d3050ee69050ea18191999f99168980f9043a0f016c37e143dad243c2fd678b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5G8JI3LV\ZCUZN8JH.htm

Filesize
175KB

MD5
85fe2a8086dcfea7cbf72dcb0ee9d319

SHA1
9a210dbf4d8d4ae6feda638cd16416ca24b796b4

SHA256
46ac589c30d31904f63dd4c4a88b2922a13f0ae90118029b25f9381120aac52d

SHA512
09388a63922066947d68605d29957b1601441b5f7b7b275b0772b3ef5e9db710b22c772aac4a6f76e4a258eb05c000b21f801a675fb45467127e56200f7ae5e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5G8JI3LV\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YP0CAEAA\results[4].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YP0CAEAA\search[2].htm

Filesize
147KB

MD5
200d44a746d4de6c794e44ddbc77a277

SHA1
58f17490db834e600c78658574deb4af5bf8c391

SHA256
3fec6b97861f157c956ba100767fb0e8d1955c197dc4532a8988f7eb5e6c391b

SHA512
9586539095763d55479e113a0ce46e8483cbeb976c039d135fb7f698dfaaa82d9176a3f8564ea8b1f50f83a6427fed180ed2a61e4a862309488259a021cb5d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\rlpedtg.log

Filesize
128B

MD5
d9d2259926e3701364f9326eb85f6699

SHA1
578f0933205be742040a48a813bae449de33dfec

SHA256
3af265604d60ea966db8d57b302ce3bb3ab04876f022d3ea1e52ca51d5c1e3ee

SHA512
1a564c19d5c3916bf64ff9d30f1c0b9b6d2c3e4b3355d9e8711aa4ef653b2205852f08cfa67d43a8ee39bab88aaa75b1a66034cc2b1edee5e508d1ba4f9dd357

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1A64.tmp

Filesize
41KB

MD5
4ad08ae1dc8b586203cc872fec00b175

SHA1
73d46491b93a8cee340a44b01f5e7a2a0bfe484b

SHA256
0f7acea08c305ffbe22c9621a74a2ed19790c37ba53ef285a32ff4b67f1ccdc5

SHA512
0792cbfca052d244b630b973ef15ad054fde7fe882541d40d51f5973f09deb605d9ffc64ed3fb4993193dd41250ce25bb808a206cfa99124bdc2c6336c7cf80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
160B

MD5
0e9601ff0d9e3334e0559e70c90d81bd

SHA1
bcbaeb5d9a9e0e8cd7e80da9c9c69cfcb8b34212

SHA256
00b3a2c35c0de8439c2d789528f37840828a69f04d0ca3dcd8e60f172562393b

SHA512
341e367ae9d6b2572bf1ebb8cad8b4e683edab0793a6447b1e0417c76bb08aae49fe9b1d272b67d1f394222a1dcbe1d724cc748d6ea83718d65c698a4200b75d

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/4248-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4248-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4248-280-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4248-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4248-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4248-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4248-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4248-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4248-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4248-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4248-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4248-204-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4844-203-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4844-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4844-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4844-47-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4844-279-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4844-42-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads