c72533d7ba2f91f80be151f819b4b0b0d522ae54c63eac36a4f087d194f25ff3

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9ca557d1b86011fe76ba6acc0cef980N.exe
Size

29KB
MD5

f9ca557d1b86011fe76ba6acc0cef980
SHA1

ecba9aa821359971daa9820abd709bcce746c490
SHA256

c72533d7ba2f91f80be151f819b4b0b0d522ae54c63eac36a4f087d194f25ff3
SHA512

f47bfad3fff97dcf0adf79a152baa8a3f8782fdf12d044603b52755bd8dba4312b40168dccb9e4a0bd970409a3f8c5bbbb5d9b8437d55b47ef559a3b55cf8c01
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/q:AEwVs+0jNDY1qi/qS

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Executes dropped EXE 1 IoCs

pid	Process
2800	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2828-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x00080000000234a9-4.dat	upx
behavioral2/memory/2800-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2828-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2800-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2800-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2800-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2800-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2828-30-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2800-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000400000001e738-44.dat	upx
behavioral2/memory/2828-129-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2800-130-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2828-217-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2800-218-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2828-221-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2800-222-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2828-226-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2800-227-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2828-236-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2800-237-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2828-394-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2800-395-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	f9ca557d1b86011fe76ba6acc0cef980N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	f9ca557d1b86011fe76ba6acc0cef980N.exe
File opened for modification	C:\Windows\java.exe	f9ca557d1b86011fe76ba6acc0cef980N.exe
File created	C:\Windows\java.exe	f9ca557d1b86011fe76ba6acc0cef980N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2800	2828	f9ca557d1b86011fe76ba6acc0cef980N.exe	84
PID 2828 wrote to memory of 2800	2828	f9ca557d1b86011fe76ba6acc0cef980N.exe	84
PID 2828 wrote to memory of 2800	2828	f9ca557d1b86011fe76ba6acc0cef980N.exe	84

C:\Users\Admin\AppData\Local\Temp\f9ca557d1b86011fe76ba6acc0cef980N.exe
"C:\Users\Admin\AppData\Local\Temp\f9ca557d1b86011fe76ba6acc0cef980N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MQYRE6E5\searchE5UQSTK7.htm

Filesize
149KB

MD5
ae193323177d6d272cce36d6ef7c97b1

SHA1
d05bc97266cf1483af04f36ca274fdc1dcb388a7

SHA256
aed9ca1618f7d8fb285c0b6f650969651ff92ca982b05276d10184b60c342af9

SHA512
91d03799e2708ed1efbe2121197a21e0dc52c488481940f10efee027056ee40de513cce212bbde013a14d55448aa4713f55c3f5b08f6a6bc5096d90782f5939e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NTK5APBE\default[1].htm

Filesize
312B

MD5
5431b34b55fc2e8dfe8e2e977e26e6b5

SHA1
87cf8feeb854e523871271b6f5634576de3e7c40

SHA256
3d7c76daab98368a0dd25cd184db039cdd5d1bc9bd6e9bb91b289119047f5432

SHA512
6f309dd924ba012486bcf0e3bafe64899007893ea9863b6f4e5428384ad23d9942c74d17c42a5cf9922a0e0fd8d61c287a2288a945a775586125d53376b9325c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NTK5APBE\results[4].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NTK5APBE\searchKXVIY90F.htm

Filesize
158KB

MD5
130ac346e34e1674490b244411e7fdf5

SHA1
b1ff2b0ff9c2fd47ba5b8745e26df99c9ce20f94

SHA256
ec6ba5f8c4d3f21417fc77d6d34f08e445e11342345dd19b28c63c7a2808ef44

SHA512
e9546d457a27c0ba4906e7d832be49e10f06b49e26efb512e2bd3f6d329ee3ac4eae52a68e7e536943d21440949764064fcdbb2033d87e3bf39c0b8095d0d294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NTK5APBE\search[2].htm

Filesize
121KB

MD5
ea4f0f436ccb72d78f578f21010c974e

SHA1
c255ea431842ec20e53bf294d92577b29bb46b67

SHA256
4508aa99eafeb201856e5b6cb66319334adc2c1c821d9a8b124880e561e9ce1e

SHA512
73163c495455ea9f5c346a74c998b855ec9f244b286011f343723e4d7fdb4744c1bf551bf8d547a1db02835bf6ef316430159116854ae237da5c5f0c3a42099e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NTK5APBE\search[3].htm

Filesize
108KB

MD5
db2fcff827ab0046887dfa2a2321df59

SHA1
19cbb88db931c2738027600cbcc320d82c701562

SHA256
e1d7e9bed4292aacefc0f1e87801f1438d222677baf158f4a0efcc58426f37db

SHA512
7b6868cbf8e4a88e759bbcd673afc2f32ebb1e7b7d042300f5a0660f77283f963de880271def7ac9a329d23e63514583130a9d4f475e51e877d84fbe79879e93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R9TFLRJ7\B9A295UK.htm

Filesize
175KB

MD5
bd8085a3ae1634d6b68747b47e502b04

SHA1
cd3d1120c284c0f3a8102c9bd9830560cc566100

SHA256
2784bc8f7262cd9f29bd9fdfb904dc1b4d82c3e27e06a10330b2a786e47df9cc

SHA512
2ae2492b4406f3e5727a5a4607e9a732e52e5c587d30f9c168b2729d33a095ca11806609c2fe8438b2c7925dfd1ff1e6762d59fc894ca1b08f72270835a13850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R9TFLRJ7\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R9TFLRJ7\search[9].htm

Filesize
115KB

MD5
7eeae46d1323c46428320be6a615d624

SHA1
4b8bd37ed27db1d4f1a9e1a83c5b0b4e81730cae

SHA256
022432eeaeff3ddfbe52ac0bbe479f90c02fad7ae53274dc2e64f5a1b040094a

SHA512
24fc88ec9c27e43aec97544c72cdb3a1782411fa8ebe732278f19a9ff50f9ddaae0b317a9bcd51f78a8acc1714725b9844df5836c48670a232f0d519abc19787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S20L3CYC\search[2].htm

Filesize
137KB

MD5
3c6ccd69d4255a7340cfa4db68aa3719

SHA1
32248eb292edf7c0036485d1a5b24aa21a3f933d

SHA256
c7eaa15ba1a5099965eed89ec528162c3ed3858df7c93961aef163ef04fc36b6

SHA512
60b3947006553f3f025da22700c767df62fd7ed982c9abb0251f103c406cb6c2896e28ea66fbffa5ed0644c6840eb17fad7d5ddbfc53526ed94ff22bb0275195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S20L3CYC\search[4].htm

Filesize
120KB

MD5
56239b8b2c413fa5c38d8818a4427805

SHA1
16df758d1c48575c68597fc8b5b68f549c2a5aeb

SHA256
243560aa39bdc2af81b8272d8d73dd1266d915006ab39447cb93b40b67fdc7b6

SHA512
14f5ca8a3bdd9b21738e19142f56dc989417070acdb26ad7e4444c928e99631ac1c3aaa147ea1edd9a35bd7e7451b2c2ee88315086618c26e87ebfca5773c961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S20L3CYC\search[6].htm

Filesize
134KB

MD5
a309ed0f22485d1ed164947e0fdd94b9

SHA1
7925a3f9b70b0663fce772275eb4c7876d9e2d27

SHA256
0c893aab5295b3ad1826cdaee947aa60c7a81d051e67d949d544e77c8b96b539

SHA512
d296ad38335ddcc6724c4ee14828800d9970240b202601dd9e9c658b68d9dfa518cf10568a6c8dd2c0178caae1824b30aabe709ca9c9113f073f51c2f3e4f29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp754D.tmp

Filesize
29KB

MD5
d618500729b7748909de9a5a97d19d53

SHA1
a77088fc414d5e19f314df80ed19ffcd6dfd879c

SHA256
113f394f7439a459b1d8dd4fdff510f003183d968f909dd6ee48e7f088f13c89

SHA512
2f776d60b979ff64c0a867830f7c7302ddaee160a7d3100215c344ef44163632cca0ebbbd6c6e42b4dbac5602e90a2c54bc837c16ce64059f309973ccf20ca28

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
5602268e2527e8bf18c1fa9a2f164b30

SHA1
2c96af368d7fec813b1a956d5024b0999520d1ed

SHA256
4493f3a94c332418010a34f736be27fc4aec2be8bff452398ce6ce248a72c3fc

SHA512
d1eeea12f92c643c5bf82a67ff60b2db4750f4237eafb21a3c6adb63d4b0bdbee54bca9944b72ed56ff26f4ff6687f42243b01e6f3f8fa6ea0ccf654b16ee731

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
21731d8447e8552655e77e643585c353

SHA1
a4942bad1be2c0ee05014d32bf911581a9d7fba0

SHA256
ee00622bde9a82e1fc69369343be2eda732b081fa0f2851834e8964988034fe2

SHA512
d49594999b48460619bb8851ec6431f7824b6f01d17d3d18435a35e70897548f4fccad33c631154575e19f0ed7eeae80d10f55300aeb70f6cf01e6112375e3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
d624273837e75880a14e28417ee9d7b3

SHA1
e15a746c014524b5fe45a1bec15a457e650de90f

SHA256
538f5f4d0848649340c6a5da7c5972b83732f8092785e4805619bb9ba0039484

SHA512
ae203a75f35e0fca2e2ff7089d0775d30f1e96aecbe45a61c69a5e545d7cfd505815360b31cb5828790dbead4f0454565a6ab7625ea4080a845261150f3d6ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
5c5dafc86a021247e12353b1a660cb98

SHA1
cda32741cf2d193f0057eb56cffd97d5a1da82e2

SHA256
e2e0fbf29b58eeaa8c0e1bf8c5fcae194718d3b0eb4410d1035abfc74c1bd651

SHA512
dd72031464e0adff0b5be5601cfd893f8b338d0f81f3b40c1939593ba282247941c7cf1ba25d36ed188996b333aa0fa1b2e0f1959ee19c319b47024b5bd622ec

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2800-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2800-395-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2800-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2800-222-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2800-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2800-227-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2800-218-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2800-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2800-237-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2800-130-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2800-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2800-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2828-217-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2828-394-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2828-30-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2828-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2828-129-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2828-236-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2828-226-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2828-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2828-221-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads