f7da207fd5dfef414b766d426dd507e1424e5f59418705d72221e41362284dba

General

Target

instruction.doc.exe
Size

29KB
MD5

6712f193958bcf5df51bbfe7e5966fb1
SHA1

bc2445f6dc75e9f46c71e6b15a37ceceddf3d37a
SHA256

f7da207fd5dfef414b766d426dd507e1424e5f59418705d72221e41362284dba
SHA512

89618303b831723b67cb95a4a5881492c4971486effa222d0fc5abeced3954ce5896781da0e322d8550cfa436e7f1ac0807407cf4933d86cd69037fad72976c7
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/ip:AEwVs+0jNDY1qi/qK

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Executes dropped EXE 1 IoCs

pid	Process
4288	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5036-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x000800000002344b-4.dat	upx
behavioral2/memory/4288-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5036-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4288-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5036-42-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4288-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000f00000002338d-53.dat	upx
behavioral2/memory/5036-119-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4288-120-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5036-218-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4288-219-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5036-222-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4288-223-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-228-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4288-230-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5036-229-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/5036-250-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4288-251-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	instruction.doc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	instruction.doc.exe
File opened for modification	C:\Windows\java.exe	instruction.doc.exe
File created	C:\Windows\java.exe	instruction.doc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4288	5036	instruction.doc.exe	84
PID 5036 wrote to memory of 4288	5036	instruction.doc.exe	84
PID 5036 wrote to memory of 4288	5036	instruction.doc.exe	84

C:\Users\Admin\AppData\Local\Temp\instruction.doc.exe
"C:\Users\Admin\AppData\Local\Temp\instruction.doc.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CG8E3YOC\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YP0CAEAA\5E324UNN.htm

Filesize
176KB

MD5
39103f5e1c779be8d47a125645cc0aa0

SHA1
9e9d8389d862149a0eb340288b6b3b85d9ed1f1e

SHA256
38a62d473ec531df295c1fed155981a7d9382b01625e6dfacbc866dc4dc449a4

SHA512
a4013c6c5fd758f38df66f9dc74f8bd15c0d89333c4628bb5c67e3400af5b0a32f6c89c2a112ebc3bcef4e8c663f699feee10240114b475072431f685a6b701a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YP0CAEAA\search[6].htm

Filesize
122KB

MD5
4f798612a147e96b14aa32a2f80eb3e8

SHA1
ed3d846e619ba9484ad34326c8881a66c62bb1ed

SHA256
808b75b7dbcdf54adf614ecbc6e7855a70844da1c4efcca1ef4cafcb816b8314

SHA512
6a002439965a65dd57ef36e2c6dc6184b431db053b52229db31145fea7e11b3f66f8cf803c1f76ff6019decd4801c62a3287ed97e501a8a828a6d7ee6adf2bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDA21.tmp

Filesize
29KB

MD5
4ddc74acf481bc38af56aa8bd8069a12

SHA1
51cdf26c9eb9146838873b1d09731ab42068f740

SHA256
d9b6f9b19749fb7fb2646d7c82a76660353661bdbae601eef8e262b628481607

SHA512
3c6c6194f6965f014dcd2e8ab92ab8c24209462b576b8862ae1ad1118b16bbd8544c5ca06e56a51ee6e879fa5afe11db4d563cd059557004aa4b5f83f2ae6848

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
9c0ebd642daf92351478f04958ba6644

SHA1
40c27bda58a82ecadff8824f2c4b44a4e3103304

SHA256
8c0022d2b22a0fc4802687ad417f86fd8ad0c702f8917619792a07bc2e1fec92

SHA512
0538e4c1bff801f7737e7c42230d6c6f6aaeaad3cc63e823fa5e7ca54171c3609db005e7f5f230942eb6860c2737a2a744e2ea090ddac29686e84d91231c05e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
92e98b8582c1e25b8e1c5c906f5d4eb0

SHA1
78cc6e4ef6f487e456aa52a4a81d8a1366d8b7d4

SHA256
ec1ee5b179cb6d69863c36eae4fdc8c7b72e198501c409a7f3b861c63b9175a1

SHA512
a5cd21ed47c5c529e5c3a44334b4d9b1747f68d5741d7c96120a262c6458954aa84015d8a8d086d4da211579c9e15e7d2ba67cc3cd6cf54969ac33c20a0809fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
85d7e05d9b42dbe1acec52c1899b6509

SHA1
5544df494a323a06246753f7f447a3bb98ad9f2a

SHA256
fd19338a0fc6c97a1da2b0baf07f8fafe66a062576feb2803cccd1254e8549ec

SHA512
6a8aae4cd809f296034e68d6f6c5713c4f599bb4b1c03d9c7db5b63ef7874985e74789888e3e8c7c98f49701b044e55cc974eca08e4ca54c92f6e712aa02f443

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/4288-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-223-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-251-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-230-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-120-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-228-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4288-219-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5036-222-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5036-218-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5036-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5036-119-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5036-229-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5036-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5036-250-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5036-42-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads