Resubmissions

07-04-2022 09:58

220407-lzv4tsbdcq 6

07-04-2022 09:52

220407-lwhpbseec2 3

Analysis

  • max time kernel
    4294180s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    07-04-2022 09:58

General

  • Target
    Lazada Voucher Worth PHP3,500.00 ( Reference # MB-92297560 ).pdf
  • Size
    496KB
  • MD5
    d5fb926b2e51aeda4baafe5b8a5e3be8
  • SHA1
    144fb55fedf75d2a57fff39a849babf4eaf59567
  • SHA256
    cd04570c16f5c8ce0412e4535dc22c0dbfb14f3cb0ff35047100cb84fda59804
  • SHA512
    5447041ac5fb2f8c3c23a4f7776a81eca8128d68e7a472f3c3f1e299e9cd878b6424a7900b085c05523a65305407020ccc2f33778a432e93d172466d2d8e2728

Score
6/10

Malware Config

Signatures

  • Accesses Microsoft Outlook profiles 1 TTPs 20 IoCs
  • Drops file in System32 directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lazada Voucher Worth PHP3,500.00 ( Reference # MB-92297560 ).pdf"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://efdagjh.r.af.d.sendibt2.com/tr/cl/tdrP8MQhCGrZNr-8-33StuHwuy8Hp7Ekk_yt-VwrN55Ntjql-reZvQv7N0qpHjQ7Tl1MNwpn7XkBhsi6trw7Ej89iBNvPTpUKLVW1R1MJ5jkqw7Pjy2lwnxkPXRvaTU6pPDnhUAEWW1tqLFvEJ-cp10rZGzCBv1rpmTJUdLghgLS47R_jIqELj_pSLOODBbusxXTTJL-Q7T1_-gxt_-TODZ9dcRYwer_sTziTGD97vuILdhz-Olp83eKqYP8tcdR8uNv-a4pogPGTaM594JNe67j7gEf0xduRXWPoqwGVHrOvQoLZBDpnO5PS3mY8V-TJd-o-6nuISa2JjAGFTwzKAhwIMe-WVtlRexKe6D4RemsCiVl2-TITlogDB8k52upSHo5od-nYw0DEOxjBDMm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:564 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1912
    • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
      "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:[email protected]"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      PID:1612
    • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
      "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:[email protected]"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: AddClipboardFormatListener
      • outlook_win_path
      PID:592

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 4871e8d0b8a8f981ac21004cf96886e3
    SHA1: fd51d98747043ea831cdaecf5f1eae75353e5ceb
    SHA256: 56797b92b606bbd1be7ead7c9078ec4b83ea49764b76d5998bc7758a537dfebe
    SHA512: 537e8f0d17f8f1cbd201246328f25849963bdd6b5de3be4a73934ef8a72519048c822cc1d668a4b466bb96a22a6b548551774924f5dcf97e2bf0ddcd13d2b199

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\shpg9mq\imagestore.dat
    Filesize: 5KB
    MD5: fe3cda3ff9fe0bed872939df0bce1504
    SHA1: 2db4d3d91572b6b22c8db3e338f6322679048b4f
    SHA256: 707479f1ed9043a3347cb93da03488f27077d25346d31f5ed5358b10f72c1b4f
    SHA512: cf333a89c9b570284a246f3279a91e8cabeef3ae9b4a48abc2507997e91a40f7fe849545e30e1ac9ab5276d5126d4332121af80f6670a57606ae0a7997a460c6

  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
    Filesize: 1KB
    MD5: 48dd6cae43ce26b992c35799fcd76898
    SHA1: 8e600544df0250da7d634599ce6ee50da11c0355
    SHA256: 7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
    SHA512: c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

  • C:\Users\Admin\AppData\Local\Temp\outlook logging\firstrun.log
    Filesize: 82B
    MD5: f43527e42c88329e3685abcb7d38c425
    SHA1: 27134e26a4ea5f5143ac94f8ca084f1b36656c69
    SHA256: bb3f6795de102cd1fe84e42a12ceb2832753c5be383967db1b51ca2c722ef347
    SHA512: 42bbbf1e159aebf05e5fbff322fffc3284b3cd28ce884073e005f685e7c939d9548fa7277864a162e37f80fa4a55a32b5c8e4256a544114a6b35cd862c2cf23c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JAOGBACM.txt
    Filesize: 608B
    MD5: 8ba5188a672c666553287bd61ad374dd
    SHA1: 5f578aae9fa9431b0420d141a152deba7317a845
    SHA256: 8209c2520dfec4f36783661156e6e15c7f2ea5e7e35ab1ec726f6967420bb97a
    SHA512: 87dd2be04602c6035317f582ff01ae2087dd2a08302c383857481a72eb81bcbfc236b98fb64f9a85503d53ec6b780d0d3f74bb4b64860ba06048bc36b44a94a9

  • memory/592-63-0x0000000000000000-mapping.dmp
  • memory/592-68-0x000000006F05D000-0x000000006F068000-memory.dmp
    Filesize: 44KB
  • memory/592-65-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB
  • memory/592-64-0x000000006E071000-0x000000006E073000-memory.dmp
    Filesize: 8KB
  • memory/1612-57-0x000000006E091000-0x000000006E093000-memory.dmp
    Filesize: 8KB
  • memory/1612-60-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB
  • memory/1612-59-0x000000006F07D000-0x000000006F088000-memory.dmp
    Filesize: 44KB
  • memory/1612-58-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB
  • memory/1612-56-0x0000000000000000-mapping.dmp
  • memory/1876-54-0x00000000763D1000-0x00000000763D3000-memory.dmp
    Filesize: 8KB