Analysis
-
max time kernel
150s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220331-en -
submitted
11-04-2022 10:41
Behavioral task
behavioral1
Sample
1abde26b9be3f80a014e6cbca07d2662b322e5c306af881b9100f6cd6fd3ecc1.pdf
Resource
win7-20220331-en
Behavioral task
behavioral2
Sample
1abde26b9be3f80a014e6cbca07d2662b322e5c306af881b9100f6cd6fd3ecc1.pdf
Resource
win10v2004-20220331-en
General
-
Target
1abde26b9be3f80a014e6cbca07d2662b322e5c306af881b9100f6cd6fd3ecc1.pdf
-
Size
4KB
-
MD5
2351878a18e1c532299a59727a0f7257
-
SHA1
c3c864d0ddeca3c793a88f075b56bcddf75e09e4
-
SHA256
1abde26b9be3f80a014e6cbca07d2662b322e5c306af881b9100f6cd6fd3ecc1
-
SHA512
351b70d20a3bbc4e7c70afe095d74c9f761ba87a9948b95c1afc71e6ea0aefa9bc2304ada22932d73e340fbd9402046cef6c6f98c521a2b1566a63fa0a71325a
Malware Config
Signatures
-
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
Processes:
OUTLOOK.EXEdescription ioc process Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook OUTLOOK.EXE Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 OUTLOOK.EXE Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 OUTLOOK.EXE Key opened \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook OUTLOOK.EXE Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook OUTLOOK.EXE -
Drops file in System32 directory 14 IoCs
Processes:
OUTLOOK.EXEdescription ioc process File created C:\Windows\system32\perfc00C.dat OUTLOOK.EXE File created C:\Windows\system32\perfh00C.dat OUTLOOK.EXE File created C:\Windows\system32\perfc007.dat OUTLOOK.EXE File created C:\Windows\system32\perfc00A.dat OUTLOOK.EXE File created C:\Windows\system32\perfh011.dat OUTLOOK.EXE File created C:\Windows\system32\perfc009.dat OUTLOOK.EXE File created C:\Windows\system32\perfh009.dat OUTLOOK.EXE File created C:\Windows\system32\perfh00A.dat OUTLOOK.EXE File created C:\Windows\system32\perfc010.dat OUTLOOK.EXE File created C:\Windows\system32\perfh010.dat OUTLOOK.EXE File created C:\Windows\SysWOW64\PerfStringBackup.TMP OUTLOOK.EXE File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI OUTLOOK.EXE File created C:\Windows\system32\perfh007.dat OUTLOOK.EXE File created C:\Windows\system32\perfc011.dat OUTLOOK.EXE -
Drops file in Windows directory 3 IoCs
Processes:
OUTLOOK.EXEdescription ioc process File created C:\Windows\inf\Outlook\outlperf.h OUTLOOK.EXE File opened for modification C:\Windows\inf\Outlook\outlperf.h OUTLOOK.EXE File created C:\Windows\inf\Outlook\0009\outlperf.ini OUTLOOK.EXE -
Processes:
OUTLOOK.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\MenuExt OUTLOOK.EXE Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote OUTLOOK.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" OUTLOOK.EXE Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel OUTLOOK.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" OUTLOOK.EXE Key created \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Toolbar OUTLOOK.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" OUTLOOK.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" OUTLOOK.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" OUTLOOK.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
OUTLOOK.EXEpid process 972 OUTLOOK.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
OUTLOOK.EXEpid process 972 OUTLOOK.EXE -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
AcroRd32.exepid process 1752 AcroRd32.exe 1752 AcroRd32.exe 1752 AcroRd32.exe 1752 AcroRd32.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
AcroRd32.exedescription pid process target process PID 1752 wrote to memory of 972 1752 AcroRd32.exe OUTLOOK.EXE PID 1752 wrote to memory of 972 1752 AcroRd32.exe OUTLOOK.EXE PID 1752 wrote to memory of 972 1752 AcroRd32.exe OUTLOOK.EXE PID 1752 wrote to memory of 972 1752 AcroRd32.exe OUTLOOK.EXE PID 1752 wrote to memory of 972 1752 AcroRd32.exe OUTLOOK.EXE PID 1752 wrote to memory of 972 1752 AcroRd32.exe OUTLOOK.EXE PID 1752 wrote to memory of 972 1752 AcroRd32.exe OUTLOOK.EXE PID 1752 wrote to memory of 972 1752 AcroRd32.exe OUTLOOK.EXE PID 1752 wrote to memory of 972 1752 AcroRd32.exe OUTLOOK.EXE -
outlook_win_path 1 IoCs
Processes:
OUTLOOK.EXEdescription ioc process Key queried \REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook OUTLOOK.EXE
Processes
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1abde26b9be3f80a014e6cbca07d2662b322e5c306af881b9100f6cd6fd3ecc1.pdf"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:test%25../../../../../../../../windows/system32/calc.exe%22.cmd"2⤵
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- outlook_win_path
PID:972
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/972-55-0x0000000000000000-mapping.dmp
-
memory/972-56-0x00000000711B1000-0x00000000711B3000-memory.dmpFilesize
8KB
-
memory/972-57-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/972-58-0x000000007219D000-0x00000000721A8000-memory.dmpFilesize
44KB
-
memory/1752-54-0x0000000075541000-0x0000000075543000-memory.dmpFilesize
8KB