7e0074c50d305669f28e6e06290c157284ea281c27afa52a3e3a35ad0cf59753

General

Target

ACH-Payment-Settlement.pdf
Size

10KB
MD5

1b3050166d96ad9fee0c5482fdb61c6d
SHA1

ae8044fd0253843a4411f9ee8c92f1eda4a6c18e
SHA256

7e0074c50d305669f28e6e06290c157284ea281c27afa52a3e3a35ad0cf59753
SHA512

b3441f798a96fbb772fc3f4afe970a33d6c9256f06f464f8867acfe1acc69587e5fedba82f8d80b58a279f57230418eeded911e9c0765022a52c3a4593ece605
SSDEEP

192:fY7y29gcpUVltHFHYpPvPrZm9eN82I3uC6hSkbtO:bcp6ltHF4pk9eHwuCUS/

Score

6^/10

collection

Malware Config

Signatures

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

OUTLOOK.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

Drops file in System32 directory 14 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

OUTLOOK.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000e4cddc3a52891b618abfabc9236c47fb0cf588090015e760ed56041fc38e8de6000000000e800000000200002000000077f027c3bad0e907a4490fd1811a12b473fb34fb758b2fda21e0da5132cc5a01200000002b3b4742678ee7422f1938dc52ac2ea90860f1fd280a1a4fb1908305a2f76dd040000000ca8f2dfb6d0700922c116b5aa1912e82dd0d0f75cc9ad028ff0f547d86616bb4ee6cdc0018cd970a6fe743a2fb22c9b66af10413c8578434635c184ba2c17565	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b02af38777e9d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AB887AC1-556A-11ED-A23F-FE41811C61F5} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373580191"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000a0cbdab16f6beb2dc8fae331c1a4426e821ea1367af4a677b525ecfd0aceeee4000000000e8000000002000020000000e2852c88b7a35af91e72b9dca98aae47c17be86e563f42b3d2ed58bc2e2cbf2a900000006bdcee7e9bf162746cb96c25b495dc8486c6c248c8d0fff55d77809d98d412da4c663d50ee23ab0aa11b3cf049721dc1e29c33748b96032d46c2687768ad8b63d87192721a9bef40d67ef4a445d43b6583dcd24358c593e372ca9cad627003d5266041425fd029f4dc94afe976967e8402773c160ca2e63c28ae8f27531109b1a49080a5cb8b5abca01ba938533970454000000050909389cb20ee32b58ff577bdee9abcced724a666be24925f5d8ff2e1f695d837193b6f8fb49683763c90bd3aac79f8cf4a3df8d7e90ebdcfdfde7c8c00976b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

OUTLOOK.EXE

pid process

1096 OUTLOOK.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1376 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

560 iexplore.exe

pid	process
1096	OUTLOOK.EXE

pid	process
560	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXEOUTLOOK.EXE

pid	process
1376	AcroRd32.exe
1376	AcroRd32.exe
1376	AcroRd32.exe
1376	AcroRd32.exe
560	iexplore.exe
560	iexplore.exe
1476	IEXPLORE.EXE
1476	IEXPLORE.EXE
1096	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 1376 wrote to memory of 1096	1376	AcroRd32.exe	OUTLOOK.EXE
PID 1376 wrote to memory of 1096	1376	AcroRd32.exe	OUTLOOK.EXE
PID 1376 wrote to memory of 1096	1376	AcroRd32.exe	OUTLOOK.EXE
PID 1376 wrote to memory of 1096	1376	AcroRd32.exe	OUTLOOK.EXE
PID 1376 wrote to memory of 1096	1376	AcroRd32.exe	OUTLOOK.EXE
PID 1376 wrote to memory of 1096	1376	AcroRd32.exe	OUTLOOK.EXE
PID 1376 wrote to memory of 1096	1376	AcroRd32.exe	OUTLOOK.EXE
PID 1376 wrote to memory of 1096	1376	AcroRd32.exe	OUTLOOK.EXE
PID 1376 wrote to memory of 1096	1376	AcroRd32.exe	OUTLOOK.EXE
PID 1376 wrote to memory of 560	1376	AcroRd32.exe	iexplore.exe
PID 1376 wrote to memory of 560	1376	AcroRd32.exe	iexplore.exe
PID 1376 wrote to memory of 560	1376	AcroRd32.exe	iexplore.exe
PID 1376 wrote to memory of 560	1376	AcroRd32.exe	iexplore.exe
PID 560 wrote to memory of 1476	560	iexplore.exe	IEXPLORE.EXE
PID 560 wrote to memory of 1476	560	iexplore.exe	IEXPLORE.EXE
PID 560 wrote to memory of 1476	560	iexplore.exe	IEXPLORE.EXE
PID 560 wrote to memory of 1476	560	iexplore.exe	IEXPLORE.EXE

outlook_win_path 1 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ACH-Payment-Settlement.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:[email protected]"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - outlook_win_path
  PID:1096
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://vk.sv/OnAJKD
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:560 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
37ac3f4b15131fefe231812cc9b153f6

SHA1
236710b1d9f8ac0e74bfd43bc111a6dad2aee8e4

SHA256
4009d380265bde9ba73dc423f65a9cfef81b9c7cc3d0c598181235036db3d792

SHA512
3857b9478ab2e4c45e92a41639e5109e2ce28cf1adfd3b18e1f13c11700a58d891cbed8f777e9679ed9f84d818e0b4a1cf31f263b381c3e75e09db379891b4e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\61V5TXLI.txt

Filesize
606B

MD5
4d24d3d6dc22ba8b2e1c523cc8358d44

SHA1
12de922f048d92522f3a7d35511013d352ea8aca

SHA256
b21eb32da3289bd6dd05ecc2fad48411e162d91d2b20ac0757f1671574f1d93b

SHA512
04cde458905508fef82175ca3d8de21b7ffd431543a34f684e3cf61f31e5f8fbb867254b9e2f15a4943f1274adf1c92f7b3a54d40065c55b3fa53b5075657ffe

Download Submit
memory/1096-55-0x0000000000000000-mapping.dmp

Download
memory/1096-56-0x0000000070CE1000-0x0000000070CE3000-memory.dmp

Filesize
8KB

Download
memory/1096-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1096-59-0x0000000071CCD000-0x0000000071CD8000-memory.dmp

Filesize
44KB

Download
memory/1376-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads