Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-01-2023 19:32

General

  • Target

    identify and remediate data privacy concerns Shawn.msg

  • Size

    47KB

  • MD5

    ac02eed83496413011bdb7a080e0fe1b

  • SHA1

    cd51eaa00453f1532a94c818cb8de6a8c98eaa8e

  • SHA256

    d94e396c828a69305d0cbc45d4c401dbcee5fbf72cc11a1869c515ffd3de5801

  • SHA512

    5468a0125a3e0f6263d8538b9a1f8b48a15fbcd095c935ab51fe2a5aa7497d161dde4246192b278413a60bdf8c142be63f50137ab4219a17f85efb7c5493d4b6

  • SSDEEP

    768:tPdwfSktvMCPn8iqd2WsKHWsKgEuBv99KsFdA4eil:tP6fSktF/RtWPWxuBS

Score
6/10

Malware Config

Signatures

  • Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs
  • Drops file in System32 directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\identify and remediate data privacy concerns Shawn.msg"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_win_path
    PID:2008
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://nam11.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftrack.join-breakwatersolutions.com%2Fu%2FeJwNzEESgyAMAMDXyDFDIBA4cOhTMKB2RmtbsLa_r5c9bkl29EKW1T2hZ-OZL7QB7xANoLbReUMmasuRA4bAA-m29ed8gqx7qyD7ppY0ZSo1UyAfqUZ2Yym1kBQmhzyhqHdqSz4fsInkY62_q-lSX9DrNzeY94_qaTC3PwWKKh8&data=05%7C01%7Cshawn.mccauley%40tceq.texas.gov%7Cfd45392b4b5e437302b608daece04952%7C871a83a4a1ce4b7a81563bcd93a08fba%7C0%7C0%7C638082745461686196%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=bOYQFCpOK%2BSooNmCQeCJrOtA%2BE7jRrc9Q%2BqTrn8DQzk%3D&reserved=0
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:428
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:428 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1128

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    340B

    MD5

    1be9c43450df748c491572a2096609b7

    SHA1

    f4fdc3d0a832a02ab049b28f39e3324b0fbf41e4

    SHA256

    c4e05186f22e1d698ea28e31b288055081b7c09fae3a8318870e3da06c81d5ac

    SHA512

    eeb3ed913b043c7841d0ee9c2cdb5aa26a486c311bbb476c240bd11bf9c1858ae9ee39f892532bc0bf53984c0ec0caf4c1b6979e7c992f2804e53318fac859b5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M5FQINCA.txt

    Filesize

    600B

    MD5

    4e7a9d04a9204be03b6a0034afbb1568

    SHA1

    49ac2221cb18c7d08ca9212fe889d0c05fe28769

    SHA256

    ba3f8a22f3913cf04ee742f72b73d7783dbf973f96c1641ac2584d1633b24ca4

    SHA512

    cd2fe44c615ddb062a7f82bf32b67594c961b7107fb8da1d08d1ca43e9a76093a85e0ecd9b92fbd99891767f535c50da50098be79fc979d065889bdafe082440

  • memory/2008-54-0x0000000072AD1000-0x0000000072AD3000-memory.dmp

    Filesize

    8KB

  • memory/2008-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2008-56-0x0000000073ABD000-0x0000000073AC8000-memory.dmp

    Filesize

    44KB

  • memory/2008-57-0x00000000761F1000-0x00000000761F3000-memory.dmp

    Filesize

    8KB