Resubmissions

22-01-2023 19:41

230122-yeeybshe98 10

22-01-2023 19:30

230122-x716lahe43 8

22-01-2023 19:26

230122-x5qxvabd3t 6

Analysis

  • max time kernel
    696s
  • max time network
    686s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-01-2023 19:30

General

  • Target

    phish_alert_sp2_2.0.0.0.eml

  • Size

    12KB

  • MD5

    a0a1d3029c6ef7f44fe7112bb59ea881

  • SHA1

    b0bf8bf1de9209b87190a4dc2d267de72685bc27

  • SHA256

    694adfef602d2ea796b3feac4cfe9ebdc0dbeb0daaee501b76df53ce0260ad6c

  • SHA512

    f1fabfa69533b20ec65bf14a3048f63f6fbf13c85e1e153b26e7b74d1111a3e916ee832ed2e9ce4e4dc6b7ec9e2290322c818add3cb0aabb65e8ae6f918e3ec6

  • SSDEEP

    192:ZIsmfIKrYS7R7j+Uvdb5fzJ5MVPFPDk28qldd5So7cbmflrhyF0KH:ismwKrYKRtvbfWDkYjd5Smcbmfl1C

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 63 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml
    1⤵
    • Modifies registry class
    • NTFS ADS
    PID:4996
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3924
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -url C:\Users\Admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4148
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4148.0.1397110347\920369573" -parentBuildID 20200403170909 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 1 -prefMapSize 220117 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4148 "\\.\pipe\gecko-crash-server-pipe.4148" 1780 gpu
          4⤵
            PID:3180
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4148.3.187203630\1252029064" -childID 1 -isForBrowser -prefsHandle 2492 -prefMapHandle 2432 -prefsLen 112 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4148 "\\.\pipe\gecko-crash-server-pipe.4148" 1552 tab
            4⤵
              PID:952
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4148.13.410855962\1621168316" -childID 2 -isForBrowser -prefsHandle 3860 -prefMapHandle 3760 -prefsLen 1602 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4148 "\\.\pipe\gecko-crash-server-pipe.4148" 3740 tab
              4⤵
                PID:4900
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4148.20.124852530\1775011544" -childID 3 -isForBrowser -prefsHandle 3872 -prefMapHandle 4080 -prefsLen 7599 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4148 "\\.\pipe\gecko-crash-server-pipe.4148" 4068 tab
                4⤵
                  PID:4700
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:232

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • System Information Discovery (T1082): 2
  • Query Registry (T1012): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml
    Filesize
    12KB
    MD5
    a0a1d3029c6ef7f44fe7112bb59ea881
    SHA1
    b0bf8bf1de9209b87190a4dc2d267de72685bc27
    SHA256
    694adfef602d2ea796b3feac4cfe9ebdc0dbeb0daaee501b76df53ce0260ad6c
    SHA512
    f1fabfa69533b20ec65bf14a3048f63f6fbf13c85e1e153b26e7b74d1111a3e916ee832ed2e9ce4e4dc6b7ec9e2290322c818add3cb0aabb65e8ae6f918e3ec6