fe0a96654d43e0634cbb1075f940edc4e3a85c6d937b7c54210b148073e24668

General

Target

194a8080-5558-6ace-b9fc-6a9e6e5abb60.eml
Size

25KB
MD5

eeb95d541588ea59405bc30861245eb6
SHA1

57df10224dbcc8bdf6296963c710b51162818708
SHA256

fe0a96654d43e0634cbb1075f940edc4e3a85c6d937b7c54210b148073e24668
SHA512

6ade4b7ada3bb9c1e404de564765911cf3acfd8c8aa9958bef98d00cf0d03ee0634534ca914a87e8474b10caff5332daf51f04327dd069a576fb9b4001540d3f
SSDEEP

768:b6Vs0WASKaED2ya1sc4a8YfMZ4sa8YfShWa8YfSy2afBu1wYauXaCaafBux:b6VvSKaEK96U+

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1232	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1232	OUTLOOK.EXE

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\194a8080-5558-6ace-b9fc-6a9e6e5abb60.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
6190fc2d2e8928f2a4c53cc4c64ab66e

SHA1
2e8ee72875483f901f9964ffbe93e367dff7408f

SHA256
04c3db226e371f7085c89088f2ec8aff9376fe3f1e6ecd64c9f52263cd49b9a8

SHA512
3ec7f36d121ac6f89776424687354fb25835710fcb7ba8bd1e8891df75878c773056dd6938451d67f3e7caa13b5632ce501cefd5effdf1422db3bbe276155be1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
99ffc72353b3dddcbeff87d6671105b4

SHA1
09c59dc59e01d56d695931cf10f8a7f8eb61aca2

SHA256
2d8139c18d6679539ae127d2fae1eb840835d4ab674523006515117f3b6be6bb

SHA512
f7e5cd5e11c33e0484986c3d43f94fa9a9e0ba64598b948c410d397734071223c9cf4569a0efc99f69f38e5164a3e439a277333c4866298d7da01938ef4daff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
99ffc72353b3dddcbeff87d6671105b4

SHA1
09c59dc59e01d56d695931cf10f8a7f8eb61aca2

SHA256
2d8139c18d6679539ae127d2fae1eb840835d4ab674523006515117f3b6be6bb

SHA512
f7e5cd5e11c33e0484986c3d43f94fa9a9e0ba64598b948c410d397734071223c9cf4569a0efc99f69f38e5164a3e439a277333c4866298d7da01938ef4daff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
99ffc72353b3dddcbeff87d6671105b4

SHA1
09c59dc59e01d56d695931cf10f8a7f8eb61aca2

SHA256
2d8139c18d6679539ae127d2fae1eb840835d4ab674523006515117f3b6be6bb

SHA512
f7e5cd5e11c33e0484986c3d43f94fa9a9e0ba64598b948c410d397734071223c9cf4569a0efc99f69f38e5164a3e439a277333c4866298d7da01938ef4daff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
memory/1232-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing