984d81d0eec2086985364a9f190a5a575e31740b171fb136e2e75a17c2ffde86

General

Target

recoverytoolboxforoutlookpasswordinstall.exe
Size

839KB
MD5

bcd11ebbaa06f6f3df4f84959f5b835d
SHA1

17bf8a8f06bc5edc9b76cfa38011baee0d413c80
SHA256

984d81d0eec2086985364a9f190a5a575e31740b171fb136e2e75a17c2ffde86
SHA512

4680186092ebe9b6a71e46a57c8382e5c83c7effad73b83887d1aebd4090e394dea748cc1fb9ea8a94ffaf1a3bc79c25f2e9aaa0ec9072c24f4fb038f7897a34
SSDEEP

24576:22UxSjabHuEXe4Sm3laMMuV4/V+8YaXav:22ou/ilD62aS

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

recoverytoolboxforoutlookpasswordinstall.tmpRecoveryToolBoxForOutlookPassword.exe

pid process

4180 recoverytoolboxforoutlookpasswordinstall.tmp
4860 RecoveryToolBoxForOutlookPassword.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4180	recoverytoolboxforoutlookpasswordinstall.tmp
4860	RecoveryToolBoxForOutlookPassword.exe

Drops file in Program Files directory 8 IoCs

Processes:

recoverytoolboxforoutlookpasswordinstall.tmpRecoveryToolBoxForOutlookPassword.exe

description	ioc	process
File created	C:\Program Files (x86)\Recovery ToolBox for Outlook Password\is-9KBUA.tmp	recoverytoolboxforoutlookpasswordinstall.tmp
File opened for modification	C:\Program Files (x86)\Recovery ToolBox for Outlook Password\unins000.dat	recoverytoolboxforoutlookpasswordinstall.tmp
File created	C:\Program Files (x86)\Recovery ToolBox for Outlook Password\Err.log	RecoveryToolBoxForOutlookPassword.exe
File created	C:\Program Files (x86)\Recovery ToolBox for Outlook Password\sss.txt	RecoveryToolBoxForOutlookPassword.exe
File created	C:\Program Files (x86)\Recovery ToolBox for Outlook Password\unins000.dat	recoverytoolboxforoutlookpasswordinstall.tmp
File created	C:\Program Files (x86)\Recovery ToolBox for Outlook Password\is-CARJP.tmp	recoverytoolboxforoutlookpasswordinstall.tmp
File created	C:\Program Files (x86)\Recovery ToolBox for Outlook Password\is-SD3FK.tmp	recoverytoolboxforoutlookpasswordinstall.tmp
File created	C:\Program Files (x86)\Recovery ToolBox for Outlook Password\is-QOCM1.tmp	recoverytoolboxforoutlookpasswordinstall.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 40 IoCs

Processes:

RecoveryToolBoxForOutlookPassword.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	RecoveryToolBoxForOutlookPassword.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	RecoveryToolBoxForOutlookPassword.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	RecoveryToolBoxForOutlookPassword.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	RecoveryToolBoxForOutlookPassword.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	RecoveryToolBoxForOutlookPassword.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	RecoveryToolBoxForOutlookPassword.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	RecoveryToolBoxForOutlookPassword.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	RecoveryToolBoxForOutlookPassword.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	RecoveryToolBoxForOutlookPassword.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	RecoveryToolBoxForOutlookPassword.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	RecoveryToolBoxForOutlookPassword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	RecoveryToolBoxForOutlookPassword.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	RecoveryToolBoxForOutlookPassword.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	RecoveryToolBoxForOutlookPassword.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 98003100000000008156aa4b110050524f4752417e320000800009000400efbe874fdb498156aa4b2e000000c304000000000100000000000000000056000000000082e29a00500072006f006700720061006d002000460069006c0065007300200028007800380036002900000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003700000018000000	RecoveryToolBoxForOutlookPassword.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	RecoveryToolBoxForOutlookPassword.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	RecoveryToolBoxForOutlookPassword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	RecoveryToolBoxForOutlookPassword.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 94003100000000008156ab4b10005245434f56457e3100007c0009000400efbe8156aa4b8156b44b2e000000a36201000000050000000000000000000000000000007dfaad005200650063006f007600650072007900200054006f006f006c0042006f007800200066006f00720020004f00750074006c006f006f006b002000500061007300730077006f0072006400000018000000	RecoveryToolBoxForOutlookPassword.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	RecoveryToolBoxForOutlookPassword.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	RecoveryToolBoxForOutlookPassword.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	RecoveryToolBoxForOutlookPassword.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	RecoveryToolBoxForOutlookPassword.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	RecoveryToolBoxForOutlookPassword.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	RecoveryToolBoxForOutlookPassword.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	RecoveryToolBoxForOutlookPassword.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	RecoveryToolBoxForOutlookPassword.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	RecoveryToolBoxForOutlookPassword.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	RecoveryToolBoxForOutlookPassword.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	RecoveryToolBoxForOutlookPassword.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	RecoveryToolBoxForOutlookPassword.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	RecoveryToolBoxForOutlookPassword.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	RecoveryToolBoxForOutlookPassword.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	RecoveryToolBoxForOutlookPassword.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	RecoveryToolBoxForOutlookPassword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	RecoveryToolBoxForOutlookPassword.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	RecoveryToolBoxForOutlookPassword.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	RecoveryToolBoxForOutlookPassword.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	RecoveryToolBoxForOutlookPassword.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	RecoveryToolBoxForOutlookPassword.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RecoveryToolBoxForOutlookPassword.exe

pid process

4860 RecoveryToolBoxForOutlookPassword.exe
4860 RecoveryToolBoxForOutlookPassword.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RecoveryToolBoxForOutlookPassword.exe

pid process

4860 RecoveryToolBoxForOutlookPassword.exe

pid	process
4860	RecoveryToolBoxForOutlookPassword.exe
4860	RecoveryToolBoxForOutlookPassword.exe

pid	process
4860	RecoveryToolBoxForOutlookPassword.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

recoverytoolboxforoutlookpasswordinstall.exerecoverytoolboxforoutlookpasswordinstall.tmp

description	pid	process	target process
PID 4272 wrote to memory of 4180	4272	recoverytoolboxforoutlookpasswordinstall.exe	recoverytoolboxforoutlookpasswordinstall.tmp
PID 4272 wrote to memory of 4180	4272	recoverytoolboxforoutlookpasswordinstall.exe	recoverytoolboxforoutlookpasswordinstall.tmp
PID 4272 wrote to memory of 4180	4272	recoverytoolboxforoutlookpasswordinstall.exe	recoverytoolboxforoutlookpasswordinstall.tmp
PID 4180 wrote to memory of 4860	4180	recoverytoolboxforoutlookpasswordinstall.tmp	RecoveryToolBoxForOutlookPassword.exe
PID 4180 wrote to memory of 4860	4180	recoverytoolboxforoutlookpasswordinstall.tmp	RecoveryToolBoxForOutlookPassword.exe
PID 4180 wrote to memory of 4860	4180	recoverytoolboxforoutlookpasswordinstall.tmp	RecoveryToolBoxForOutlookPassword.exe

C:\Users\Admin\AppData\Local\Temp\recoverytoolboxforoutlookpasswordinstall.exe
"C:\Users\Admin\AppData\Local\Temp\recoverytoolboxforoutlookpasswordinstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Users\Admin\AppData\Local\Temp\is-5I2FQ.tmp\recoverytoolboxforoutlookpasswordinstall.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5I2FQ.tmp\recoverytoolboxforoutlookpasswordinstall.tmp" /SL5="$D002C,616334,53248,C:\Users\Admin\AppData\Local\Temp\recoverytoolboxforoutlookpasswordinstall.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4180

C:\Program Files (x86)\Recovery ToolBox for Outlook Password\RecoveryToolBoxForOutlookPassword.exe
"C:\Program Files (x86)\Recovery ToolBox for Outlook Password\RecoveryToolBoxForOutlookPassword.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Recovery ToolBox for Outlook Password\RecoveryToolBoxForOutlookPassword.exe
Filesize
559KB

MD5
50cdf6ec022c7ee1110110fa5d521527

SHA1
65c284e03691acb3464abefafcae0c3737289a08

SHA256
8ba4440c117bbc4d0925fe6d7d24f32cc404ab0ed2c1d277c1090ce3aa5f3d6f

SHA512
e28d80aa39ab8d737614e6e1180460db6d3a129ea1014c97908bcf5d204c480c5eea94246c693395e3294a6f7cce779eab59dc3a8711618786e1702ce5563d56

Download Submit
C:\Program Files (x86)\Recovery ToolBox for Outlook Password\RecoveryToolboxForOutlookPassword.exe
Filesize
559KB

MD5
50cdf6ec022c7ee1110110fa5d521527

SHA1
65c284e03691acb3464abefafcae0c3737289a08

SHA256
8ba4440c117bbc4d0925fe6d7d24f32cc404ab0ed2c1d277c1090ce3aa5f3d6f

SHA512
e28d80aa39ab8d737614e6e1180460db6d3a129ea1014c97908bcf5d204c480c5eea94246c693395e3294a6f7cce779eab59dc3a8711618786e1702ce5563d56

Download Submit
C:\Program Files (x86)\Recovery ToolBox for Outlook Password\RecoveryToolboxForOutlookPassword.exe
Filesize
559KB

MD5
50cdf6ec022c7ee1110110fa5d521527

SHA1
65c284e03691acb3464abefafcae0c3737289a08

SHA256
8ba4440c117bbc4d0925fe6d7d24f32cc404ab0ed2c1d277c1090ce3aa5f3d6f

SHA512
e28d80aa39ab8d737614e6e1180460db6d3a129ea1014c97908bcf5d204c480c5eea94246c693395e3294a6f7cce779eab59dc3a8711618786e1702ce5563d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5I2FQ.tmp\recoverytoolboxforoutlookpasswordinstall.tmp
Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5I2FQ.tmp\recoverytoolboxforoutlookpasswordinstall.tmp
Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
memory/4180-179-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4180-150-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4180-146-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4180-144-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4272-145-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4272-133-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4272-180-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4860-181-0x00000000024E0000-0x00000000024E2000-memory.dmp

Filesize
8KB

Download
memory/4860-183-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/4860-184-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4860-186-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/4860-185-0x00000000023C0000-0x00000000023C3000-memory.dmp

Filesize
12KB

Download
memory/4860-187-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/4860-189-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/4860-193-0x0000000000400000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads