b7fda1b99c32ccba740816ced5fc3a78c8e4f23337fd40b715e18f3864c4c4d6

General

Target

fd583930-553a-1777-aabf-24a93fc7df22.eml
Size

175KB
MD5

136e58409700f3dc1d7de4fed1ce7c09
SHA1

1d807a17e171d419b3a2f0a4ffb9c57d9314e000
SHA256

b7fda1b99c32ccba740816ced5fc3a78c8e4f23337fd40b715e18f3864c4c4d6
SHA512

b35a4a7b2ea4cfe5b0b43f1c04500f3994fd195f26d30a41ef1c477a8d8d9228132b2cd072e13a65a9be6eae4afe1f37fd85ca68a510eff3d5c0e8ab9ccc0782
SSDEEP

3072:bk+cc+O5a2nfQsgNtBxz/pDo6Rep/hCVyMf5fLxKGqk:bk+cc+hEfQ3Nlp0DhCVl5VKi

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1596	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1596	OUTLOOK.EXE

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\fd583930-553a-1777-aabf-24a93fc7df22.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
230KB

MD5
2dde7b2c361ace626787d2f33182b49b

SHA1
820899500903ec837d9dc1a4a5ae244d5f33d48e

SHA256
768b580cf18f70d263b1ebb14d403703fc7e4c22a503f1355574d966c89a9c0a

SHA512
756f7bed5d814e04a78dc6599661aee6b34e081280957e1791540695779623c83bbb7d47abdf0f9fdc534870a1236801993053d18a2b69a614d01bd4cf5c484f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
230KB

MD5
2dde7b2c361ace626787d2f33182b49b

SHA1
820899500903ec837d9dc1a4a5ae244d5f33d48e

SHA256
768b580cf18f70d263b1ebb14d403703fc7e4c22a503f1355574d966c89a9c0a

SHA512
756f7bed5d814e04a78dc6599661aee6b34e081280957e1791540695779623c83bbb7d47abdf0f9fdc534870a1236801993053d18a2b69a614d01bd4cf5c484f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
9bb83e23741cd155c10c672f500a9f5b

SHA1
47d55cb9eea20cf638b431e24aaa6437eff756a9

SHA256
9267f8a612a4219c2604323e711250dc849c82900c06df0475fbc3d1861fde21

SHA512
1463f79b823f267a4b481457efcc2bf6433852b465761622c7a3b9af285336a1207d5bbc3f06928fd89b37bfbae8b64ba1319534ad65e8cbc4b596791daf7a48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
230KB

MD5
2dde7b2c361ace626787d2f33182b49b

SHA1
820899500903ec837d9dc1a4a5ae244d5f33d48e

SHA256
768b580cf18f70d263b1ebb14d403703fc7e4c22a503f1355574d966c89a9c0a

SHA512
756f7bed5d814e04a78dc6599661aee6b34e081280957e1791540695779623c83bbb7d47abdf0f9fdc534870a1236801993053d18a2b69a614d01bd4cf5c484f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
memory/1596-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing