Analysis
-
max time kernel
34s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
26-05-2023 11:10
Static task
static1
Behavioral task
behavioral1
Sample
ACCOUNT PENDING DUE TO BUSINESS LIMIT £30.00 Elizabeth.Kelly440@ntlworld.com GBP.eml
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
ACCOUNT PENDING DUE TO BUSINESS LIMIT £30.00 Elizabeth.Kelly440@ntlworld.com GBP.eml
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
email-html-2.txt
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
email-html-2.txt
Resource
win10v2004-20230220-en
Behavioral task
behavioral5
Sample
email-plain-1.txt
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
email-plain-1.txt
Resource
win10v2004-20230220-en
General
-
Target
ACCOUNT PENDING DUE TO BUSINESS LIMIT £30.00 Elizabeth.Kelly440@ntlworld.com GBP.eml
-
Size
90KB
-
MD5
6e3d09d33d989f874f02f391dc20ef9c
-
SHA1
d3cced2fc02dd67afbc09777f2ce3676203b4be8
-
SHA256
2fe9279529ce707c7bddca0a77ddcd51cebc8a23d8342c5b13c12df55476f5f7
-
SHA512
4e238387565f9d6d5f14f3bb2b691bee327946e5fa5b1dba84a45dc92dd22f1decb40467026fbce90224cb7d75af0b2cf198ecf63f85a2b85d90de8b62819824
-
SSDEEP
192:rLS/92rZ/gZrasGJILKbXKQI4g+KfjA2ORuEOydOOTO9AbhhdqsoO1dFJOnOOI4t:rLtjBRP3WFAhjnK
Malware Config
Signatures
-
Drops file in System32 directory 14 IoCs
Processes:
OUTLOOK.EXEdescription ioc process File created C:\Windows\system32\perfc009.dat OUTLOOK.EXE File created C:\Windows\system32\perfc00A.dat OUTLOOK.EXE File created C:\Windows\system32\perfh00A.dat OUTLOOK.EXE File created C:\Windows\system32\perfh010.dat OUTLOOK.EXE File created C:\Windows\system32\perfc007.dat OUTLOOK.EXE File created C:\Windows\system32\perfc010.dat OUTLOOK.EXE File created C:\Windows\system32\perfh011.dat OUTLOOK.EXE File created C:\Windows\SysWOW64\PerfStringBackup.TMP OUTLOOK.EXE File created C:\Windows\system32\perfc00C.dat OUTLOOK.EXE File created C:\Windows\system32\perfh00C.dat OUTLOOK.EXE File created C:\Windows\system32\perfc011.dat OUTLOOK.EXE File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI OUTLOOK.EXE File created C:\Windows\system32\perfh007.dat OUTLOOK.EXE File created C:\Windows\system32\perfh009.dat OUTLOOK.EXE -
Drops file in Windows directory 3 IoCs
Processes:
OUTLOOK.EXEdescription ioc process File created C:\Windows\inf\Outlook\outlperf.h OUTLOOK.EXE File opened for modification C:\Windows\inf\Outlook\outlperf.h OUTLOOK.EXE File created C:\Windows\inf\Outlook\0009\outlperf.ini OUTLOOK.EXE -
Processes:
OUTLOOK.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote OUTLOOK.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" OUTLOOK.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" OUTLOOK.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" OUTLOOK.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" OUTLOOK.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt OUTLOOK.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel OUTLOOK.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" OUTLOOK.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar OUTLOOK.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
OUTLOOK.EXEpid process 960 OUTLOOK.EXE
Processes
-
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXEC:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\ACCOUNT PENDING DUE TO BUSINESS LIMIT £30.00 Elizabeth.Kelly440@ntlworld.com GBP.eml"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener