Analysis
-
max time kernel
115s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
05/06/2023, 07:27
Static task
static1
Behavioral task
behavioral1
Sample
phish_alert_sp2_2.0.0.0.eml
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
phish_alert_sp2_2.0.0.0.eml
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
email-html-1.html
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
email-html-1.html
Resource
win10v2004-20230220-en
General
-
Target
phish_alert_sp2_2.0.0.0.eml
-
Size
8KB
-
MD5
9a84fdd3cddf477862e5511e62ff0868
-
SHA1
524d21890241f79862ba6ffbd3fea0f443785310
-
SHA256
f275ae8f79e23f56779559534a292f877725a43893dab8b8d1d9a872ef261a33
-
SHA512
ed0e8cbf514970441a4e10b35fe766812dbb8632e0fecdb2a318bd097b4c4e6f7f63e5d69df7d34761ecc96a3d990273aeaa72f04e1ec24f6783564944ae244e
-
SSDEEP
192:t108yXW7p1NQ6V500RT1Y4j7mfI5lrhPIOxG8t:t108yXW7pX9V500Nt7melF1G8t
Malware Config
Signatures
-
Drops file in System32 directory 14 IoCs
description ioc Process File created C:\Windows\system32\perfh00A.dat OUTLOOK.EXE File created C:\Windows\system32\perfc00C.dat OUTLOOK.EXE File created C:\Windows\system32\perfh00C.dat OUTLOOK.EXE File created C:\Windows\system32\perfc011.dat OUTLOOK.EXE File created C:\Windows\system32\perfh009.dat OUTLOOK.EXE File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI OUTLOOK.EXE File created C:\Windows\system32\perfc009.dat OUTLOOK.EXE File created C:\Windows\system32\perfc00A.dat OUTLOOK.EXE File created C:\Windows\system32\perfh007.dat OUTLOOK.EXE File created C:\Windows\system32\perfc007.dat OUTLOOK.EXE File created C:\Windows\system32\perfc010.dat OUTLOOK.EXE File created C:\Windows\system32\perfh010.dat OUTLOOK.EXE File created C:\Windows\system32\perfh011.dat OUTLOOK.EXE File created C:\Windows\SysWOW64\PerfStringBackup.TMP OUTLOOK.EXE -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\inf\Outlook\outlperf.h OUTLOOK.EXE File opened for modification C:\Windows\inf\Outlook\outlperf.h OUTLOOK.EXE File created C:\Windows\inf\Outlook\0009\outlperf.ini OUTLOOK.EXE -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" OUTLOOK.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt OUTLOOK.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" OUTLOOK.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel OUTLOOK.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" OUTLOOK.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar OUTLOOK.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote OUTLOOK.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" OUTLOOK.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" OUTLOOK.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2040 OUTLOOK.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2040 OUTLOOK.EXE
Processes
-
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXEC:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0.eml"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:2040