Analysis

  • max time kernel
    126s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/07/2023, 10:36

General

  • Target

    https://group-support.zendesk.com/attachments/token/kEMhBUhxh4JYXxKzQQmiUOIhV/?name=unnamed_attachment_3.eml

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory (14 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Modifies Internet Explorer Phishing Filter (1 TTP, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 32 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (13 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:275457 /prefetch:2
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:3000
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://group-support.zendesk.com/attachments/token/kEMhBUhxh4JYXxKzQQmiUOIhV/?name=unnamed_attachment_3.eml
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE (child of PID 2364)
      "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6WRIL45A\unnamed_attachment_3.eml"
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: AddClipboardFormatListener
      PID:2300

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    5b43671cd691d24478e98f08a7a0bcc2

    SHA1

    d4add97f1c237e0cd1d7377d9c929afa276f0565

    SHA256

    e42ba1914afa33f2c514712c4caa857a92429393b6d97e4a9ea618f6fdffe2d6

    SHA512

    7a765f7bc2731e521c3353d7140eaa8f61788fe56236dbeda8585598e34dc4dc5ad3922825bcfbd8b5e1e1d26f9fc89f97090109e35e75d671082664af783671

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

    Filesize

    240KB

    MD5

    6b037ab4fae848383a2b18f4efcf7c2c

    SHA1

    a285eaa3e1de48247f78c44014850f11d6b80f2c

    SHA256

    67f2233d7c3837f470b484f1adbb562796bdce7ab5815ead4b1cdcbdbbd11c94

    SHA512

    e7b03191ae4ba1e2fe199acdb23385c562aaf8456f5aa3854c8875e9750f79db8ef3933376e8661c113e11aae2d5cd755278c3210288c3003cb0fa5959c62218

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

    Filesize

    225KB

    MD5

    4cdcebc3cb2ae609646ae01f019a2139

    SHA1

    c632c6888db26756d5e240f14369f231e3cc30bc

    SHA256

    c82d5fd4a4d2d80dc5438520c10fd156cd0be2ee32c56f17811800bda82a18d6

    SHA512

    e6881c2e0ea2df79175adaaef6fc2ce76a9e84218d0a40b2d9a067797a079579412aed3672466f37b0d84697fd5dd27a32329beb5fe36842b63daae73053f6d9

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

    Filesize

    240KB

    MD5

    f0731d2ed10e4d04155f67a38a86bb5a

    SHA1

    1b45796edca64552abd4f8140af2c45d47713ab6

    SHA256

    de8a7ceec3c57d694f5a1969fa0fb3cd88ce0c346ad0e531c44ebb1f9b19efff

    SHA512

    6adea047cf61806d316d316af5e21324f3c9ad0c14438d3fc8bacb302bc39caaca61ea529d7cb9a0c786bcd694c0d15028e8f05fa22b74efee1f225036d999ba

  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

    Filesize

    1KB

    MD5

    48dd6cae43ce26b992c35799fcd76898

    SHA1

    8e600544df0250da7d634599ce6ee50da11c0355

    SHA256

    7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

    SHA512

    c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3VKWFGCX\unnamed_attachment_3[1].eml

    Filesize

    15KB

    MD5

    2915af1e5c096663824e9385f939cc1d

    SHA1

    fd4df4c77577ec0971b74bce673ef73898f95da4

    SHA256

    d0bcd3c54c8aabe90b04ad1c2226db0231cda55aeac4f4bdd4ec76b93d0a4e86

    SHA512

    1d5647bf983a29251f0c0c6aa04dfcc1f47f02e3a1e853eff2f689e0259f3212ef980bdc69b1a5e848d58deeaabda71ebf2e0838e6b5a0ad58a75c8f681cda1e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6WRIL45A\unnamed_attachment_3.eml.um3icbn.partial

    Filesize

    15KB

    MD5

    2915af1e5c096663824e9385f939cc1d

    SHA1

    fd4df4c77577ec0971b74bce673ef73898f95da4

    SHA256

    d0bcd3c54c8aabe90b04ad1c2226db0231cda55aeac4f4bdd4ec76b93d0a4e86

    SHA512

    1d5647bf983a29251f0c0c6aa04dfcc1f47f02e3a1e853eff2f689e0259f3212ef980bdc69b1a5e848d58deeaabda71ebf2e0838e6b5a0ad58a75c8f681cda1e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ULULORKV\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\Cab736B.tmp

    Filesize

    62KB

    MD5

    3ac860860707baaf32469fa7cc7c0192

    SHA1

    c33c2acdaba0e6fa41fd2f00f186804722477639

    SHA256

    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

    SHA512

    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

  • C:\Users\Admin\AppData\Local\Temp\Tar736E.tmp

    Filesize

    164KB

    MD5

    4ff65ad929cd9a367680e0e5b1c08166

    SHA1

    c0af0d4396bd1f15c45f39d3b849ba444233b3a2

    SHA256

    c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

    SHA512

    f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IDO8TV7H.txt

    Filesize

    601B

    MD5

    305e864799410104efcae17c70443da6

    SHA1

    df6979428f2c14ab496a9c16b7204b665c75338c

    SHA256

    31e68b84d63477adae9642e58f0f0009f5d4f740bdeb2637a1e374a6dcdd4aa9

    SHA512

    e1cf6fa6f3b57e72776399df0700686fa82a0f22b2a640fe4b69c692c86440c895092975bdbd75bbd77125e2d2a2792bbc5128710fe197517fccc0617d7f18b6

  • memory/2300-109-0x0000000071F0D000-0x0000000071F18000-memory.dmp

    Filesize

    44KB

  • memory/2300-108-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2300-232-0x0000000071F0D000-0x0000000071F18000-memory.dmp

    Filesize

    44KB

  • memory/2300-233-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2300-234-0x0000000071F0D000-0x0000000071F18000-memory.dmp

    Filesize

    44KB