d0cb8f41efff3d1ff4e2d6d239ac573b1c7b75f49993d51af3318e10dd566765

Analysis

max time kernel
137s
max time network
141s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RE INVOICE IN957576 .msg
Size

588KB
MD5

778b44ab1cb6740992f323e8ca83aa71
SHA1

464442247971b4eba7bd2b42cf97bae932c1c147
SHA256

d0cb8f41efff3d1ff4e2d6d239ac573b1c7b75f49993d51af3318e10dd566765
SHA512

f1d437b216af065cb9958d8486909d9cc4757497f94839cec445077a9fa1e245865e7b45c6fe35384d0faa64d4b18e56c85e137db73b57b98af102a27b91ce95
SSDEEP

12288:nF7E7aF/EAAf7xkuH5CpE0fO+bD2Cq7AN2:4AA9ME0fX/2C/

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000_Classes\Local Settings	rmactivate.exe
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000_CLASSES\Local Settings\Software\Microsoft\uDRM	rmactivate.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000_CLASSES\Local Settings\Software\Microsoft\uDRM\MK = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d00000000040000002000000010660000000100002000000082c34f7efd51fcde7ea2f891b0adce45a888d7e193199cffdb32898e1f8eab2b000000000e80000000020000200000005336b503a993bf06e2d2680b0f75724b31d350fd699165379a8c3e1a7bced64c60020000547ddb8d306645b0c659f467e0982d09069cc784f3521aa42783528ccc6262c08c93fdeff391fe8bb4cf7bbf91143c17cf0f12f3bff4efa878b62d2676e83e5a511b2367a1aa20d508dadb928630b67d2180ca4f3641b4b97126a737a78c8b449de35e15f7260fc80326583c272f4989a5a8b2b6fa72af99b31e0826ad37e6b3296185d69a374396dabbf7f83a27ba1a1762492149cd92d413a361b16ff99018a199635a1ed81e19f92e5ade923b2f0bf08c00bd9ac2f8d159d1ad586f09ac3579efbf74a3011f53bbfc2210917551c2c2628d6c697eda251e246cf9ff4685c6d171baa6f7c524d99cae47027a2240023d73c0d810c522ac51e16e915dbe9c2c3e4d61fe96a85ae4f93d3f3def9f47ceb7c98be029cfb2aec7136b67bbce48ba4c41e86512337a4e86b44f727d332701c736e515c9668b04c2d7347262656c01b70efd3be8d8457b2717e19b8cadb85f19a735cecfa2b7559cdf5b9c18fba5926774ddf76be265841e598ccb07b36f8db459b812b0c87b1eaf9d864adb50aaae5a933df2297305665ec16db0fc31052f2db908b5b6a0625d0ed5deda5d1ec480479e51fec3036079432aaea72d4fecfb01ed27655654995192655c223e89b8fa57d10c3b5229ea79f51d84cb41e396b2826fd1257765bea9d3fd26aa62f36a5a678f247fead2db67b117b8347be89d549868aaeaaccbb1cc7e5296fde144dd48445a777463d632c7937391bef562db23398ac95418dbc2c3b19f00f3920408bb811efd663ed55d6b50cc8027919ec87bb5447e44868456fe66a3468f331f381cd731379f7de5a892602ef3ed8c9601dc6e0a262f5aeef0d8d7c9af58006eca73400000008230db77bc78100387d18fbb3acb5010e683ad8bb05ed031d336f9c85120aefddf57e6e5ed8a62737bb2b14782717045fc2a92a81c3fe209a6f69ac5f0b57541	rmactivate.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000_CLASSES\Local Settings\Software\Microsoft\uDRM\SK = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d000000000400000020000000106600000001000020000000010c2f52c14073eca9fb91876abb3692832fe21f15b0e30b16db96982b2a0122000000000e8000000002000020000000fc58c3203ae001e30231b6e8f354450d6eedddd7e3704aa7f221fc6301ed6bc290000000fd5c888dd82dd44a69d09876a2df9d4660a1e2a0b904544d53933e371eba9bba0f23950f0d7b9f67a2e4496317b4bf1b6fe5ff626bc1ff8c335203efb8018f3d3c4538a0ec7787403c7e5f0b7fe4ddc5c5bae5c44eee3507877b238a478a6aa732ea841e8e92766f711ee0b0c944f21f32297ce295c65a197f429e80046ef28f252fe0cb2441c85a313fc532749a28584000000012ab8eda56b60d9bad866b3efa0e4227dab1e245f6aa9809d2b9bb833c5b374c28def47506b729a4909240a0983edd53f23e6db4ee7f3bc28ef7e3a31c91a7ec	rmactivate.exe
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000_Classes\Local Settings	OUTLOOK.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\8CPBB5KV\message.rpmsg:Zone.Identifier	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1532	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1532	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1532	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE
1532	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1568	1532	OUTLOOK.EXE	33
PID 1532 wrote to memory of 1568	1532	OUTLOOK.EXE	33
PID 1532 wrote to memory of 1568	1532	OUTLOOK.EXE	33
PID 1532 wrote to memory of 1568	1532	OUTLOOK.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\RE INVOICE IN957576 .msg"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\rmactivate.exe
  "C:\Windows\SysWOW64\rmactivate.exe"
  2⤵
  - Modifies registry class
  PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B8CC409ACDBF2A2FE04C56F2875B1FD6

Filesize
530B

MD5
5e275db761aa5a23ac651af8f6c4a000

SHA1
583fe93323b8fee3be1469f2d1bfc16a091ebc70

SHA256
3b9b2f75b724fe5354d24a0ef729b8a2aaa8a9313166eafb1f73b07cf1a745ef

SHA512
892fd01ee561591cee4d00ae4cd3cc91a07587c097d6969f8392af87582f93c259c52dae17d161e22ba12bf47b0d4d9953cddcb7df91a4a0e4de1a9873c936ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
51f0960416146e98638c5afb37886fa8

SHA1
720858f41ae187076a3555fb6ed6bf4086fe2df3

SHA256
542438e9f4a669354b6ee52ed74a8434ce9b862201959f0ccee755092dc2d2de

SHA512
96fae3c9be343eee29d66e973893734c147f5f85ad0e09b3fc02f4bdb4d378945cdbbda5a36a11a1eb7a34ccc3637237691c21e3a37976c627f5e9d7d48ba533

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B8CC409ACDBF2A2FE04C56F2875B1FD6

Filesize
222B

MD5
c625434d77713451581a1c4b073d4539

SHA1
94ab3050774edc7cd4b2ff3f037551eb816c7ca6

SHA256
005813516936b520449f5237855ac8da20797c22f10809c077c69c3b8cf4a6cf

SHA512
56766882be6b953a9aab815bad865a21e6d0e24c496d36a936aaeacdf72d2237308d19041d3197f923c1fb3e7db5e5f9f75868e74b1a984defea95ea5c540e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\DRM\CERT-Machine.drm

Filesize
25KB

MD5
b8fd6b5d10aa853e52040d6a590c92c1

SHA1
7c2312addc2482793b1f6d648201bc77996229a5

SHA256
465d7bcf13f44a01580bb87aa9435ca57f20b816d009a1cefbee44bf2d809a32

SHA512
b7ae463eb656eb082cc6a85022b3bff5c71bf1dde1347defe488f4dcf1f898f1b554a44b6c550c43c39c979128fcf5e02bad3f3023931fb5a12a4fce45abcc06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
1879f89c7bcb3ac8ee9054ee8bfbe402

SHA1
b4ea4bb80e9a6e908e389aa662d65858fad22062

SHA256
905db278931e042dde524350c16f87d74aad3ba6c92b18da9174f3cbfcd56922

SHA512
c4b2690837c938fb415c5804391f14ed3592fa0430a89ad12fcd8a6344bc98f8453f607f628c3f5c48606cc0fe408fa7988a28622640b05ec8451b2941c2c6a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
1879f89c7bcb3ac8ee9054ee8bfbe402

SHA1
b4ea4bb80e9a6e908e389aa662d65858fad22062

SHA256
905db278931e042dde524350c16f87d74aad3ba6c92b18da9174f3cbfcd56922

SHA512
c4b2690837c938fb415c5804391f14ed3592fa0430a89ad12fcd8a6344bc98f8453f607f628c3f5c48606cc0fe408fa7988a28622640b05ec8451b2941c2c6a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
1879f89c7bcb3ac8ee9054ee8bfbe402

SHA1
b4ea4bb80e9a6e908e389aa662d65858fad22062

SHA256
905db278931e042dde524350c16f87d74aad3ba6c92b18da9174f3cbfcd56922

SHA512
c4b2690837c938fb415c5804391f14ed3592fa0430a89ad12fcd8a6344bc98f8453f607f628c3f5c48606cc0fe408fa7988a28622640b05ec8451b2941c2c6a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\8CPBB5KV\message.rpmsg

Filesize
268KB

MD5
ffb9fa9d502245b8aeff1560d2253ceb

SHA1
443e7983a9758bd15324a1c7429a3e6dda52481a

SHA256
847ce799872674b948331eb2291e667b4d55f40d33683bad0a298b0e53d2e363

SHA512
63e6854bfa39d80860d81818c4f744642c0dcb33fad4f1d1d4c29d6791dfaef244fd66feff0dd4234c81c1671e115b2544c6eef25dec4399adeac5e4466f40a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\8CPBB5KV\message.rpmsg:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3F80.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1532-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1532-286-0x0000000067F30000-0x0000000067F9B000-memory.dmp

Filesize
428KB

Download
memory/1532-287-0x0000000067F30000-0x0000000067F9B000-memory.dmp

Filesize
428KB

Download
memory/1532-178-0x000000007401D000-0x0000000074028000-memory.dmp

Filesize
44KB

Download
memory/1532-55-0x000000007401D000-0x0000000074028000-memory.dmp

Filesize
44KB

Download
memory/1568-271-0x0000000000A20000-0x0000000000A71000-memory.dmp

Filesize
324KB

Download
memory/1568-284-0x0000000000A20000-0x0000000000A71000-memory.dmp

Filesize
324KB

Download