7d66e768ed6851b0e4f74c94b7b86c1d24ee779e89d7dfc0f51d12a135d6e9ce

Resubmissions

19/09/2023, 08:52

230919-ks2glaaa53 1

19/09/2023, 08:12

230919-j37kxshg95 5

19/09/2023, 08:09

230919-j2f2ksfg2z 5

Analysis

max time kernel
127s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
19/09/2023, 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

message_19092023_0822.eml
Size

264KB
MD5

8d82bea1223c77cd66405de356255369
SHA1

aaab8ca3020caa2cf519872b210310a74d478b5c
SHA256

7d66e768ed6851b0e4f74c94b7b86c1d24ee779e89d7dfc0f51d12a135d6e9ce
SHA512

93e0cc21c2505a6294a677c641e9f4e21f77572fe92f59324e985c25a3e602845a120745dc7b0faf4051fd5841c57916b24e84d99d9afee0d85817869964f3d1
SSDEEP

6144:GPOx5diCley+UZ1hJ5+k/dLVHquGkcf3o4wUTuV6jPmreQViwY3GJ/ym:GPOxFYy+UZTJ5+wsuGkcg

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2072	OUTLOOK.EXE
1860	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2072	OUTLOOK.EXE
1860	OUTLOOK.EXE
1860	OUTLOOK.EXE
1860	OUTLOOK.EXE
1860	OUTLOOK.EXE
1860	OUTLOOK.EXE

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\message_19092023_0822.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2072

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2448

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
54bfcb6bbbf77803d77e81adc56be5b3

SHA1
c1c319772dfa9a52fcd699a93c73acb8788ae986

SHA256
bf155b379e91c4f3a233420e7719bf30ebab62ca648a0717f769b6c6bf1aa2b0

SHA512
fc0787452f3789f428f9c7f31f8b1dd4b43136e9332cf3d874391a8308971970627595f9507c8034ff1d2b2fbe400e071e28ae22dfc23022078918bd61904d1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
84c275857325a3889c32f3274dc3c0ab

SHA1
8d6388d60b654d9ff2376d4390109ad829fc71d1

SHA256
8a1f378e2022a18dda68bf83ee3dcd33ea278edbcbdaaf45be6c627422b46e89

SHA512
89346ec0b48e6bb29cce44c0f838e5dc794cd338f0d6903e4f558c6f80b59f7d2036d8f2e8be450c00433b6669a5f6b05265673234f82abd7adb2814c68d7a64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
6139bf11c973f7bdd99cb5b614db8aed

SHA1
b247bd87a04b4f17bcf8e33abcb63fdbd872991a

SHA256
34e45dd76a95ebbbc134ba6245054b40b705cd64cbfe11b0bb375839d3483fe1

SHA512
525fbf75a923a25d129a995baf10c9ff20a265c9ee5ea0adbec167e70e3b64e6d7c2f02238b0b1b2b3dd9d85ed7cfba928c184e066dc3cd204f55e0aeade528c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\outlook logging\firstrun.log

Filesize
82B

MD5
c32b6ee395520a9fbfe424a6853e1e9a

SHA1
20c7463e033836b8e4d4d46d3f63b9aa9d6442f7

SHA256
35a4586dca27bb600dc87ad7d926e31e7573e488b41c77a0c21310095ec98433

SHA512
19ce3d3557fef081056634f39566a88793014a4e2d0d602f6e84047953fd52909457b7f5d8ad702aebc899a0b8cf7e0bc32e569008626f80ed85d25d8c0e1add

Download Submit
memory/1860-136-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1860-137-0x000000007289D000-0x00000000728A8000-memory.dmp

Filesize
44KB

Download
memory/1860-144-0x000000007289D000-0x00000000728A8000-memory.dmp

Filesize
44KB

Download
memory/2072-133-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2072-135-0x0000000073A7D000-0x0000000073A88000-memory.dmp

Filesize
44KB

Download
memory/2072-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2072-124-0x0000000073A7D000-0x0000000073A88000-memory.dmp

Filesize
44KB

Download
memory/2072-1-0x0000000073A7D000-0x0000000073A88000-memory.dmp

Filesize
44KB

Download