2e3e7e37d8036ab7892f82d7860b7fa815460cf50252b8072da637925a2b9814

General

Target

phish_alert_sp2_2.0.0.0 - 2023-09-30T105047.656.msg
Size

104KB
MD5

1bfbe9ecfad19197e0ece5e642584a34
SHA1

d071f84e89fe86b53df967768b8521f5c5b960ae
SHA256

2e3e7e37d8036ab7892f82d7860b7fa815460cf50252b8072da637925a2b9814
SHA512

555741bfc7dc5cbc7ac19d99ed7440898ef65075994def07c7a7d535b702365f9c9a4e137c8d36461ee6c91396ba4cc54716a3b391aa434f68d11d532bbafb82
SSDEEP

1536:ipjqSrYIAaIG6CExooeRg5//3ZKVQOh9MWCWdWbW8:ip+SrYIAaIG69eq5HpKVQOh9C

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2104	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2104	OUTLOOK.EXE

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0 - 2023-09-30T105047.656.msg"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
248KB

MD5
135a2e70063b5d235f63a2c50bfe1834

SHA1
abf973eae8daa0826a143fa81386ed3bd5da9401

SHA256
89000dcb3567cfff83cdfd9286169ff178e5bab8503c901c27abe1dafa2b6e37

SHA512
15db986db07e1241d0511cc6a0953963b5a3573d7e55c3315e8fbd2e58275497a1150d0124f438c90ffaf130f5d8908e62bc42cb45412ba9c62eae385ada0a41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
3cb538998ff7f1b46b2a894e0b9cba30

SHA1
cfa251790eda0cf226c3f6c9deb51f97599ba780

SHA256
f4166dadcd5f591c24f41c68713894e178550f49dde879e4a12734bfb6082b66

SHA512
b3604371b6d1c4d21dc13f8b554a1988dab9fb136c0b9d5f6a01f1b3b285cd5d2a8328f33a44ee7b1f3791384eeed85dd0418288a161d3b34b85c9e27ffb1b92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
9ceaaf889fa7da1d747722f11209f522

SHA1
73bcd856ff96cb99b614408fec7ebdcd0ab5fbde

SHA256
c33f74db9d6bb2cbb7cf332ed2b1df8d1884e20dad30f648f9d825e070f738ef

SHA512
2ca3c30ac91477151c85a7944faa555eb6741b796c19058595c5d7e50154d6e0764d8c0e62f3eebca4b00a9a293fec9ede140cdc509e67845728bdfedc7195bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
2dc2d94d585b18e486f195a7d197d832

SHA1
70b4fd7ba3a4d8137bf5091c56c57a86c08cdfef

SHA256
fabfe0d3f23d261115bc1d9148e75ea6c8f5efee7c9f8761f30e4f852ed6166d

SHA512
53b1c34824ff65f843de27cf829825107f5d524cb2d355fcebb8f4672f11bec9a34f966043796e1aa447a9485f59542466269fde4136354976e7da1f84373d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
memory/2104-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2104-1-0x00000000733FD000-0x0000000073408000-memory.dmp

Filesize
44KB

Download
memory/2104-124-0x00000000733FD000-0x0000000073408000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing