1cd1c254748f256b009f99cacd552b4273b6b67821fe419a2e3253b427ac09cc

Analysis

max time kernel
179s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04/10/2023, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

original.eml
Size

74KB
MD5

ee9effa2da720e452cc0a96baaf4c160
SHA1

476c55097fe21e5b95da3e802a5e3b5ca9b2d48c
SHA256

1cd1c254748f256b009f99cacd552b4273b6b67821fe419a2e3253b427ac09cc
SHA512

21c3e8b643e0a078a5a5eeb1c0446e87d3bd5c7f95d9ec42d8db6ea46405f592ef3bf716e44a33f64209ae96cf2d59ac29e761548eb1ef65c922c40d2fc6ffd1
SSDEEP

1536:JfQO39zOaUcV79mFu+e7Tr98yUwP5GZyJ/TpqiT:J4XaD19mE7/uyUycYB

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063008-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B0-0000-0000-C000-000000000046}\ = "_Reminder"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063047-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}\ = "_Reminders"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307B-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\msohtmed.exe"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DD-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300B-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063073-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063074-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F9-0000-0000-C000-000000000046}\ = "OlkPageControlEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063034-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063047-0000-0000-C000-000000000046}\ = "_UserDefinedProperties"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303B-0000-0000-C000-000000000046}\ = "Recipients"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304E-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DE-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F6-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E5-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FD-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063102-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303F-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F6-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063009-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FF-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EC-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CA-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063062-0000-0000-C000-000000000046}\ = "_MeetingItem"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}	OUTLOOK.EXE

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GF4X0OBX\clubcar_Gerard Johnson.eml:Zone.Identifier	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GF4X0OBX\clubcar_Gerard Johnson (2).eml\:Zone.Identifier:$DATA	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1292	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1292	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1292	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE
1292	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1360	1292	OUTLOOK.EXE	33
PID 1292 wrote to memory of 1360	1292	OUTLOOK.EXE	33
PID 1292 wrote to memory of 1360	1292	OUTLOOK.EXE	33
PID 1292 wrote to memory of 1360	1292	OUTLOOK.EXE	33
PID 1292 wrote to memory of 1360	1292	OUTLOOK.EXE	33
PID 1292 wrote to memory of 1360	1292	OUTLOOK.EXE	33
PID 1292 wrote to memory of 1360	1292	OUTLOOK.EXE	33
PID 1292 wrote to memory of 1360	1292	OUTLOOK.EXE	33
PID 1292 wrote to memory of 1360	1292	OUTLOOK.EXE	33

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\original.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GF4X0OBX\clubcar_Gerard Johnson.eml"
  2⤵
  PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
248KB

MD5
0e06972c523738b3b5ee36a839ffc34a

SHA1
0ee64e033cbdf7e73de70381999f94efb79704d3

SHA256
1521cc0e5f6960bd9f6ce304ff92565c9f61eeb0240cb65af6a4ed965546da8c

SHA512
a5b62667fbc79fcc93839ac98628063913693ff605df2184a6b218b32ab367047db2852a2364698bb4dd5afb02dc6bd882d93efc5c5244a727bb49d6d8e09f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
230KB

MD5
6c791f327fc22188d4c7c55d1c62c080

SHA1
e177b4fdf98a4820eea7b4b8f04190ed3a36e202

SHA256
3a8ab24c877828f84c8c39c4f54c53ca2a3879c535f5ad9a58cac66f7efcc925

SHA512
cac4db1c46b3a1869db304c8bdb22bdc9446681ad9d2db533dcdb05e0ed05c263447ac48cd57c5880023970bf014446e342adfd1d2b9a2619207a342bbd60db6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
c58df02cc4e20814a170c5187e2fdc85

SHA1
afcfe63688041ce35196a52fe873dead20521c92

SHA256
9d9af14fe4663634c22e2566748065e0a8f22ea22b29d48257d7313cba2c5cfb

SHA512
2b6bd91fd805b0ded8877bd00d9b5423f29cbfdf141ee1feeb3276f6c66c4ae882809c0d42c500b3a3b36a43a7f76814f9bf31f43b768abfa113d64d310fac59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
c58df02cc4e20814a170c5187e2fdc85

SHA1
afcfe63688041ce35196a52fe873dead20521c92

SHA256
9d9af14fe4663634c22e2566748065e0a8f22ea22b29d48257d7313cba2c5cfb

SHA512
2b6bd91fd805b0ded8877bd00d9b5423f29cbfdf141ee1feeb3276f6c66c4ae882809c0d42c500b3a3b36a43a7f76814f9bf31f43b768abfa113d64d310fac59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GF4X0OBX\clubcar_Gerard Johnson.eml

Filesize
45KB

MD5
bdd1aabcbe8ac19c7ff104169a1d4f1f

SHA1
9d0b0244ac87372ec80b44bec9bd1154f3b96a39

SHA256
b9b1e00e54c8840570e2c689e47a8492b36eadf430d339a02583712da1acc2b3

SHA512
94cd11b2cbe24e07199a93c9089488dcae6f0d381834d9ab67a342c7d312fa26a78caa709ee77bcc0eac6e15ff31a8209f0a5afbc108e29f9c338993431c4afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3D15FD80-81DE-4682-A579-6ABD3D5A3D44}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1292-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1292-1-0x000000007388D000-0x0000000073898000-memory.dmp

Filesize
44KB

Download
memory/1292-124-0x000000007388D000-0x0000000073898000-memory.dmp

Filesize
44KB

Download
memory/1292-163-0x0000000068AE1000-0x0000000068AE2000-memory.dmp

Filesize
4KB

Download