935f2ed3787ddce80823c6f0e513c1a5865e87edf2c9597994e43c6ceb104ad1

Resubmissions

06-10-2023 17:17

231006-vtvqjsef4v 5

05-10-2023 04:20

231005-ex7aragf4w 10

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06-10-2023 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Re JUZGADO 002 LABORAL DEL CIRCUITO - NOTIFICACIÓN DENUNCIA LABORAL ADMINISTRATIVO POR INCUMPLIMIENTO..eml
Size

198KB
MD5

8763e44e3877ed4e503a69872c03a765
SHA1

5a2a5c852bb83dbefb1088f836fedb79bfa0c5bd
SHA256

935f2ed3787ddce80823c6f0e513c1a5865e87edf2c9597994e43c6ceb104ad1
SHA512

7cf1be7a3ef6a392558dab270b7c083c9cacd06a48d8f9e07d8f7bab29729e32fbc9763749499f009090e275e59b9368de55ff077e9b4bd89ab7c138cdb3c3a7
SSDEEP

3072:kXSuG3PsYtx7hPuUzAj+takLgdlbV2qcPimD0UOi+ksPnspTA8pmVkY2POJM:kXSuG3PF9BaYgdQuoPgspTAQY2POJM

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2960	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2960	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2960	OUTLOOK.EXE

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\Re JUZGADO 002 LABORAL DEL CIRCUITO - NOTIFICACIÓN DENUNCIA LABORAL ADMINISTRATIVO POR INCUMPLIMIENTO..eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
28c8af7f7a89945c9b25d178e6fe49d0

SHA1
abc52af9d66b46afe7ad348d59a07c5ef60ca082

SHA256
3c58d7d77d332a344285f28fe090ff65ceed6f6bcb3ef4fb69ef7d6f845dc14a

SHA512
a4b7d8e40f92c14aa645f177581af2ca37a221eec9f501ebb0655ea2c8e49bd014d8cf0604d161aa0f48d372c92b7ceb2fa303f75a875a2c22b67fc5c85caa5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
225KB

MD5
8d4c88e9c75fae11ec21a07dde144540

SHA1
49b23ced46722853459e4aeda749c8485e7aa8d5

SHA256
780e8a19c7a4db93fa22a2f8041ab255c67d480149c33c92dea7ef28804a3bf6

SHA512
e5bfea3e28073ddc9e71d7232524dcacd6a1f28358cb79f1b1e4cf79e62a30ac33f8de4fcd028d840f5d9792757239f45f21f1aa2fa4731d75306db36ca1db8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
memory/2960-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2960-1-0x000000007339D000-0x00000000733A8000-memory.dmp

Filesize
44KB

Download
memory/2960-124-0x000000007339D000-0x00000000733A8000-memory.dmp

Filesize
44KB

Download