f2a6d2b8872737d724fd39ec1b4ea8ceb5645706c831512dfca971caefe3b003

Analysis

max time kernel
1071s
max time network
844s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

attachment-2.eml
Size

111KB
MD5

cf43717e1bfb213c4147deb2429e83c5
SHA1

5e6d40aa1e1f71e67eac03c365f279db9a8a9c0d
SHA256

d8dc1d6927407ebae9476f4ea3c12e15f15c734d5f067ac67ed80cc0505d5695
SHA512

6c0b4802f94984692bb34b5872b40439f7bdaf8249334f7c6e355506f157768cf626ec3d70fb0f676958cf1c4a73b06dc37a75e50c2d4e38f92be59e05953f76
SSDEEP

1536:gDgSaOkHS5ZRlp7RvoZBu5OQf8S8DkDY1FwLrozjgLumiQCdTLwqFPkv3A1fJ8ab:ZSqy/RlpVv8soQfQsIwLUuucnvm5P1

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}\ = "_OlkCategory"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EA-0000-0000-C000-000000000046}\ = "_CalendarModule"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303F-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E5-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063009-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}\ = "_NavigationModule"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308C-0000-0000-C000-000000000046}\ = "NameSpaceEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063104-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E4-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302A-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304E-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063074-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F4-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DE-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063035-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F7-0000-0000-C000-000000000046}\ = "MAPIFolderEvents_12"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067353-0000-0000-C000-000000000046}\ = "OlkFrameHeaderEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E3-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063073-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F3-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}\ = "_DRecipientControl"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063045-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\ = "_NavigationModules"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303F-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\ = "_ViewField"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302D-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063024-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063107-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EA-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C4-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305B-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EB-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CE-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2416	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2416	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE
2416	OUTLOOK.EXE

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\attachment-2.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
97960a1d850d23c85a189af635ec85e9

SHA1
d5aa3c13c2cc289046e6b3abb4b72bb5be21c3e2

SHA256
cc254d0085d60ca918af25baed540b131b0b0510e1002b33ebdcaca82ad7c49e

SHA512
6ac41d6c9b89aba70a820e9c3ae59cedaf921534514c51b9230bc164b79ff9b4cb05e7f862274dbaca92b39f821b29da839e1c3dd541427c7fe1b7fdc71a24c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
79b49415798e7a6343534f97e938b6ec

SHA1
ea2a367f4e21be56ca15bc0debe7d3b42bc32384

SHA256
80107d760b59c047f4631b18b9e5e8697b659daa9d922a0a03473e266d617ce2

SHA512
451c6f8d888bc8dddbfe0a0acc706cc52d6833edf5a35c77e2d98b090cc272fe634db192639a8fb9015c0d453c880c4aa553708ebef3742df7f9a1b5976d7fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
01f2e8a5b22b5125a85ef1a800c1e376

SHA1
f8998ab86c33c3da8074011639c05c22fb9f958b

SHA256
0ff1e0c29e6fc78cadb47f49d660c1ae3fb29175f85deab58d2f2fd50c6bf299

SHA512
f649783ebcc353685f17e24224ba096e7583861b2638c7a348d1ced4f456d530cc0a08c0e952581b8f2738000af45fae5ac3dd2962604625c381cf8e32dc4d0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
a741621dc1e68aee46b0f51ff4b1f971

SHA1
0896e1480c00c4d74874dfd87d0d4aac27617f0e

SHA256
3c135e10d1298caa8754d4ed7731fe079fbde1ee2fd340e5c2de7645b5a3b436

SHA512
0de6899ddddb8241eb982af8ddafa89ce4d9c163b1aaaa526351eeb38c28719f9f8c3a80a3f22712855d6e60c9949bdf2695834d33329c7a10d2da53312e3fc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
a741621dc1e68aee46b0f51ff4b1f971

SHA1
0896e1480c00c4d74874dfd87d0d4aac27617f0e

SHA256
3c135e10d1298caa8754d4ed7731fe079fbde1ee2fd340e5c2de7645b5a3b436

SHA512
0de6899ddddb8241eb982af8ddafa89ce4d9c163b1aaaa526351eeb38c28719f9f8c3a80a3f22712855d6e60c9949bdf2695834d33329c7a10d2da53312e3fc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9DE73EC8-2E0C-4617-961A-1EB58D87D987}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2416-1-0x000000007372D000-0x0000000073738000-memory.dmp

Filesize
44KB

Download
memory/2416-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2416-81-0x000000007372D000-0x0000000073738000-memory.dmp

Filesize
44KB

Download
memory/2416-167-0x00000000088D0000-0x00000000088D2000-memory.dmp

Filesize
8KB

Download
memory/2416-197-0x000000000FCF0000-0x000000000FF68000-memory.dmp

Filesize
2.5MB

Download