31f655072655c9b8b7c6338ae9282441b96840a02bf24b2c470bdd2d843f1395

General

Target

Heres your AI-hero training (cue ninja montage).msg
Size

128KB
MD5

fc1d7359ed101fc80702f88cdf1f3a58
SHA1

e5a54ef063841c357c714d5ed582ed8f8a72d2a0
SHA256

31f655072655c9b8b7c6338ae9282441b96840a02bf24b2c470bdd2d843f1395
SHA512

3dc0b22cac86fce7519fe5445a3f9539002b70c88c8d9e53278c8c37f20978de5f5855c2990badb4bc6f962bdbe136fecf4c4f063bb43c3fb97ae1e750866173
SSDEEP

1536:JJksVUbzLNAV8DOiBCiAiAW0GWJWptIdejlcYWJWPvciInsI:XksybfNAV8DOiBCiAiAW0EtIdVkPx

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2520	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2520	OUTLOOK.EXE

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\Heres your AI-hero training (cue ninja montage).msg"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
70019ddf097ba769f5804f4481490c6f

SHA1
dfe8852326827aaadddcb429769049ae8530f24c

SHA256
8416d0ca27fdbc2283c90c1ee619ee53a02b660f04567c07a23acd69dfc2ae53

SHA512
4474a0cf1e2ad20a77643f378a2bb1a9b9de30e82409fbd26e176da7a750f7b63f31b899a5763e17eb6963cabff54e56b34db31c52f6fa03b318f0c49b9a114c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
d629c1be7f7ea015d4d99d0f3a3af81a

SHA1
33857e24f85a27285b3dabc11c3d66d8bd656a0d

SHA256
d4ab9d38c065e3d8dfa91633b679f89544685b7f57be9dafdd36a4d278138ccc

SHA512
2e8a5073c3b7affefb5717f00e107f28017a54445e15d38ef1f2de2f1bc3e15f353b40116d38cefebe4cede2191265db74061ca92e52fcbc666adb721ab71172

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
800B

MD5
5d70703422c4f3e8dbe75ff1ca11b51c

SHA1
2f1efe05b667952a49bda6699b09bfa6c4df4aca

SHA256
c53db102bc6a0383ff07b3965490504601825078b215673808221513a49fc037

SHA512
c69bc84d9a4837ada45a0e25a315ee26d1166f488e60c172e8c0746fee1cb033cce2598d882c18de7765290b1116349856d2b023c29c21f6312514957dcaa44f

Download Submit
memory/2520-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2520-1-0x0000000073DBD000-0x0000000073DC8000-memory.dmp

Filesize
44KB

Download
memory/2520-124-0x0000000073DBD000-0x0000000073DC8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing