5d6fbc3d28cc6b6c977b3600887b2635d1c2d5089db2374c72e27cecde090f54

General

Target

EDC-Ticket.exe
Size

13KB
MD5

0b3e9efb1fbb190de627c08f2a8acc95
SHA1

d7933285b41c2d97ac2039c6982fc927be159df9
SHA256

31dc14faa78d8ea6f70a0552e2af691e70b098a385276eebbd4376c0c6e2ec88
SHA512

9846b80bf2ad84207e94c10d25e734ee92672f46855b99802afd28c5f9889075b011c4a087acd40bb15fad0bcd7f25b17b74a58332bebc5b3c4c3627cd6858b5
SSDEEP

192:RL6Bv89lVnOYt43tQakvAvIkvvJKIcsKnawopVevxOjy/Akdm5P:R2yBOYmCAJKIcsiawEV6YB

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2092	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2092	OUTLOOK.EXE
2092	OUTLOOK.EXE
2092	OUTLOOK.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2092	OUTLOOK.EXE
2092	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2092	OUTLOOK.EXE

C:\Users\Admin\AppData\Local\Temp\EDC-Ticket.exe
"C:\Users\Admin\AppData\Local\Temp\EDC-Ticket.exe"
1⤵
PID:2468

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
ef888db14731388dafb493a170fe35ad

SHA1
4253ded52c1fa95d5212110f9c1beaea340be27f

SHA256
78c28927bd71a4157a150dc71447c873ad8efcadd1fd3cf8e579085b78693b9f

SHA512
ae194f61cd59db08466bd544aefd074a209461de56f85d8dcf2ec4c8245d666b1bad0a715f881e2210aa2b1de046600e7566c1c045ae4a3bb966f4583b28e1bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
29e72f549596b812085a42a99b71b073

SHA1
6f3658fe7c58b67c92304bdc6b9776ba20df2032

SHA256
f417b01a67253b553cc46088a7e8ac440830492f3712c4e49e7005334375d5a1

SHA512
27ab2411129388b6956bf0ea64d1a7fc68bbe40f76fc2df9e34a6af241de2e3602d17ae7c0fa769b6e60b9ddf233eb56b630d015c46e1be303b8b2c3b6aa59ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
b213f0396cf33748845f680983131598

SHA1
0215e99733d3a5765bb922d4164789e87a634318

SHA256
ee005e4988d7f84908212bbcf9495f1493e8c7d8d92fd59d71a330627ec83c24

SHA512
c4ee9ffd48f3133592c04ef9334f15b725eb06d3f4084893406bd5d44dae7036cf7f6be832d52e92318086caffb2c0dfeb674a581e570a58bcacc1248f67ab7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
memory/2092-105-0x00000000737E1000-0x00000000737E2000-memory.dmp

Filesize
4KB

Download
memory/2092-5-0x000000007331D000-0x0000000073328000-memory.dmp

Filesize
44KB

Download
memory/2092-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2092-131-0x000000007331D000-0x0000000073328000-memory.dmp

Filesize
44KB

Download
memory/2468-3-0x00000000005F0000-0x0000000000660000-memory.dmp

Filesize
448KB

Download
memory/2468-2-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/2468-0-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download
memory/2468-1-0x000000001A640000-0x000000001A730000-memory.dmp

Filesize
960KB

Download
memory/2468-130-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing