d8cfa5a0ddbf5483a170f0a66b6579ddb1cac3e50cb784ea2db0a2d91717abc8

General

Target

Фишинг.7z
Size

1.2MB
MD5

e89282e50114f22c3a9a3de526099b4e
SHA1

cabdf997a61ae4bda523bdea6f950731f9d427c9
SHA256

d8cfa5a0ddbf5483a170f0a66b6579ddb1cac3e50cb784ea2db0a2d91717abc8
SHA512

d5ed27873ed7404b3aed501918e384d5ee728b94238fc7f8029f8cb079195c03d1109c91aa433a9ea09fc36fa39f3af7899a45e2f8cc475c2e80ea604268561a
SSDEEP

24576:pt7nnaWxsKo8OgkD8NzHE8lSXFUBkwbP73rwzYQujRCQc3pGP4jhcZxhIf6tIODy:TaWKHEkgzHE8wXE3P73XfjRgGP4FctIr

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2568	OUTLOOK.EXE
1684	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2468	7zFM.exe
2468	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2468	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2468	7zFM.exe
Token: 35	2468	7zFM.exe
Token: SeSecurityPrivilege	2468	7zFM.exe
Token: SeSecurityPrivilege	2468	7zFM.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2468	7zFM.exe
2468	7zFM.exe
2468	7zFM.exe
2468	7zFM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2568	OUTLOOK.EXE
1684	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2468	1580	cmd.exe	29
PID 1580 wrote to memory of 2468	1580	cmd.exe	29
PID 1580 wrote to memory of 2468	1580	cmd.exe	29
PID 2468 wrote to memory of 2568	2468	7zFM.exe	30
PID 2468 wrote to memory of 2568	2468	7zFM.exe	30
PID 2468 wrote to memory of 2568	2468	7zFM.exe	30
PID 2468 wrote to memory of 2568	2468	7zFM.exe	30
PID 2468 wrote to memory of 2568	2468	7zFM.exe	30
PID 2468 wrote to memory of 2568	2468	7zFM.exe	30
PID 2468 wrote to memory of 2568	2468	7zFM.exe	30
PID 2468 wrote to memory of 2568	2468	7zFM.exe	30
PID 2468 wrote to memory of 2568	2468	7zFM.exe	30
PID 2468 wrote to memory of 1684	2468	7zFM.exe	31
PID 2468 wrote to memory of 1684	2468	7zFM.exe	31
PID 2468 wrote to memory of 1684	2468	7zFM.exe	31
PID 2468 wrote to memory of 1684	2468	7zFM.exe	31
PID 2468 wrote to memory of 1684	2468	7zFM.exe	31
PID 2468 wrote to memory of 1684	2468	7zFM.exe	31
PID 2468 wrote to memory of 1684	2468	7zFM.exe	31
PID 2468 wrote to memory of 1684	2468	7zFM.exe	31
PID 2468 wrote to memory of 1684	2468	7zFM.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Фишинг.7z
1⤵
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Фишинг.7z"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\7zO4A9B5776\просмотреть вложение квитанции об оплате2.msg"
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2568
- - C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\7zO4A9AD7B6\просмотреть вложение квитанции об оплате2.msg"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4A9B5776\просмотреть вложение квитанции об оплате2.msg

Filesize
1.4MB

MD5
038c1b91b95574699e6e1bd842b9f303

SHA1
53de016ca5268b2c3ee1e77b2b4dce98d10c9f86

SHA256
ed6584f476cbf9780aa4031168fa512373a5fc81026a08b7066391d7f25670cc

SHA512
abdcaf4137ea5d9a2b04295a25e0fe320c7b4f332077866e1266292426e6d3216412de10a6ed011f6836793d2fe82cdc746b1e4dc365579fe17b920389678a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\outlook logging\firstrun.log

Filesize
50B

MD5
cef355652fafe6461e322ff6840fe92b

SHA1
5366b9aa6ae8a8658f47c6fa3a1a760c1452e3c2

SHA256
997af8e3badf588722974c2f2274a168c85664ab0fe8b35a6dff5ddf2b97fbee

SHA512
d93fd2654b4c9880b65a69f7822f5d3963acac687c50bbdd9ae9fcfd3c4986ae9a7ee20f500928dbe824788a331f710c2fb4504bf5b5007e194f83462921be34

Download Submit
memory/1684-162-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2568-26-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2568-158-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing