3afdbc498c2cfe9429ec26cd5756ef3cef6d06fb71482cb970a08394bcb57051

Resubmissions

23/05/2024, 07:36

240523-jfftpahf8y 5

23/05/2024, 07:33

240523-jdhv9shf4w 5

23/05/2024, 07:29

240523-jbeqtshd97 5

Analysis

max time kernel
148s
max time network
117s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 07:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Unlock the Krishna-Arjuna reference in Brand World.eml
Size

45KB
MD5

99282bb7816801ee21bc6a2e30cae1bd
SHA1

fc72d05f2c0217f521f40a5dc25403b3bb591771
SHA256

3afdbc498c2cfe9429ec26cd5756ef3cef6d06fb71482cb970a08394bcb57051
SHA512

519926ce075bf13c5ef6edb3239cd7346689d7508c4cca01cef2ed1f4bdf4197276dc9549b26bb48addf8a37e23598dc5fcf717de2685186a7a5d16394c532ac
SSDEEP

768:6lU1MGzO+eCQKPMx9pj6CUHHtqIAV3/FPFgigX3gygx0zxgdg9AgjgPSgZgdyagO:6lUWKkx9pj6CUtqIAVdPFgigX3gygxa3

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2984	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1912	msconfig.exe
1912	msconfig.exe

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\Unlock the Krishna-Arjuna reference in Brand World.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
PID:2984

C:\Windows\system32\msconfig.exe
"C:\Windows\system32\msconfig.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
5ff3c3819a2a43fa9ca928bcabae46b8

SHA1
8c2c2d0818a1a23855e2c3ac4ef5d60d68668087

SHA256
ea02ec3c3deadd41c61fa6a8c0e48ea299709149f23ff9dbaa59ce4a0aaba68f

SHA512
749447c31927b1b986d5e5e565cc3b7819db83b58df0a6e0dc6bd1c4a30239a65ce335887d171450710c4194d0e9c2285a063f8f48745b2111c814cf775d3e69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
memory/2984-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2984-1-0x000000007338D000-0x0000000073398000-memory.dmp

Filesize
44KB

Download
memory/2984-124-0x000000007338D000-0x0000000073398000-memory.dmp

Filesize
44KB

Download
memory/2984-125-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2984-126-0x000000007338D000-0x0000000073398000-memory.dmp

Filesize
44KB

Download