Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
5Static
static
1ForwardedMessage.eml
windows7-x64
5ForwardedMessage.eml
windows10-2004-x64
3030 -CITAC...ar.svg
windows7-x64
1030 -CITAC...ar.svg
windows10-2004-x64
1email-html-2.txt
windows7-x64
1email-html-2.txt
windows10-2004-x64
1email-plain-1.txt
windows7-x64
1email-plain-1.txt
windows10-2004-x64
1Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
24/05/2024, 14:46
Static task
static1
Behavioral task
behavioral1
Sample
ForwardedMessage.eml
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
ForwardedMessage.eml
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
030 -CITACION_DEMANDA_EN_SU_CONTRA_JUZGADO_008_CIVIL_DEL_CIRCUITO.rar.svg
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
030 -CITACION_DEMANDA_EN_SU_CONTRA_JUZGADO_008_CIVIL_DEL_CIRCUITO.rar.svg
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
email-html-2.txt
Resource
win7-20240215-en
Behavioral task
behavioral6
Sample
email-html-2.txt
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
email-plain-1.txt
Resource
win7-20240419-en
Behavioral task
behavioral8
Sample
email-plain-1.txt
Resource
win10v2004-20240226-en
General
-
Target
ForwardedMessage.eml
-
Size
299KB
-
MD5
9853f0d353200237d8fada1affe0a7a9
-
SHA1
198d7ff37fe4b584acefc2ba5abccdc81ea6ac7e
-
SHA256
79abbda9d182f7a710bf6365bfc4ed50fc7669c7840c9593c8d663a6d059db06
-
SHA512
89cd7db70587b16927ef36c9b8e8e26913ddad3825a1b2c57fc7002c0d3e9038ebc6820c91ab23719ad8a3b5d9e7c5975f855fbc633a99216119baf4fda0a802
-
SSDEEP
1536:xPXbOrvLPqsohfWcT2kvFxhR1WRFxsYOEvAvBhg9qDFe+emfjr9i7nU0I1GsoIWM:xPX2vLDJ6YQj8UlJ4DS
Malware Config
Signatures
-
Drops file in System32 directory 14 IoCs
description ioc Process File created C:\Windows\system32\perfc009.dat OUTLOOK.EXE File created C:\Windows\system32\perfh010.dat OUTLOOK.EXE File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI OUTLOOK.EXE File created C:\Windows\system32\perfh009.dat OUTLOOK.EXE File created C:\Windows\system32\perfc00A.dat OUTLOOK.EXE File created C:\Windows\system32\perfh00A.dat OUTLOOK.EXE File created C:\Windows\system32\perfc00C.dat OUTLOOK.EXE File created C:\Windows\system32\perfh00C.dat OUTLOOK.EXE File created C:\Windows\SysWOW64\PerfStringBackup.TMP OUTLOOK.EXE File created C:\Windows\system32\perfc007.dat OUTLOOK.EXE File created C:\Windows\system32\perfh007.dat OUTLOOK.EXE File created C:\Windows\system32\perfc010.dat OUTLOOK.EXE File created C:\Windows\system32\perfc011.dat OUTLOOK.EXE File created C:\Windows\system32\perfh011.dat OUTLOOK.EXE -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\inf\Outlook\outlperf.h OUTLOOK.EXE File opened for modification C:\Windows\inf\Outlook\outlperf.h OUTLOOK.EXE File created C:\Windows\inf\Outlook\0009\outlperf.ini OUTLOOK.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar OUTLOOK.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" OUTLOOK.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt OUTLOOK.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" OUTLOOK.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel OUTLOOK.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" OUTLOOK.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote OUTLOOK.EXE Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" OUTLOOK.EXE Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" OUTLOOK.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3024 OUTLOOK.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3024 OUTLOOK.EXE
Processes
-
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXEC:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\ForwardedMessage.eml"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:3024
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
235KB
MD52c015385399d909cdf2f4cb4a8caceb4
SHA129e6358c93d8f8948bfed3d92ab5ed25048c9fa1
SHA256b2239381139be8229dfdae07fae60298125f283cb3bfcffd2b3c710cc8f65019
SHA5121bb375af24ece4e745dbbc9613ea50a67eb62aec4d28ca03db36d94a5fc8613aaf57670078de6f91958b0d033fdc32dc924115b94464012b8b1441cbd64c725b
-
Filesize
240KB
MD56af62ed172bda68300b7786c6c000943
SHA154c5509aedbb316636beebc0e216272b52ed7dfb
SHA256f1510028385b426cfbc586dcb7840396becd4f1938095c42fa2661d5511452fc
SHA512619ce52af6d3c2910a9eb10f48f531e068b742497737c771b4aa16a2a81f556bdf7b6c89089060af1c9692b6c501982743f1d3cc4fe5e4935d8e1d54d98fc98e
-
Filesize
1KB
MD548dd6cae43ce26b992c35799fcd76898
SHA18e600544df0250da7d634599ce6ee50da11c0355
SHA2567bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
SHA512c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31