Analysis Overview
SHA256
243c6a1bfa47089b44ea156ea7a6f2f9e832c1a8d33784f6db475b212d5427ed
Threat Level: Likely benign
The file Secure RE RE Account #8521 Dudum Rishwain Dental Group Inc - Sweeps.msg was found to be: Likely benign.
Malicious Activity Summary
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Modifies registry class
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
| Reported | 2024-06-03 15:56 |
Signatures
Analysis: behavioral2
Detonation Overview
| Field | Value |
| Submitted | 2024-06-03 15:56 |
| Reported | 2024-06-03 15:57 |
| Platform | win10v2004-20240426-en |
| Max time kernel | 13s |
| Max time network | 16s |
| Command Line | |
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Secure RE RE Account #8521 Dudum Rishwain Dental Group Inc - Sweeps.msg"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
| Field | Value |
| Submitted | 2024-06-03 15:56 |
| Reported | 2024-06-03 15:57 |
| Platform | win7-20240221-en |
| Max time kernel | 14s |
| Max time network | 19s |
| Command Line | |
Signatures
Drops file in System32 directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\inf\Outlook\outlperf.h | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | N/A |
| File opened for modification | C:\Windows\inf\Outlook\outlperf.h | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | N/A |
| File created | C:\Windows\inf\Outlook\0009\outlperf.ini | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\Secure RE RE Account #8521 Dudum Rishwain Dental Group Inc - Sweeps.msg"
Network
Files
memory/2872-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2872-1-0x000000007352D000-0x0000000073538000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
| MD5 | 8003bdd595eb94cca999287c0f668b74 |
| SHA1 | 4bda55383c9dfbadfff130e8ab4dbeacf571c51a |
| SHA256 | 1f7ccddad2bb9a62947140d07fa3d8fda81b25ceee073f383112017c0feb828d |
| SHA512 | b7b9426f5fc7ee022000e4af4bd46aaab942e3dac36bc133b15a197a3ddd2b72a5df0807e5c3c594b5205a82f8822181b6384df7781f17bfeecc239c5bfb3f8a |
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
| MD5 | d63ecdf9f08ab6de4fc34f34a244b97b |
| SHA1 | 7b62ca5e0a439a48ca5994cc32e0f3e03a46afee |
| SHA256 | a78dff240b42c005996de02c1c9e4eff850868fc0e1ed703bf61180482016fa0 |
| SHA512 | f110f5db682b671db5331905b773afe9d80d5ddbee78a37874b571056e8e951d3b9a81ddf1bb6897a3ba36b15184843ecabc0541e4e7072145489495e0e5bd04 |
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
| MD5 | f104a5c3e8d4cee61de96ac9cd833331 |
| SHA1 | 7d5d9f7c039336a7a47b9875f880cffe6dd5cadc |
| SHA256 | eff0eb5145e23a6d0edee605fe9b09dbf354774a886957b20dc403ff364f67d8 |
| SHA512 | bc407a70ad01621e2589c1ccff92bcced55ead953abe16949cbcd1788435bbd2d45b09c9e4ebd2a862d3ae108bd53ac1b7600199d7f755634d34aebd47068699 |
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
| MD5 | f9dfb7e2c9e5917f907b0c60ce179eb3 |
| SHA1 | ce8d7a3ee77a75dbf163fe076c2f140be0943ba1 |
| SHA256 | 3bbeccb9dc1961991d867fb403db7a1469d1934e97e3bc92a7d9bc7378000780 |
| SHA512 | eac9e7378397d5c7b6832ae4db7b1693348ab17b385a29616b6f23f8cd79cdafb3912a2264775bbf28cec35d8fb0b99c9a880f9f69c5eaee5cf24c8ff8cd55fd |
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
| MD5 | 48dd6cae43ce26b992c35799fcd76898 |
| SHA1 | 8e600544df0250da7d634599ce6ee50da11c0355 |
| SHA256 | 7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a |
| SHA512 | c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31 |
memory/2872-132-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2872-134-0x000000007352D000-0x0000000073538000-memory.dmp