cc609cbaf5baced81b2518c0f2f5d1bbb4c52edbf23bc6ef92892975e78cf1be

General

Target

Y O U - H A V E - W O N - A - E S S E N T I A L S - O U T D O O R - B O X !!! #lRo.msg
Size

383KB
MD5

5818910a8a5ee1b37c5aa394ac4ac701
SHA1

4956a686afbf3844a3d57096819de7c77b53813b
SHA256

cc609cbaf5baced81b2518c0f2f5d1bbb4c52edbf23bc6ef92892975e78cf1be
SHA512

986ff678d771243d1b194a4e5dc7f2bb95c7a34f01ef9f6bf74baedfe2bddf55cc02147b4865987a9710658d531a49a51866be4f04abb1e4c9c900face35c097
SSDEEP

6144:XsTlp45GQPEdMxropFr3oHm6X3e7NSPdZkppChroA3Y28rb:Xsc4ZIrw3oTe7NSvkppwar

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2548	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2548	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE
2548	OUTLOOK.EXE

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\Y O U - H A V E - W O N - A - E S S E N T I A L S - O U T D O O R - B O X !!! #lRo.msg"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
aafbdb3cdd840933459d4e682b40118f

SHA1
a57647da0fffd75813c573376af4edc350bfdce1

SHA256
b3ce293aab6ada2c701a75c5a546a7cfafc6d13b006d535fbd6c72ef934349fc

SHA512
e3bd1b204e0e56c96c994f39ccf975913aa3e937e7b26662281bfa09b55168a480f40c39a4e57f7e4f4f1acdad5b5078d0e032ec35501bf3072c572ed953255b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
79ab27424457ed82250b902b383c6ddc

SHA1
f274984dfde45b9e49963269fe4fc67ed47e9abd

SHA256
591907fbf8b216187ff36a3afaed3a66d5ff2dd20ad05c2f1a63736aa30853ee

SHA512
9b806c88552318d8ac90479e4bf10f8f0c07ac51674d1cab26b9ce3cb931f28826be1acc1740b9aef13b3b542659ff58cfab175c0ae5cfff25b1c01866298e6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
9a84a28e3473020f6cf14c99b07ce0c4

SHA1
cfab50859abc54df75a1303c68c4db22e60a28ea

SHA256
db72033fba7db2460e15891c328c1101752e044e2ff686fa2ad67d50a524b65f

SHA512
c4ebbb9bedba39b87e6a2bb3b5c5354e63d1837e8f8bedfbf7a19c67104426ec11cf4161ef33fe70481fda4842c1c59cb9a157a49d094c9d24cb13e1414611ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
904f67e1ae17c82d0f116f4cd44cdcfc

SHA1
096917e2ab5b866b1f3e8e04dc426b8c371789f0

SHA256
802b857b338cbbffe539251212b310d2a09e2f10feebd83bab4d638a39472b71

SHA512
bc465c428a2ae07a7ae182188129c98d6e17d5a17c2554078f6923ea12fc01003551cfe44e6f734cd84591541b1881ea2024db0c860925904842d424570b66fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2548-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2548-1-0x000000007414D000-0x0000000074158000-memory.dmp

Filesize
44KB

Download
memory/2548-164-0x000000006B5D1000-0x000000006B5D2000-memory.dmp

Filesize
4KB

Download
memory/2548-179-0x000000007414D000-0x0000000074158000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing