Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-07-2024 13:18

General

  • Target

    e6b82e1c-ac44-4023-8042-08dca5e19c90/4a7406b5-aea0-3461-afa2-c5f3f9b9a06d.eml

  • Size

    1023KB

  • MD5

    ac5c17e87832592ff53c4a53a169860f

  • SHA1

    fe18b12abfc07caf7f782db3aeacd8037eed3642

  • SHA256

    b112d3e0777a406d0703a4e0ad3c6028431a842adb50fe71fe94fa3ea0b61c29

  • SHA512

    8827a63ed2d7d521974028e65b8885eb310a6071fb13e5c207b639b957ff02619051d8cc420035e4dbbd17ca862a042dd4cad357a3581ae577d939dc41b342a7

  • SSDEEP

    12288:ExmZbBpsi8noZjbg9Hu8jwzLoDp3m6cSQ/Brkv+hruCJ4AQbSEbUlwVZKn3rYK9W:XbBK8jAJwzA3mBSQJrkwWcloK3G8Cc2

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
    C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\e6b82e1c-ac44-4023-8042-08dca5e19c90\4a7406b5-aea0-3461-afa2-c5f3f9b9a06d.eml"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CW1RBX3V\Solicitud de Pedido SP N 17850_16 07 2024 Soboce S A_PDF.001
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CW1RBX3V\Solicitud de Pedido SP N 17850_16 07 2024 Soboce S A_PDF.001"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:292
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CW1RBX3V\Solicitud de Pedido SP N 17850_16 07 2024 Soboce S A_PDF.001"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:884
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\Solicitud de Pedido SP N° 17850_16 07 2024 Soboce S.A_PDF.001
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

    Filesize

    240KB

    MD5

    49bc31f757825ae32e6b41d3f489ccf3

    SHA1

    9529cced2fa99715025dc5f3bd361a3e98f48f5a

    SHA256

    111a1d7c60462e94fb25d31348810a6526a3b1c5944643144a59a5eecf44dd38

    SHA512

    cdf80ff6fd3891c2aafa1040a4bbbf06004224c08994b728809b7636939085011e21db73861501216df737cec5980cb2be8f250185a3385df8117e94fd895c4e

  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

    Filesize

    1KB

    MD5

    48dd6cae43ce26b992c35799fcd76898

    SHA1

    8e600544df0250da7d634599ce6ee50da11c0355

    SHA256

    7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

    SHA512

    c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CW1RBX3V\Solicitud de Pedido SP N 17850_16 07 2024 Soboce S A_PDF.001

    Filesize

    714KB

    MD5

    325b88a0301801c9e04590d2514f6a8e

    SHA1

    79203bbe463d36eb199c2b97732ba638b5764780

    SHA256

    81f6ee45019c48d23ac3265a1ba120d0b34a74e7a51ae3d1c5cecea4db88fe8b

    SHA512

    32163a4ff580ee3ed1f43ba1990e8688cedd5b44c93ca7de138d6fe69eaaacd6712a3c19c260f692ab964db7677f5d8d79c5171785a4fbd7d15e8d6621b69621

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    db5cf5a97cae67290159ede83c406696

    SHA1

    a569eda52b60d833bcc07c7d1b8712f2c64bde21

    SHA256

    feeac753e30e3adabee64fd0cdc60a6f360615ba4d704ad82169278ce6fa7362

    SHA512

    c4245ffdb94f438aba6ae8c80046b454e3e0250f310ddf681191ef1a270c6fabf84eb58925d9c8fde8396231a0d2ccc5822363dc1e78ef1ea62714b721cc2631

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    2857d0a28331b14efe9f488bef8e2719

    SHA1

    6b0188421f2a3cc135dea90a9ac500bab1ea8195

    SHA256

    6ffbc6db9e7f2e69645dcff186e70951310e8a5d7feaeb1010c93f5f5335a081

    SHA512

    ad9aa8569d4eb35a0014f6b8af128e7363bd083d967da01eab6de07cabd4df06ad1de1f4ca32272ae5b3aec9d741a775bfee4eeaef7d1b9c6bcf1a7f8d80697d

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    5a5b41d6ae5188f46391120f506ceb8e

    SHA1

    80fa785250f0d8691dc6d43bfb2822382da3335d

    SHA256

    36c5e6557b2c4ff138d66da3a883bc192a1c4716faf87dc1c8c9329995c0a127

    SHA512

    c15a7a2f517632b4e95fe8b07fa041b572c34be640a384df7f2cf55f419022d7e26ef9336f56cd5af3d89934745da37264137c4bdf0e821651de25d2831c4318

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • \??\PIPE\srvsvc

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/2064-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2064-1-0x000000007409D000-0x00000000740A8000-memory.dmp

    Filesize

    44KB