307b5ca0f17435e56b2abf0c55b09905a6a512f8044ed0688b4b3eb83b8dd9b7

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 19:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

_6EHIP7ZNS8q0SZtmQxDjug@geopod-ismtpd-2_.eml
Size

40KB
MD5

833135ea7ad5da9c410787d0f706e7e3
SHA1

118726cc547500481f51019a8630a57bd9db7cb2
SHA256

307b5ca0f17435e56b2abf0c55b09905a6a512f8044ed0688b4b3eb83b8dd9b7
SHA512

552540ddf13a2a3fb1c2c7d04b574068b786044c5800135bcbb7f1a41e793fe0be7048841ead2ed8136fc85ddb572d22281aa493a88fdb0fd4fdd9d9a49467eb
SSDEEP

768:q/1+LX1RJr6SlE9l68fXXpcLn8fXXbE1KXSl6r:q/10HA5zr

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2768	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2768	OUTLOOK.EXE

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\_6EHIP7ZNS8q0SZtmQxDjug@geopod-ismtpd-2_.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
225KB

MD5
5f28361a730ff0c3db576def332c0b7d

SHA1
8f0b3a97fe26316a13c7afa3e0f5a6cb7bbbcdac

SHA256
6236a3320c48aa02879b490b6b9490a4047541285ee6bfe7d9092bd60063ad31

SHA512
799b4ed32e2e808dc8d5358ff9c1614ce416abaf97c82f13e3e83824c237a7791b12b6e219644070f722b80d3c00055393dedd3ba42b069201657ec1c5c14205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
memory/2768-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2768-1-0x00000000736BD000-0x00000000736C8000-memory.dmp

Filesize
44KB

Download
memory/2768-132-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2768-134-0x00000000736BD000-0x00000000736C8000-memory.dmp

Filesize
44KB

Download