a1ab2444e344b62b37054748a0b1355f0c5e48bd710f2628ebaedcb178292970

Resubmissions

22/08/2024, 02:35

240822-c2575svalf 4

22/08/2024, 02:31

240822-czs5ssxgpn 5

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PHISHING EMAIL SCAM ALERT - Midea 2024.pdf
Size

389KB
MD5

00cd3cf63c441547a5db94f99b53087a
SHA1

e8f679f644a53773adedb049a7d5f6024b3b52c8
SHA256

a1ab2444e344b62b37054748a0b1355f0c5e48bd710f2628ebaedcb178292970
SHA512

b45dda676009257eb3f97ea3773fa3921869b7438e7aabee72bac236f3d6dfa2efc5cde5f0ecfb2a9c23576d2dd9304b5f0c16f3e32050b4c9309f05ed3036f2
SSDEEP

12288:edMznsHW8PsYHZtcBJmRgl5h60xs+FGyG5rez:edQ2yJugZ6nF3sz

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1676	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe
2680	AcroRd32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 1676	2680	AcroRd32.exe	31
PID 2680 wrote to memory of 1676	2680	AcroRd32.exe	31
PID 2680 wrote to memory of 1676	2680	AcroRd32.exe	31
PID 2680 wrote to memory of 1676	2680	AcroRd32.exe	31
PID 2680 wrote to memory of 1676	2680	AcroRd32.exe	31
PID 2680 wrote to memory of 1676	2680	AcroRd32.exe	31
PID 2680 wrote to memory of 1676	2680	AcroRd32.exe	31
PID 2680 wrote to memory of 1676	2680	AcroRd32.exe	31
PID 2680 wrote to memory of 1676	2680	AcroRd32.exe	31

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PHISHING EMAIL SCAM ALERT - Midea 2024.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:[email protected]@[email protected]"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
a3beeb7d54931460e7064250f1040b51

SHA1
80c283e70d0bdca1afe76db33af91657d4f6718f

SHA256
8ce385c03a374824efc2427e0e2b9671d8f42f4625b8ea85897ce81bf88c4b2c

SHA512
ad060981d087fbe54a07fcf855d3120dc3664bc0b4e0e551cb3a065a80d86d7146ca93cf4bfc7d44c77f741ffd4e5abe1c2190705f98bd048dd6155dda3213ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\Security\addressbook.acrodata

Filesize
5KB

MD5
4618312ec50b52c81043bb6ff393cfc3

SHA1
80537497d939529b34de993b14d96510068bf075

SHA256
e8e27396e2a043abd283eed4fd5b8fa256cc22e741defd522158fc9e29205839

SHA512
fc589a974f35ee83c297784c7d7cc62826854422ceec2d5ff46aa6575f5b2bade27d26c1dfc0686602c81e5c14f75f7abd23e6c19fd90a2dbe70e0f5c09251e9

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
7672eb6350d3ed27fc66d1d02f07aeff

SHA1
7dc64766e38d00984644d880e53dfbe638f1a8b1

SHA256
8bc862db7da5c258270d34e998226f121353ff191487ef9b37adfe31e80d29d0

SHA512
3c077b2c4af339c32ea8c9844f328f56a64271cb687d57e1b0acb97abcfb4a047de69084bbee3d933a5eaef5f0942e2beeeb2125a73a641760864603cdc03ef1

Download Submit
memory/1676-89-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1676-212-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2680-0-0x0000000002BF0000-0x0000000002C66000-memory.dmp

Filesize
472KB

Download