fe86890c61c00bc5eeeda0d4c9038a432dc99200b8142f65001cc6a0fc730ef2

Analysis

max time kernel
87s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fwd GPVTI COMUNICACIÓN PROCESO SANCIONATRORIO GPVTI - JEP - UIA.eml
Size

640KB
MD5

6697a94cdb76bd1e466c08e5f5b858e3
SHA1

ee4743081673718f981c63f20cd39993ae95b212
SHA256

fe86890c61c00bc5eeeda0d4c9038a432dc99200b8142f65001cc6a0fc730ef2
SHA512

31913926ec414f7896cdd5af4963c39cd6def8c34c6485e1b21c57a43a005e4915253b78b3725ebaead52959558f4e9c58ab5cfa09f2d3a5a233c12d6e055c4b
SSDEEP

12288:ilHolHoO22nWC4OxOL7ljWfTmvYnL64ZTrFPhEHyQ5aKqJDpJmxncBoyk:ilHgH32trOxUadnTZ/thV17tJma8

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

OUTLOOK.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OUTLOOK.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

OUTLOOK.EXE

pid process

1356 OUTLOOK.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OUTLOOK.EXE

pid process

1356 OUTLOOK.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE

pid	process
1356	OUTLOOK.EXE

pid	process
1356	OUTLOOK.EXE

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\Fwd GPVTI COMUNICACIÓN PROCESO SANCIONATRORIO GPVTI - JEP - UIA.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
a030e16c7ee04487fe00c81f7b06a533

SHA1
8363a7a6645c79530dfc11d5a8a0ae6308bc739d

SHA256
a6e7d44c1dee37a5d16f64aa46c4f731214ccceae0995b8469e4b8e0dd476bb8

SHA512
01fa3fa8f9a2f47eaf1d674c4fbac64552370d76ff42ca5677d15be37ebb0c884c6799dd47197137c30ad557bf094c16014d64af70dd6cedb29635952e0c8827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
04b316e148eba762f1f2a07977deee9e

SHA1
a9873bc31188729c452352906f3a6a367c63aaab

SHA256
4ddefa2bd4bd6a844895a0828e46b2faf27d33e0bbe86e993a671f0bb8342dae

SHA512
42a7e4f26a4d472afd1216b4a289d17663384b5e20771d2273bf8b6214e937e0f1809b917fe6a37e60a2f81e5c752c35b4b360e36df6beb831984b6aad40c5ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
memory/1356-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1356-1-0x00000000739BD000-0x00000000739C8000-memory.dmp

Filesize
44KB

Download