b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

Analysis

max time kernel
31s
max time network
41s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 22:18

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/Worm/Blaster/SANS_ Malware FAQ_ What is W32_Blaster worm_.eml
Size

432KB
MD5

50a0ceff0b8383aefb4d8e50723af084
SHA1

f2f41eb01853a96ba3d85001948a8a93d1e681eb
SHA256

84073caf71d0e0523adeb96169c85b8f0bfea09e7ef3bf677bfc19d3b536d8a5
SHA512

4c493319d9e2b6b087590a2a46c5f0d50bd9b587b8b26034f943e9b5b4bb14c4cd96ed705fd1d62917a8c83a4a79caa79fb8a127658faeeda309569db6a3ae54
SSDEEP

6144:cQJvSJ6lq6yuGkSdgiaXulosdmpmdGdjI6uUD8ZN9Dts0n5gMQIn0j0HQDM/UH:Z4kSdRzWzpgGRIGM3WC5p2IG

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2644	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2644	OUTLOOK.EXE

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Worm\Blaster\SANS_ Malware FAQ_ What is W32_Blaster worm_.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2644

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2204

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
962b79ab962bc467edd89eedada9e127

SHA1
7533603e3f80039d017fd685006172e598ae4168

SHA256
6497e19381d03062c94c75317dc40a89b3aea5242c374847c450d3e7270fde69

SHA512
31164eae1138629900eaf5d206cb0f7850dbf4061aa036c8ac09719699b59b4397ee2f79dd092b3041cd7d4cdb3c8d2ed2ab5b64b6b1a0ad2cc8aa854d2a3584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
576B

MD5
d85655216b438b43a0de3e721357e7ae

SHA1
79f34b586af9a2d40942e06eac420fb6d5d122d7

SHA256
af8dc290dedc15d78122af80d4c45ba496670b3d6bfef24285b156aa54d580ea

SHA512
9a4070d75581d30e1d218ab8d56a4f52f5f8b6ce209d16474c9ae2ba8c939f60c7c31cafbd400fb9055ebe6c30760c4bb2361bf657b95192690c8b65250cad56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
memory/2204-129-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x00000000733BD000-0x00000000733C8000-memory.dmp

Filesize
44KB

Download
memory/2644-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2644-124-0x00000000733BD000-0x00000000733C8000-memory.dmp

Filesize
44KB

Download