87c77b9aa2340d1597278461facf02931791bc1b368d4f2ca1d59fe55794e700

Analysis

max time kernel
837s
max time network
845s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Data/Config/msg_30.eml
Size

345B
MD5

c045ee85a52d1967d69de8a9614085bd
SHA1

da33f4f914ef2abb8871a2edca2814df2c40043d
SHA256

c35da53f1c5bf7639417aecde7052db57700828fcff4600a81751ae13bac03a8
SHA512

2f491e5ab0ffa3a3056042f8f5175934807683a01bff476c3e2b6560d455ad24ceaebf20e462baadb2b8211883e449af15ccf4dc6c11182b29fc8dec014d4cc9

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1668	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1668	OUTLOOK.EXE

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\Data\Config\msg_30.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
230KB

MD5
5d662e436c3502e2063d6c77f5e3c633

SHA1
34e81daa49d014e48d67ede430b08ce06ab240d1

SHA256
80e2cee41accc4deccbce94f2b1179cf1a7a4fea63ef24d086e585e4d8b6d391

SHA512
7746dafa76c7cabb8c5eeaab1cf93701e56ef4d534aca4f6df20a3d14e8189e40c7f3bbdd6b6a52f4b77d291ca81c023faa43c480ef4e1c4ef2174fd6491674a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
9892f7e2f4d3e18f615edcd542cedc1f

SHA1
8fa00ae6142842f5e6595b982ad39ad4f55432f4

SHA256
cf34e6eedcef66949b5ec707f63ed7ed8ca46ba809cd3af5485e38f37404865d

SHA512
ccaab0e12665d6d049f34008a7f18e7c95115113a9c85fe1be4a9820898e0f03c0b3a0631f4a5f63ae4f97172f1042c59320a9801f453a32d31244647e5e4980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
8b7ee82d8c395441573ae6363ba52124

SHA1
4ad75024f936b3a500dd2a6978ed4695b7ce77d0

SHA256
e03f6152e5067d1e5fb1df76614b9a8d76505a497e1da06cc77d34edfe420443

SHA512
eb1ba7729003be345b71d3aaf54c7094830493a50951e18b29dc07e07122c07172398a8c45aa773823a1ef4c708f8eb41c5aaf7aa7d116650ba4f6ae1ddb59ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
c43efd15dfb0202d40dd777a75930908

SHA1
9af1e66082381a0c85eb544e0b1bafe98e6e8297

SHA256
07064615888abf1a10e9452731c5ac1d1c6dd3ee628e3fffef12d729f42c1042

SHA512
f42a2c0426ab78569a13dd8b3c4f53806c5dfaae63651c839ad84bc624e0de899f4512e89757873444cc43dbd20d94c5a6bb5a35e8ad6d01d33733bfd2fe41bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
memory/1668-1-0x000000007368D000-0x0000000073698000-memory.dmp

Filesize
44KB

Download
memory/1668-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1668-124-0x000000007368D000-0x0000000073698000-memory.dmp

Filesize
44KB

Download