ddf0e277fe57779b5afcd54250f583e6e3749b13a0afab9f24d761d2969a9eff

General

Target

Envio de documento OC016 PAGO192025.Pdf-password(2Qo0Qsm6).zip
Size

867KB
MD5

eaccce8a63a1cdccd71b6efc8091a339
SHA1

cc9f3f48979e3ee61f1a7a1e94b25d07fe1ed562
SHA256

ddf0e277fe57779b5afcd54250f583e6e3749b13a0afab9f24d761d2969a9eff
SHA512

9a848b59ca9d72810c1c5864a77acb7666a3c497c2d8072216abc4b3adb980360ef179fc4ce29b51449ffee30af33146f7fd6340cc71876c10562fb679b745d9
SSDEEP

12288:fmY9JB+AAxC6IkynCeuXCWy/eVV2SbqahdwtyOyYBufkQZqTzxX20ICiRznqL:fPr41pIkXraeekqaIXufkQwTB22QrY

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2980	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2200	7zFM.exe
2980	OUTLOOK.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2200	7zFM.exe
Token: 35	2200	7zFM.exe
Token: SeSecurityPrivilege	2200	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2200	7zFM.exe
2200	7zFM.exe
2200	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2980	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2980	2200	7zFM.exe	30
PID 2200 wrote to memory of 2980	2200	7zFM.exe	30
PID 2200 wrote to memory of 2980	2200	7zFM.exe	30
PID 2200 wrote to memory of 2980	2200	7zFM.exe	30
PID 2200 wrote to memory of 2980	2200	7zFM.exe	30
PID 2200 wrote to memory of 2980	2200	7zFM.exe	30
PID 2200 wrote to memory of 2980	2200	7zFM.exe	30
PID 2200 wrote to memory of 2980	2200	7zFM.exe	30
PID 2200 wrote to memory of 2980	2200	7zFM.exe	30

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Envio de documento OC016 PAGO192025.Pdf-password(2Qo0Qsm6).zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2200
- C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\Admin\AppData\Local\Temp\7zO8985DE18\d789879fb4a6c42171f2cb73a8d85d094629eea7ae02f74d55263403b6358ef9.eml"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
bcbaf2db07e2480ca5e059d16a7cb29c

SHA1
9d13cf51ca22e16f05da868dc8f2d73b15bf8830

SHA256
45b12878ff4af726e255999f24b713b253bec26e805061b1f0fe4e79b3796f0e

SHA512
148f3acf90d145873c255baaab2ddbfd5441cc67c5360d8641ef731fa4b2a9c08d70ad84d53ab93d21cda7fb645e2a4658e7eab2a2a6085b688330171592165e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
7e0cef19f6d70e92251da7071ba69ad6

SHA1
b0d748baed3617b56614c16d8c24447bd5679074

SHA256
9660d08d4c42b24af7c4cfe788503a433967c639757f30fc42a66405a8c6e7d7

SHA512
abe417284fc4ea79b36ea5809d2346910952e8a80a346e71f11473736759707dbd92f3e527e9c90cf3a8f6b987eae8bfcb940312800a028b1e53939726ad55e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
memory/2980-3-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing