ddf0e277fe57779b5afcd54250f583e6e3749b13a0afab9f24d761d2969a9eff

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d789879fb4a6c42171f2cb73a8d85d094629eea7ae02f74d55263403b6358ef9.eml
Size

866KB
MD5

88c77cc2e6e9d9f6deb1f001910d4c2b
SHA1

0f6fdcef13a6b1bc7f32598ee6e18693fd5566f6
SHA256

185a044604b0a636b9da7f2406bfd4524df50287bcf694ed0b085770e5cbdad2
SHA512

ce8c3add88bec211a1a977bdd1076690f58f18514f57d3ae7cae56680c4abe16e647b9f8019a246d1f6a29d5adaa18253aac6382469a3a493e0206ac1cffbae7
SSDEEP

24576:p4LWPLhm22nJC1La+XBcnXWRcR3v6QB6IXNq:pm85mWiv6Hz

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2960	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2960	OUTLOOK.EXE

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\d789879fb4a6c42171f2cb73a8d85d094629eea7ae02f74d55263403b6358ef9.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
e3bc0f38499e378be13f92ea30e2706f

SHA1
405f9d5dd6eefc4cd1c342cddcd51d5a8d77c993

SHA256
453d29cf3be7e8c8fad0db3d7ce12ecad48b77acf4c38858f4442e6637c514e0

SHA512
92dfe35c48110906fb3894879f1cb205d9bfae4c29bd36f187e483a5283f5928d1a554c5a234d9477fe507669f458ec371723bbc91c8fc04268d61422dc7d805

Download Submit
memory/2960-1-0x00000000733BD000-0x00000000733C8000-memory.dmp

Filesize
44KB

Download
memory/2960-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download