Analysis (score 3)

max time kernel: 140s
max time network: 133s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 25/02/2025, 14:32
Static task: static1

Behavioral tasks (sample; resource):
behavioral1: The-MALWARE-Repo-master/Banking-Malware/DanaBot.exe; win7-20240903-en
behavioral2: The-MALWARE-Repo-master/Banking-Malware/Dridex/Dridex.JhiSharp.dll.exe; win7-20240903-en
behavioral3: The-MALWARE-Repo-master/Banking-Malware/Dridex/DridexDroppedVBS.exe; win7-20240903-en
behavioral4: The-MALWARE-Repo-master/Banking-Malware/Dridex/DridexLoader.bin.exe; win7-20241023-en
behavioral5: The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.exe; win7-20240903-en
behavioral6: The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.exe; win7-20241010-en
behavioral7: The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll; win7-20240903-en
behavioral8: The-MALWARE-Repo-master/Banking-Malware/Zloader.xlsm; win7-20240903-en
behavioral9: The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859; win7-20250207-en
behavioral10: The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742; win7-20240729-en
behavioral11: The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732; win7-20240903-en
behavioral12: The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046; win7-20240903-en
behavioral13: The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86; win7-20240903-en
behavioral14: The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01; win7-20241010-en
behavioral15: The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5; win7-20241010-en
behavioral16: The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619; win7-20240903-en
behavioral17: The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59; win7-20240903-en
behavioral18: The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c; win7-20240903-en
behavioral19: The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6; win7-20240903-en
behavioral20: The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd; win7-20240903-en
behavioral21: The-MALWARE-Repo-master/Botnets/FritzFrog/90b61cc77bb2d726219fd00ae2d0ecdf6f0fe7078529e87b7ec8e603008232d5; win7-20241023-en
behavioral22: The-MALWARE-Repo-master/Botnets/FritzFrog/9384b9e39334479194aacb53cb25ace289b6afe2e41bdc8619b2d2cae966b948; win7-20250207-en
behavioral23: The-MALWARE-Repo-master/Botnets/FritzFrog/985ffee662969825146d1b465d068ea4f5f01990d13827511415fd497cf9db86; win7-20240729-en
behavioral24: The-MALWARE-Repo-master/Botnets/FritzFrog/d1e82d4a37959a9e6b661e31b8c8c6d2813c93ac92508a2771b2491b04ea2485; win7-20240903-en
behavioral25: The-MALWARE-Repo-master/Email-Worm/Amus.exe; win7-20240903-en
behavioral26: The-MALWARE-Repo-master/Email-Worm/Anap.a.exe; win7-20240903-en
behavioral27: The-MALWARE-Repo-master/Email-Worm/Axam.a.exe; win7-20241023-en
behavioral28: The-MALWARE-Repo-master/Email-Worm/Brontok.exe; win7-20240729-en
behavioral29: The-MALWARE-Repo-master/Email-Worm/BubbleBoy.html; win7-20240903-en
behavioral30: The-MALWARE-Repo-master/Email-Worm/Bugsoft.exe; win7-20241010-en
behavioral31: The-MALWARE-Repo-master/Email-Worm/Duksten.exe; win7-20250207-en
behavioral32: The-MALWARE-Repo-master/Email-Worm/Emin.js; win7-20240903-en
General

Target: The-MALWARE-Repo-master/Email-Worm/Axam.a.exe
Size: 11KB
MD5: 0fbf8022619ba56c545b20d172bf3b87
SHA1: 752e5ce51f0cf9192b8fa1d28a7663b46e3577ff
SHA256: 4ae7d63ec497143c2acde1ba79f1d9eed80086a420b6f0a07b1e2917da0a6c74
SHA512: e8d44147609d04a1a158066d89b739c00b507c8ff208dac72fdc2a42702d336c057ae4b77c305f4ccdfe089665913098d84a3160a834aaebe41f95f4b4bfddeb
SSDEEP: 192:33K8Vn5fAIBkPA9tQdEnhAv+mKqh1RwE9gCOMv8eIry2aZoa5qq/:33X54IB8SCY2W3qmSgaIrTDSqq/
Malware Config
Signatures

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe | Axam.a.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe | Axam.a.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe" | Axam.a.exe
Drops file in System32 directory (14 IoCs)
description | ioc | Process
File created | C:\Windows\system32\perfc00A.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh00A.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc010.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh010.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc011.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh011.dat | OUTLOOK.EXE
File created | C:\Windows\SysWOW64\PerfStringBackup.TMP | OUTLOOK.EXE
File created | C:\Windows\system32\perfc007.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh007.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc009.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc00C.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh00C.dat | OUTLOOK.EXE
File opened for modification | C:\Windows\SysWOW64\PerfStringBackup.INI | OUTLOOK.EXE
File created | C:\Windows\system32\perfh009.dat | OUTLOOK.EXE
Drops file in Program Files directory (8 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\BearShare\Shared\fxbgbear.exe | Axam.a.exe
File created | C:\Program Files (x86)\Edonkey2000\Incoming\setup_flash.exe | Axam.a.exe
File created | C:\Program Files (x86)\limewire\Shared\Super Mario.exe | Axam.a.exe
File created | C:\Program Files (x86)\KMD\My Shared Folder\Axam.exe | Axam.a.exe
File created | C:\Program Files (x86)\Kazaa\My Shared Folder\Invisible_man.exe | Axam.a.exe
File created | C:\Program Files (x86)\KaZaA Lite\My Shared Folder\AjeedNASA.exe | Axam.a.exe
File created | C:\Program Files (x86)\Morpheus\My Shared Folder\Blaster.exe | Axam.a.exe
File created | C:\Program Files (x86)\Grokster\My Grokster\XXX_HOTSEX.exe | Axam.a.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
File opened for modification | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
File created | C:\Windows\inf\Outlook\0009\outlperf.ini | OUTLOOK.EXE
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | OUTLOOK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Axam.a.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300F-0000-0000-C000-000000000046}\ = "ExplorerEvents_10" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E4-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063040-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063009-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\ = "_OutlookBarPane" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}\ = "_DocumentItem" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063098-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FF-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046} | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063086-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063097-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063096-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}\ = "OlkOptionButtonEvents" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305B-0000-0000-C000-000000000046} | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E4-0000-0000-C000-000000000046} | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063007-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\ = "_NavigationModules" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FB-0000-0000-C000-000000000046}\ = "_FromRssFeedRuleCondition" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E9-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046} | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302C-0000-0000-C000-000000000046} | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063023-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063038-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D4-0000-0000-C000-000000000046}\ = "_AssignToCategoryRuleAction" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046} | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\ = "_OlkOptionButton" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F7-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E4-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063007-0000-0000-C000-000000000046}\ = "Attachment" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\ = "FormDescription" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D2-0000-0000-C000-000000000046}\ = "_Table" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | Axam.a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}\ = "_Column" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C9-0000-0000-C000-000000000046}\ = "_ExchangeUser" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A8-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300F-0000-0000-C000-000000000046} | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307F-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063097-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063093-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\TypeLib | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A1-0000-0000-C000-000000000046}\ = "_ViewFields" | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A1-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}\ProxyStubClsid32 | OUTLOOK.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OUTLOOK.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063001-0000-0000-C000-000000000046} | OUTLOOK.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
3056 | OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
688 | Axam.a.exe (the same pid/process pair is reported 64 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3056 | OUTLOOK.EXE

Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
3056 | OUTLOOK.EXE
3056 | OUTLOOK.EXE
3056 | OUTLOOK.EXE

Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
3056 | OUTLOOK.EXE
3056 | OUTLOOK.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
688 | Axam.a.exe
3056 | OUTLOOK.EXE
Processes

Process: C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Axam.a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Axam.a.exe"
PID: 688
Signatures:
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

Process: C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
PID: 3056
Signatures:
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 240KB
MD5: fdd6f14477346401e681eafb922d077e
SHA1: 1b03b8de5603cea576ee5c761ac307df39008a9e
SHA256: bccd743f456f625ac3b43c89d331419cfdcd63fe2f6ed8dd30d54947cf632302
SHA512: d4f97a3147ccc379f5c9fd5710ba0889efd7aa9480988d1a906a202e4f2e08d749163bee9e5ed80da77aa06af41891440ed406bd9e79cacb01008bb5a8cb5d37

Filesize: 240KB
MD5: e5966e1802f988efb08504b17b2b79e2
SHA1: 3d8997b7461b5986aa1911e2afe91562ea0611f2
SHA256: 5c3052e76a93c603576b5243585c8af6c90693e6d6615de1c3b62e4885777a75
SHA512: 3205183230514ba28bfee3beccdad6b5d5a6dbaa1698cee387bcef1e2601cee36a08337a76f18cd185f623282f6939c32439bc13f6736dc27b114430d973d075

Filesize: 240KB
MD5: f7193056a9722561256c60b1ba0e5178
SHA1: 2ab0c6e044edd9aceb8768197cf14280b1c5bddf
SHA256: a5c3dcc73ae9c971a411674490e6ca18f4912893879816aea90f8fc63ff9187e
SHA512: d42e53ff3129cd40d382c665c3ae8be8fe3bc71e710f02058c6fe633c161b4e110be3f1691ac9ddcb97688a2ceac664e32a033b5451f39f66ec63b7ad5b13523

Filesize: 1KB
MD5: 48dd6cae43ce26b992c35799fcd76898
SHA1: 8e600544df0250da7d634599ce6ee50da11c0355
SHA256: 7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
SHA512: c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Filesize: 11KB
MD5: 0fbf8022619ba56c545b20d172bf3b87
SHA1: 752e5ce51f0cf9192b8fa1d28a7663b46e3577ff
SHA256: 4ae7d63ec497143c2acde1ba79f1d9eed80086a420b6f0a07b1e2917da0a6c74
SHA512: e8d44147609d04a1a158066d89b739c00b507c8ff208dac72fdc2a42702d336c057ae4b77c305f4ccdfe089665913098d84a3160a834aaebe41f95f4b4bfddeb