485939cbff47d7081e327309295f67ccb9be619ae72d8334c13157b9ccdf7a00

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

phish_alert_sp2_2.0.0.0 (9).eml
Size

48KB
MD5

394004d3066daf77aecbfc4aac53cd49
SHA1

96bb9ae985e12d2eda71b53839741af1aa851745
SHA256

485939cbff47d7081e327309295f67ccb9be619ae72d8334c13157b9ccdf7a00
SHA512

501a8bfd9ddb0409d239cb43b0affd80e2a03aa005b0a72c8505aa03a63f2bdd87c21209a4ed66ff91e6278e21139e616b69ef4aaddb1a755225ea3739a9a825
SSDEEP

768:J2cia+fQNz+HWc+QkLgi3lJxCKSMNRxMgWTwA2zy0YBqon5B7q7q3uMps:J29XfQNz+HWc+QjkMgk06qonP77uqs

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2736	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2736	OUTLOOK.EXE

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\phish_alert_sp2_2.0.0.0 (9).eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
230KB

MD5
eb5f7049fd0c4e024391fad3f248870a

SHA1
b0822f089374c74a5f4a10023fbec7fd220ec9c2

SHA256
dc8b05ad56f94dc87dcb289df3d201da547acf748989f51936f48bb65c76a5f2

SHA512
f84312dadfb6c771205fb125cc3ca1cc99eb5dc007f69ad9e214cc277bb766c3e8efff1f8f39913e89570304ac9feba03a1846c2b082b51a792d22f4ef5d52dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
c90cc34cedb8f89e66356d673373caf6

SHA1
41f70ce56d0b635b17b98a1c4dfc4d47eb4101cd

SHA256
e6e315dec78df4006f1ced87e0c09131cc2c782cec3fb375ed769dedc5ee0711

SHA512
19cb570a2be8c7244543d81dee1d49e8a18340c1f92c59e6e8b721db7ab51fa77cd2321e23b675f202fb5e0a19af6a7e21af53b58ed797c21ebda4eb14f33b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
6bf7f39058a26030cfa661124b5e28c3

SHA1
bd48ea46b91fbd7f66c8f624d6eb515339740837

SHA256
5b2b997d4b0b5f0a7a205b03cab85882c182753306b320e4372f5ca0836b34a7

SHA512
6bd74ed57b3fa94d9451c98be86039e880798b63e988eca235e76766659ba16b8e65de19d770466971c5206188a36186fd291e5b1045e615f687ebfcde3db439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
memory/2736-1-0x00000000739DD000-0x00000000739E8000-memory.dmp

Filesize
44KB

Download
memory/2736-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2736-124-0x00000000739DD000-0x00000000739E8000-memory.dmp

Filesize
44KB

Download