4726db7fa32f6c204968dd2e4d289d4235254be54fd2150cf7569f91d0b57c01

Analysis

max time kernel
137s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20250328122946-013_RADICAD_74123-bboadam.msg
Size

18.1MB
MD5

d3b2438ea83b35fee618e8b8c535f2b8
SHA1

47f8c99020a84d2c8e16a09b34d57929d817a8f7
SHA256

4726db7fa32f6c204968dd2e4d289d4235254be54fd2150cf7569f91d0b57c01
SHA512

6ec9a5ed837b8395fdd73e1754fe42feb341904d0cd7caf297b7ccf5d5eb66dfa8633f84212ce314210248e40cccdfa474406af2b0a8445f3912c3eaede5c0ae
SSDEEP

393216:36btumBR+q0PRt4IM1MXB+cNVPdVO4zlprkbRU2X0wJpkWrdnXN9X0TGyGYzRSTr:qbtumH1PZ1M8cNVP/llprwrfkOaS+qO

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\PDFFile_8.ico	OUTLOOK.EXE
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	OUTLOOK.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CompressedFolder\EditFlags = 00000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CompressedFolder	OUTLOOK.EXE

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\DFSWKNHL\NKL - Acta Visita 8 Noviembre 2023 - Renta 2019.pdf:Zone.Identifier	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\DFSWKNHL\NKL - Acta Visita 8 Noviembre 2023 - Renta 2019 (2).pdf\:Zone.Identifier:$DATA	OUTLOOK.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\DFSWKNHL\Info Enviada DIAN Acta de Visita 08112023.zip:Zone.Identifier	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\DFSWKNHL\Info Enviada DIAN Acta de Visita 08112023 (2).zip\:Zone.Identifier:$DATA	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1252	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1252	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1252	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1252	OUTLOOK.EXE
1116	AcroRd32.exe
1116	AcroRd32.exe
1116	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1116	1252	OUTLOOK.EXE	33
PID 1252 wrote to memory of 1116	1252	OUTLOOK.EXE	33
PID 1252 wrote to memory of 1116	1252	OUTLOOK.EXE	33
PID 1252 wrote to memory of 1116	1252	OUTLOOK.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\20250328122946-013_RADICAD_74123-bboadam.msg"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\DFSWKNHL\NKL - Acta Visita 8 Noviembre 2023 - Renta 2019.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\DFSWKNHL\Info Enviada DIAN Acta de Visita 08112023.zip

Filesize
17.7MB

MD5
f4e05f9c0e5b13136df737c21e633d9b

SHA1
47280caf864ca45703ae9d8bf9e1c84deb055ee0

SHA256
67bd818c04d607763715aa3731f1e28b4af0e06ee93edbf07084299784bc3c6b

SHA512
868d67c570f54292ab76ab421085e976b926ca004efaf8518289411789cdbd6e3edde13b7a4e47119c41a418a081b164a5076b4766ab721deebddeaed84d7a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\DFSWKNHL\NKL - Acta Visita 8 Noviembre 2023 - Renta 2019.pdf

Filesize
132KB

MD5
72e141d862fe5590d34371d4369fb6fd

SHA1
2b98646c095c70763301813b45654adb58625d8f

SHA256
e6a132c37a13f1f2c22e6144f40b1fdf1b7c9728027d21ad802a478e3f68bae6

SHA512
5a77e14a4c6e09ac8625ecbfbc5c525b82f00e0bf34c13a19d70f137a5cd7af502f01887a353556558f1bb164839eabe0e49641357e77fc6fab112961f5feed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\DFSWKNHL\NKL - Acta Visita 8 Noviembre 2023 - Renta 2019.pdf:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
6c50f0baa4e8509b7c6606ee6b37ec7b

SHA1
24af92177e2e250a8c697e358818c834c60510f1

SHA256
70f078cc78a19a8f8b6229277f0b0ad0d03db9e420d1cc9dab32bf62e7f6bbb8

SHA512
cfe1edaca83ea74b45510a3ffecb71acbcc39343d6eb25d8ae6a2b8cc65d2ec375ed422edd99c570138f79c72448e0ff8220c412927c645e2751cd8bd8393c5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1252-1-0x0000000073B8D000-0x0000000073B98000-memory.dmp

Filesize
44KB

Download
memory/1252-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download