7e7263b7b42454388d2c7fe248ee2f214182d600ceac8314f640b97b9558340a

Analysis

max time kernel
360s
max time network
361s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CORREO RESPUESTA SOLICITUD DE INFORMACION.-ACTA SEGUNDA VISITA 2.eml
Size

29.0MB
MD5

92b2fa9b3d2ac576890968af9b2c6804
SHA1

62f4c1792b6e474974310318c03be8521353860a
SHA256

7e7263b7b42454388d2c7fe248ee2f214182d600ceac8314f640b97b9558340a
SHA512

cea547ce575312dc74d36032feb5b7b9cb7119052a3de43fb8c7443dd410698a357a5616fe85a9167072c7cd7110beae0026446ad564a6274723ef05bf3c00db
SSDEEP

49152:XG0n/xs80E3nGcHQIkZ4rD4I4Qrg6qRLGPzXa4cYTf78XCU731vEsvKGTnnUPoMk:y

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\PDFFile_8.ico	OUTLOOK.EXE

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063007-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E4-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063034-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\ = "_OlkFrameHeader"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\ = "_ViewField"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063036-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}\ = "_OlkCategory"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CF-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D4-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\ = "_RuleCondition"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067368-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CE-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067368-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304E-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063076-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063023-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063036-0000-0000-C000-000000000046}\ = "_TaskRequestItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B2-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305B-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063098-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303F-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CE-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DF-0000-0000-C000-000000000046}\ = "_SenderInAddressListRuleCondition"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FA-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C8-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063038-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE

NTFS ADS 14 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL4548 MERCADERIA VALLEDUPAR.pdf:Zone.Identifier	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL4548 MERCADERIA VALLEDUPAR (2).pdf\:Zone.Identifier:$DATA	OUTLOOK.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL 4712 MERCADERIA FUNZA.pdf:Zone.Identifier	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL 4712 MERCADERIA FUNZA (2).pdf\:Zone.Identifier:$DATA	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\ND-CFPL88 Mercaderia Medellin (2).pdf\:Zone.Identifier:$DATA	OUTLOOK.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL 4733 MERCADERIA IBAGUE.pdf:Zone.Identifier	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL 4733 MERCADERIA IBAGUE (2).pdf\:Zone.Identifier:$DATA	OUTLOOK.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL 4751 MERCADERIA VILLAVICENCIO.pdf:Zone.Identifier	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL 4751 MERCADERIA VILLAVICENCIO (2).pdf\:Zone.Identifier:$DATA	OUTLOOK.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL 4748 MERCADERIA FUNZA.pdf:Zone.Identifier	OUTLOOK.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\ND-CFPL88 Mercaderia Medellin.pdf:Zone.Identifier	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL 4748 MERCADERIA FUNZA (2).pdf\:Zone.Identifier:$DATA	OUTLOOK.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\ND-CFPL68 Mercaderia Bucaramanga.pdf:Zone.Identifier	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\ND-CFPL68 Mercaderia Bucaramanga (2).pdf\:Zone.Identifier:$DATA	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2084	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2084	OUTLOOK.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2084	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2084	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
1264	AcroRd32.exe
1264	AcroRd32.exe
1264	AcroRd32.exe
2084	OUTLOOK.EXE
2880	AcroRd32.exe
2880	AcroRd32.exe
2880	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
2608	AcroRd32.exe
536	AcroRd32.exe
536	AcroRd32.exe
536	AcroRd32.exe
2840	AcroRd32.exe
2840	AcroRd32.exe
2840	AcroRd32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1264	2084	OUTLOOK.EXE	32
PID 2084 wrote to memory of 1264	2084	OUTLOOK.EXE	32
PID 2084 wrote to memory of 1264	2084	OUTLOOK.EXE	32
PID 2084 wrote to memory of 1264	2084	OUTLOOK.EXE	32
PID 2084 wrote to memory of 2140	2084	OUTLOOK.EXE	33
PID 2084 wrote to memory of 2140	2084	OUTLOOK.EXE	33
PID 2084 wrote to memory of 2140	2084	OUTLOOK.EXE	33
PID 2084 wrote to memory of 2140	2084	OUTLOOK.EXE	33
PID 2084 wrote to memory of 2880	2084	OUTLOOK.EXE	34
PID 2084 wrote to memory of 2880	2084	OUTLOOK.EXE	34
PID 2084 wrote to memory of 2880	2084	OUTLOOK.EXE	34
PID 2084 wrote to memory of 2880	2084	OUTLOOK.EXE	34
PID 2084 wrote to memory of 2608	2084	OUTLOOK.EXE	35
PID 2084 wrote to memory of 2608	2084	OUTLOOK.EXE	35
PID 2084 wrote to memory of 2608	2084	OUTLOOK.EXE	35
PID 2084 wrote to memory of 2608	2084	OUTLOOK.EXE	35
PID 2084 wrote to memory of 536	2084	OUTLOOK.EXE	36
PID 2084 wrote to memory of 536	2084	OUTLOOK.EXE	36
PID 2084 wrote to memory of 536	2084	OUTLOOK.EXE	36
PID 2084 wrote to memory of 536	2084	OUTLOOK.EXE	36
PID 2084 wrote to memory of 2840	2084	OUTLOOK.EXE	37
PID 2084 wrote to memory of 2840	2084	OUTLOOK.EXE	37
PID 2084 wrote to memory of 2840	2084	OUTLOOK.EXE	37
PID 2084 wrote to memory of 2840	2084	OUTLOOK.EXE	37

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\CORREO RESPUESTA SOLICITUD DE INFORMACION.-ACTA SEGUNDA VISITA 2.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\ND-CFPL88 Mercaderia Medellin.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1264
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL 4733 MERCADERIA IBAGUE.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2140
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL 4751 MERCADERIA VILLAVICENCIO.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2880
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL 4748 MERCADERIA FUNZA.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2608
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\ND-CFPL68 Mercaderia Bucaramanga.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:536
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL4548 MERCADERIA VALLEDUPAR.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
226KB

MD5
bfb17a61fb2f486f4ed82fd7c584d12f

SHA1
c9933b27f0bac54be7e50260305bfe145a883468

SHA256
abc66b367aea9dd4e1b3e92d8a9e7ce0df959230cda465c32d0e3b2d0032f7ec

SHA512
ef3add1ae706b6e8832fdee49d1a1af18d57a042544032546605e4838847fc7730a3ed05171375450c72905d76c0b1730d8cf8dde1a9c3ea2c5a25ae3a65205f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL 4712 MERCADERIA FUNZA.pdf

Filesize
106KB

MD5
8951da95466a06f86b3562cf13a93f3c

SHA1
456510ae53d2b9ca5357792af1c0d2c70efe191e

SHA256
4328ecb1324084240c01d2de4d03af4c518a8d16f847de2b545713c72c0749a3

SHA512
317fd8b565a20e75a0bef511bdbc6535e57449c0e97fb602348b424d37fbba42de8679e9a1e69123eeb753d2d13070f19d2deab9dc527f256c34811f35ead288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL 4733 MERCADERIA IBAGUE.pdf

Filesize
107KB

MD5
314e601cfb7a639d4bff02435d3effa5

SHA1
0661880c056446975b167dbc9c8eec08b848c53f

SHA256
5b9c18620d47e1590162952d857c72e9ebff85df070ce36733fef718abf6a3af

SHA512
7c9e546edc95b451c1f23b047ad447cd2034c505b72cdb2de70d82fae4b983f0ca1a66b58ae2a7d41c1e9fcce4342c0d862e09c737b4402be71dc64f850e77a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL 4748 MERCADERIA FUNZA.pdf

Filesize
107KB

MD5
6c88fd1b5a20eb3fadd9fcb2a81195f9

SHA1
66ef1583ab4bc6127d772199560c93e8282e39ec

SHA256
1ec93594317f36f3f9b949397bccb3da0593c094e45cff3d4195b74af4ece81b

SHA512
d60412bd6b74bb1525c62955f42dbd62721307fcfe0e300120a8140da1b27fff1eb5ab8e65ca61cb4906c005d9a3d686ed349ca63cbc3c7377138ec077f1a81b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL 4751 MERCADERIA VILLAVICENCIO.pdf

Filesize
107KB

MD5
db1f3032975521d3277cdae082cab5da

SHA1
06ba7a3a6132d804580be10f49a4a3a274c2d3a9

SHA256
1806ca1e5381955362673eb795157bc7e2f4daef3dbda3d70133a6630c610c76

SHA512
3258d0e1ef493f14edea1757ec508e1f8791a8586fcffdac2f3669ea011eb664b3d421fb33c811183984d8ebe5db74e88093ee1ee0f73602e13cf2d8dba10fab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\NC-CFPL4548 MERCADERIA VALLEDUPAR.pdf

Filesize
107KB

MD5
b139aa368668f7f7c0b3044d3cad9b31

SHA1
da1c0b208604270d26dee09deb6429a0f1dafd5c

SHA256
e0157ba866f1d0399a8762973f99a31c776ead5309fb28dd56098feb80f2e70a

SHA512
e6e4bec98866d15e2cae4e8758eaf40057e375eeaafb2594c6689c3fc1a94ee25f2eb22bc7a35150831045232887c1b5ca418a6ef031056a1ba34724a276454d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\ND-CFPL68 Mercaderia Bucaramanga.pdf

Filesize
109KB

MD5
7e3807966ded5c6cbee7cdf7ee8edb77

SHA1
73f26788c6b41dd32b89fcda70fa9f5e02f59fc4

SHA256
2abe869720f18d6236a8a60d0629aab06d93ff1272c6f4f0afa8cba8c1b026a2

SHA512
56eff0d74f51c504c67eea8a65a1aafa0679e4a7164d41ae5519dbf693d83a55a3715848baae7b284f11aef2dd0ade7f7c52774400d538ad7e1dfda40c6d236b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\ND-CFPL88 Mercaderia Medellin (2).pdf:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\T4U1EP0T\ND-CFPL88 Mercaderia Medellin.pdf

Filesize
106KB

MD5
a7e4f3c26501e1bc5784f76fd63ba7ef

SHA1
d54d59afbe5d74ca71e261b240dfc5c03cd494ad

SHA256
8be3586b3bb1f05cfa1e34eb910090ea41244ce434d822684706abc9750247fd

SHA512
07049d4ccfd4444519544213ad2b577f4d4cc348c9abac5015f9950af41d85247a78aaf22f54036a2da9921069ba2e0a0280bc3b69cad5d45eddedd2fde8cc88

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\AdobeSysFnt09.lst

Filesize
135KB

MD5
a3e82779d757fb4faf9cc73237c18b8a

SHA1
ea034b8be607b5244f71e3611aea533aba490177

SHA256
d4c9d7a37ef7b1dfa3411ff02127df69b6aab8f3e08abd8dacdaae5fb9fe0d9a

SHA512
b256f6f0e2566d86188ee56c9cf0e5ad28231a92cbea8368a178347ac75fa653f964340db541bddd7c7de7f66b918f2c51a4e8243b504b475c9ac09dd760c44f

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
0e96e672625ae9b060934b0ceed8dc58

SHA1
ad1e1cfc5815ffd993b5d5d3b129eb435a58cb18

SHA256
2455ea8b22cf9cfe5fd027410177ecb3ac59cbc46a5a016665d8ce45ef65ee63

SHA512
1b368281dbf9e2ba4a8232cf291ff1f57711db4bd69e4cc7c4feb4c28ea0620d53601462439f40b28111e34c20d3d6347305d75b54eaa079b40817bae826de87

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
743fbf13d35777a374a822793046df79

SHA1
8ef8281d36d1f7c7286e4af0bfaebe3172cbad57

SHA256
84717be19c0a0ae5a0c4d8fa0ce043acd8535606f904f1d484c48d067fabc7e5

SHA512
1c2d3e7cb0957f0d78540675645836ab19f9a888b7c44827b2f0994d4ae5ae132cd843524317c500a0a7a77969b211584fe034ada2bc72de66aec394fc9757a6

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
26249e3b7318da6d798bfeeeafce4e4b

SHA1
f26929d8675c50126982754156b58707c1970ecf

SHA256
5d72b6ccbd4cd5e0fba9e3a96efb4968a38047e95bfffdffdebe8f1404b7e813

SHA512
33b3c90a988223b8028be616802bb588215f4a098532d04de7106b2c832acc9d08d1e576cdecfec75520d47bcd25df0a79a2f8d91e365497da322444213a45eb

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
14a189fa85b5e4aede2772ec5682b321

SHA1
a3f527c5aeb9da7f1934e964345e5c9b3857e668

SHA256
062e5932d1276a6e142aac90a4dc89d57d8a70a51ae56840d74a8c5522716feb

SHA512
bb0b64276c1e0c0442add25c97f4f564b6e0f13f505091bf70911dddb0a5419a755546baf411f8289c3b9de921f33892ce0796fdf6bfd810302974697223655d

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
770f03bffee2632c09e0248fbafa4d3e

SHA1
ae3b4d9bf303ae7e0d15c8a436c04bd333141251

SHA256
f6ae1f8d6f53cd574587e5c6f24777edb0edcd0740d252a4e109fd7b871718ea

SHA512
560962b5d19274180a4c8c6d112ebbd944e89f962cad4c7157fb3706916460af02a3efb062bc1da8c944100c6a1d6e970228b8afecc695dc605ac5e3b96865fe

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
3690ed2f66dab40a04713f45fb597325

SHA1
6d8804b46cba32ab2eca19f2ab1d73323d2b0754

SHA256
0875e9e2ff6e8952d1137fc5714281c59a2c9b23fd37fb8a185ffd839c2521c8

SHA512
efe2d468ce7ccf3f394b3ec0f4b71c04293caabb13aeec9f436bbe5e6e200a9f6ada0b7373f6470d495af599374ca056714a911565d97c57f6e00526cbb2e7eb

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
3a3ba481e2eac3ae720ac2f2788ce6e0

SHA1
4c654f796882253b0a67de48ccc0d831dfb6ea0f

SHA256
bc38bf245bcaedccfb8e216e5b11ce226c517dff86954bdf64337a6662634b2f

SHA512
6af33dafdd79e9163bf7f43bf1ec12cc227c33344c089debd13f9852ff5a1fedb6a40918b7170244264d685dd14090a0a03dfe37827d59d0eef5a80d77c7e29f

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
eed11e354d2532500c64a78254ee42f5

SHA1
7c1ead927c49a29409a77977cb2a724191d8516b

SHA256
e24726eb2fa998641a6934a4808cf16030b36cd2d9e241691e252a741f4bc044

SHA512
667e20f406455a8a8acb806c7b47ba0b99213e151db97783ddb3a0980e493db46013efc5a8eac54f735a8f004af563d9f4f44285bb574b4d293098288256e163

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
77000076a0102e0f76afd90565cf27e5

SHA1
04906a28dbd0d679190029402ef181efbe49b984

SHA256
5e1f99cbc0597d722559c28ea63c4e0b35612468e32299651c4e2928190d751e

SHA512
81435accff9aa11593b8ac029976113e0f04dce2f5dd15e7353003ad4bed1a49d9e21bb7e8a350ed72fbece1f9c20d2fd746e98beea7018847e9aa1e177bea91

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\UserCache.bin

Filesize
70KB

MD5
d851ee3a8d5c2efbe39e575e2f74b0a3

SHA1
3ecf4dc51d0549bbe3429ffcd1dee0667af3ab2b

SHA256
e928f6c5e127210d5f43760884b4101c192b4e9d393653210ba27f54c445d7d4

SHA512
bcf08ac156802136f53f2555f575374e054acfd13e6d17f6cdee420868cd441de7793dc6eb37dfbf8c75aa4bde696fdcd358e783708e5719a3a9aed4327de40d

Download Submit
memory/2084-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2084-124-0x00000000735DD000-0x00000000735E8000-memory.dmp

Filesize
44KB

Download
memory/2084-1-0x00000000735DD000-0x00000000735E8000-memory.dmp

Filesize
44KB

Download
memory/2608-310-0x00000000025C0000-0x00000000025D6000-memory.dmp

Filesize
88KB

Download