6f1d138c47c7316460a6af976b2b6d9d6ee2387a6a256c0de6297a55336add5b

General

Target

ASSIGNED.exe
Size

481KB
MD5

ae51edf78e690c95c8660fc9a26fd0e7
SHA1

d62b3a89f7a34886cd0e5aab89b56eba0f7b5a03
SHA256

9b5025d4f9cc6a69eff210cb9c6a2571fbb82820bba57b174eead2fad4b50dfa
SHA512

5212f53b96b4d88e3ce5ff4c1a9e2dc5b1d3a5be0e1aa9f7e3c49c8fc63c847eb67830d889962c3b1a5a4474d17af10ce3493c922a35fb415c9653054bf18f60

Score

7^/10

collection

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1072 rundll32.exe

pid	process
1072	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

rundll32.exeMSBuild.exe

pid process

1072 rundll32.exe
632 MSBuild.exe
632 MSBuild.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1072 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 632 MSBuild.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

632 MSBuild.exe

pid	process
1072	rundll32.exe
632	MSBuild.exe
632	MSBuild.exe

pid	process
1072	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	632	MSBuild.exe

pid	process
632	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ASSIGNED.exerundll32.exe

description	pid	process	target process
PID 396 wrote to memory of 1072	396	ASSIGNED.exe	rundll32.exe
PID 396 wrote to memory of 1072	396	ASSIGNED.exe	rundll32.exe
PID 396 wrote to memory of 1072	396	ASSIGNED.exe	rundll32.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe
PID 1072 wrote to memory of 632	1072	rundll32.exe	MSBuild.exe

outlook_office_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\ASSIGNED.exe
"C:\Users\Admin\AppData\Local\Temp\ASSIGNED.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe KnowhowMove,Xylol
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Counterfoil
Filesize
301KB

MD5
22de1a11cfbeee0ad9150b94b2eec1e7

SHA1
57239256b80485fe9637f4c660bc8c4b51de9254

SHA256
89ca06b11fd30f2d0dd53449d12b2ba7597896b49da868176c82cc40f26cb21a

SHA512
2755e5b9769840209f97d83cb4eebe8efd80937db9c8984fee72d212d12a1decfc6f8eaa57dc1bee65e4d904b86f718441164d22d946e624b08908137e78ba45

Download Submit
C:\Users\Admin\AppData\Local\Temp\KnowhowMove.DLL
Filesize
72KB

MD5
11d85e62b99dbf03d47ac93ee60b6915

SHA1
97eb6906ee2026e923165e85f0ba64d100fe6532

SHA256
5c2048e13ad410ed7df298b7626ec1ddd9d0e428e3bb3f869e22713f821a10b8

SHA512
36940a2ac3a62c6247f3cd20a2db6400e0ee619e762135ac52cd9df6d2df81a5dac0311d078b2febdaad8dddb2efad03bd39d1e1aceb30750382c2d81e5925f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KnowhowMove.dll
Filesize
72KB

MD5
11d85e62b99dbf03d47ac93ee60b6915

SHA1
97eb6906ee2026e923165e85f0ba64d100fe6532

SHA256
5c2048e13ad410ed7df298b7626ec1ddd9d0e428e3bb3f869e22713f821a10b8

SHA512
36940a2ac3a62c6247f3cd20a2db6400e0ee619e762135ac52cd9df6d2df81a5dac0311d078b2febdaad8dddb2efad03bd39d1e1aceb30750382c2d81e5925f1

Download Submit
memory/632-140-0x00007FFCD51F0000-0x00007FFCD53E5000-memory.dmp

Filesize
2.0MB

Download
memory/632-138-0x0000000000000000-mapping.dmp

Download
memory/632-139-0x00007FFCD51F0000-0x00007FFCD53E5000-memory.dmp

Filesize
2.0MB

Download
memory/632-142-0x00007FFCD51F0000-0x00007FFCD53E5000-memory.dmp

Filesize
2.0MB

Download
memory/632-143-0x0000000074110000-0x00000000746C1000-memory.dmp

Filesize
5.7MB

Download
memory/632-145-0x0000000000F00000-0x0000000000F06000-memory.dmp

Filesize
24KB

Download
memory/1072-134-0x00000000747C0000-0x0000000074888000-memory.dmp

Filesize
800KB

Download
memory/1072-136-0x0000000075AB0000-0x0000000075B13000-memory.dmp

Filesize
396KB

Download
memory/1072-137-0x00007FFCD51F0000-0x00007FFCD53E5000-memory.dmp

Filesize
2.0MB

Download
memory/1072-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads