ad286a9ef63c68763548711b695d7882ad520544be58b0f6c518591ce96bfe88

General

Target

ad286a9ef63c68763548711b695d7882ad520544be58b0f6c518591ce96bfe88.dll
Size

499KB
MD5

78e9678410027e275631ccc725c30904
SHA1

29b43321cc43a815a0bd8f253e446198875dea3f
SHA256

ad286a9ef63c68763548711b695d7882ad520544be58b0f6c518591ce96bfe88
SHA512

7aaf15af07888dcced8d34a8cc73df1e6de36e78fc89bbcc4405bca4d9f3768797764d35458514901eeb0caec601ef79f160a6b12693999ba70492bcf232c948

Score

8^/10

collection spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

1 284 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
1	284	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

284 rundll32.exe
284 rundll32.exe

pid	process
284	rundll32.exe
284	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1464 wrote to memory of 284	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 284	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 284	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 284	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 284	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 284	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 284	1464	rundll32.exe	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad286a9ef63c68763548711b695d7882ad520544be58b0f6c518591ce96bfe88.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad286a9ef63c68763548711b695d7882ad520544be58b0f6c518591ce96bfe88.dll,#1
2⤵
- Blocklisted process makes network request
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/284-54-0x0000000000000000-mapping.dmp

Download
memory/284-55-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/284-59-0x0000000000270000-0x0000000000293000-memory.dmp

Filesize
140KB

Download
memory/284-58-0x0000000000270000-0x0000000000293000-memory.dmp

Filesize
140KB

Download
memory/284-57-0x0000000000270000-0x0000000000293000-memory.dmp

Filesize
140KB

Download
memory/284-56-0x0000000000270000-0x0000000000293000-memory.dmp

Filesize
140KB

Download
memory/284-61-0x0000000000270000-0x0000000000293000-memory.dmp

Filesize
140KB

Download
memory/284-60-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads