Analysis
- max time kernel: 54s
- max time network: 55s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 23-05-2022 20:41
Behavioral task behavioral1
- Sample: ad286a9ef63c68763548711b695d7882ad520544be58b0f6c518591ce96bfe88.dll
- Resource: win7-20220414-en
Behavioral task behavioral2
- Sample: ad286a9ef63c68763548711b695d7882ad520544be58b0f6c518591ce96bfe88.dll
- Resource: win10v2004-20220414-en
General
- Target: ad286a9ef63c68763548711b695d7882ad520544be58b0f6c518591ce96bfe88.dll
- Size: 499KB
- MD5: 78e9678410027e275631ccc725c30904
- SHA1: 29b43321cc43a815a0bd8f253e446198875dea3f
- SHA256: ad286a9ef63c68763548711b695d7882ad520544be58b0f6c518591ce96bfe88
- SHA512: 7aaf15af07888dcced8d34a8cc73df1e6de36e78fc89bbcc4405bca4d9f3768797764d35458514901eeb0caec601ef79f160a6b12693999ba70492bcf232c948
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow / pid / process): 1 / 284 / rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Processes (description / ioc / process): Key opened / \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook / rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process): 284 / rundll32.exe (2 entries)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description / pid / process / target process): PID 1464 wrote to memory of 284 / 1464 / rundll32.exe / rundll32.exe (7 identical entries)
- outlook_win_path (1 IoC)
  Processes (description / ioc / process): Key opened / \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook / rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 1464)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad286a9ef63c68763548711b695d7882ad520544be58b0f6c518591ce96bfe88.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 284), child of PID 1464
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad286a9ef63c68763548711b695d7882ad520544be58b0f6c518591ce96bfe88.dll,#1
    Signatures: Blocklisted process makes network request; Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; outlook_win_path
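The signatures and process tree above describe a recognisable pattern: a 64-bit rundll32.exe is handed a DLL from the user's Temp directory by export ordinal (`,#1`), re-launches the 32-bit copy under SysWOW64 (rundll32 does this when the DLL is 32-bit; the WriteProcessMemory entries are parent 1464 writing into child 284), and the child then opens the Outlook profile key and talks to the network. The following is an added example, not part of the sandbox report or the sample, that encodes those indicators as rules and runs them over a constructed, Sysmon-style event list. The event schema, the `analyze`/`score` helpers, the unrelated notepad.exe process and the 203.0.113.10 destination are all assumptions made for the example; the registry key, image paths and PIDs are taken from the report.

```python
"""Added example: turn the report's indicators into detection rules and run them
over constructed events. Not code from the sandbox vendor or the sample."""
import re
from collections import defaultdict

# Outlook profile key opened by the sample (from the report), user SID wildcarded.
OUTLOOK_PROFILE_RE = re.compile(
    r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Windows Messaging Subsystem\\Profiles\\Outlook",
    re.IGNORECASE,
)
# rundll32 loading a DLL from a user-writable Temp directory by export ordinal.
RUNDLL_ORDINAL_RE = re.compile(
    r"rundll32\.exe\s+(?P<dll>\S+\\AppData\\Local\\Temp\\[^,\s]+\.dll),#(?P<ordinal>\d+)",
    re.IGNORECASE,
)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ad286a9ef63c68763548711b695d7882ad520544be58b0f6c518591ce96bfe88.dll"

# Constructed events modelled on the report (assumed schema, not real telemetry).
EVENTS = [
    {"type": "process_create", "pid": 1464, "ppid": 900,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe " + SAMPLE + ",#1"},
    {"type": "process_create", "pid": 284, "ppid": 1464,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": "rundll32.exe " + SAMPLE + ",#1"},
    {"type": "registry_open", "pid": 284,
     "key": r"\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000"
            r"\Software\Microsoft\Windows NT\CurrentVersion"
            r"\Windows Messaging Subsystem\Profiles\Outlook"},
    # Destination is a constructed TEST-NET-3 address; the report does not name one.
    {"type": "network_connect", "pid": 284, "dst": "203.0.113.10:443"},
    # Benign process (assumed) to show that the rules do not fire on everything.
    {"type": "process_create", "pid": 3000, "ppid": 900,
     "image": r"C:\Windows\system32\notepad.exe", "cmdline": "notepad.exe"},
]


def analyze(events):
    """Return {pid: sorted list of findings} for the rules below."""
    procs = {}
    findings = defaultdict(set)
    for e in events:
        if e["type"] != "process_create":
            continue
        procs[e["pid"]] = e
        m = RUNDLL_ORDINAL_RE.search(e["cmdline"])
        if m:
            findings[e["pid"]].add(
                "rundll32 loads DLL from Temp by ordinal #" + m.group("ordinal"))
        parent = procs.get(e["ppid"])
        # 64-bit rundll32 under system32 spawning the 32-bit copy under SysWOW64.
        if (parent and parent["image"].lower().endswith(r"\system32\rundll32.exe")
                and e["image"].lower().endswith(r"\syswow64\rundll32.exe")):
            findings[e["pid"]].add("64-bit rundll32 re-launched 32-bit rundll32 (WoW64)")
    for e in events:
        pid = e.get("pid")
        image = procs.get(pid, {}).get("image", "").lower()
        if e["type"] == "registry_open" and OUTLOOK_PROFILE_RE.match(e["key"]):
            findings[pid].add("opened Outlook profile key")
        if e["type"] == "network_connect" and image.endswith("rundll32.exe"):
            findings[pid].add("rundll32 made network connection")
    return {pid: sorted(f) for pid, f in findings.items()}


def score(findings):
    """Infostealer-style verdict: the same rundll32 touched a mail profile AND the network."""
    return {pid for pid, f in findings.items()
            if any("Outlook" in x for x in f) and any("network" in x for x in f)}


if __name__ == "__main__":
    result = analyze(EVENTS)
    for pid, f in sorted(result.items()):
        print(pid, f)
    print("verdict: infostealer-like PIDs", score(result))
```

On a real host the same rules map onto Sysmon Event ID 1 (process creation, for the ordinal and the WoW64 chain), Event ID 12/13 (registry, for the Outlook profile key) and Event ID 3 (network connection); the combination in `score` is the one worth alerting on, since rundll32 opening mail profile keys on its own is rare but not unique to malware.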
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/284-54-0x0000000000000000-mapping.dmp
- memory/284-55-0x0000000075761000-0x0000000075763000-memory.dmp (8KB)
- memory/284-59-0x0000000000270000-0x0000000000293000-memory.dmp (140KB)
- memory/284-58-0x0000000000270000-0x0000000000293000-memory.dmp (140KB)
- memory/284-57-0x0000000000270000-0x0000000000293000-memory.dmp (140KB)
- memory/284-56-0x0000000000270000-0x0000000000293000-memory.dmp (140KB)
- memory/284-61-0x0000000000270000-0x0000000000293000-memory.dmp (140KB)
- memory/284-60-0x00000000001B0000-0x00000000001E3000-memory.dmp (204KB)