Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-10-2022 12:13
Behavioral task: behavioral1
- Sample: cfc6b391c6c864f071a89476968391967a0df97e2cbbaf20fd9b410917530c85.dll
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: cfc6b391c6c864f071a89476968391967a0df97e2cbbaf20fd9b410917530c85.dll
- Resource: win10v2004-20220812-en
General
- Target: cfc6b391c6c864f071a89476968391967a0df97e2cbbaf20fd9b410917530c85.dll
- Size: 238KB
- MD5: 5a9d72cb87e70facf9b8fd657c3dd2e0
- SHA1: 913380e9958f868fbba8637e5b9e907dfa2a12e2
- SHA256: cfc6b391c6c864f071a89476968391967a0df97e2cbbaf20fd9b410917530c85
- SHA512: bb182dfec88154da0770bd60a0ca72f4f921200234c9294fb92105b6fbbaa34b6aeb6d5c47bddcb09eeccc34a71472dbeffaa6fb7304af6bdf1aa876ac593138
- SSDEEP: 6144:b9iKMmS/eOvbuM7TIxvyZTUJ/ee50gxpNOkGMhP:ZM3/eSuMPIxvHJ/eoltP
Malware Config
Signatures
-
  Processes:
  resource | yara_rule
  behavioral2/memory/2500-133-0x0000000000400000-0x00000000004AD000-memory.dmp | upx
  behavioral2/memory/2500-134-0x0000000000400000-0x00000000004AD000-memory.dmp | upx
- Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | regsvr32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 5084 wrote to memory of 2500 | 5084 | regsvr32.exe | regsvr32.exe
  PID 5084 wrote to memory of 2500 | 5084 | regsvr32.exe | regsvr32.exe
  PID 5084 wrote to memory of 2500 | 5084 | regsvr32.exe | regsvr32.exe
- outlook_win_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | regsvr32.exe
Processes
1. C:\Windows\system32\regsvr32.exe
   command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\cfc6b391c6c864f071a89476968391967a0df97e2cbbaf20fd9b410917530c85.dll
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      command line: /s C:\Users\Admin\AppData\Local\Temp\cfc6b391c6c864f071a89476968391967a0df97e2cbbaf20fd9b410917530c85.dll
      - Accesses Microsoft Outlook profiles
      - outlook_win_path