Analysis
  max time kernel:  3s
  max time network: 48s
  platform:         windows7_x64
  resource:         win7-20220812-en
  resource tags:    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:        03-10-2022 08:36
Behavioral task: behavioral1
  Sample:   aa65d0c978d73144b305611ff82a642f.dll
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample:   aa65d0c978d73144b305611ff82a642f.dll
  Resource: win10v2004-20220901-en
General
  Target: aa65d0c978d73144b305611ff82a642f.dll
  Size:   126KB
  MD5:    aa65d0c978d73144b305611ff82a642f
  SHA1:   0dcf4282985484eead485fa6be06a4e9899a6163
  SHA256: f02c18d019e8ebf282dbfd24ca15e1f2481e2b19cefa887258eca155e583d717
  SHA512: a88e50eae48c3d7c91893c4d0275cfe3cc1bb0bce893e37ca1eb50a6b1484f0c7b48b2ed6e1507408d59c8b9167491488b400832ab406042f8a5e9823935853b
  SSDEEP: 3072:ox7pOYzBeknmWDWCMq6As523HeS9FAiZ87vO2rlL3Rn29:ox7ZNhn/dMq6AO0a7vVlT
Malware Config
Signatures
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Process: rundll32.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe

- Program crash (1 IoC)
  Process: WerFault.exe
  pid | pid_target | process | target process
  1780 | 1492 | WerFault.exe | rundll32.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: rundll32.exe
  pid | process
  1492 | rundll32.exe
  1492 | rundll32.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 1908 wrote to memory of 1492 | 1908 | rundll32.exe | rundll32.exe  (7 identical events)
  PID 1492 wrote to memory of 1780 | 1492 | rundll32.exe | WerFault.exe  (4 identical events)

- outlook_win_path (1 IoC)
  Process: rundll32.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe  (PID 1908)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa65d0c978d73144b305611ff82a642f.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (PID 1492)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa65d0c978d73144b305611ff82a642f.dll,#1
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - outlook_win_path
      C:\Windows\SysWOW64\WerFault.exe  (PID 1780)
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 456
        - Program crash

The 64-bit rundll32.exe (PID 1908) hands the DLL off to its 32-bit SysWOW64 counterpart (PID 1492), which is what rundll32 does when given a 32-bit DLL; the seven WriteProcessMemory events from 1908 to 1492 are that hand-off, not injection into an unrelated process. It is the SysWOW64 instance that opens the per-user Outlook profile key (export #1 of the DLL) and then crashes, so WerFault.exe is started with "-p 1492". The indicators worth pivoting on are therefore the DLL path under %TEMP% passed to rundll32 and a non-mail-client process opening "...\Windows Messaging Subsystem\Profiles\Outlook", rather than the WriteProcessMemory count.
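The chain above (rundll32 loading a DLL out of %TEMP%, that process opening the Outlook profile key, then crashing into WerFault) is easy to turn into detection logic. The following is an added example, not code from the sandbox report. The event list is constructed to mirror the report's process tree and registry IoC, with one invented benign control (OUTLOOK.EXE reading its own profile key, PID 2200) that must not fire; the event field names and the PROFILE_READERS allowlist are assumptions, not any particular sensor's schema.

```python
"""Detect the rundll32 -> Outlook-profile-key -> WerFault chain from the report.

Added example; not code from the sandbox report. EVENTS is constructed from the
report's process tree and IoCs plus one benign control, and its field names
(type, pid, ppid, image, cmdline, key) are an assumed generic schema.
"""
import re

SID = "S-1-5-21-2292972927-2705560509-2768824231-1000"
OUTLOOK_PROFILE_KEY = (
    r"\REGISTRY\USER\{}\Software\Microsoft\Windows NT\CurrentVersion"
    r"\Windows Messaging Subsystem\Profiles\Outlook"
).format(SID)
DLL = r"C:\Users\Admin\AppData\Local\Temp\aa65d0c978d73144b305611ff82a642f.dll"

# Constructed events: PIDs 1908/1492/1780 and paths come from the report;
# PID 2200 (OUTLOOK.EXE reading its own profile key) is an invented benign control.
EVENTS = [
    {"type": "process_create", "pid": 1908, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe {},#1".format(DLL)},
    {"type": "process_create", "pid": 1492, "ppid": 1908,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": "rundll32.exe {},#1".format(DLL)},
    {"type": "reg_key_open", "pid": 1492, "key": OUTLOOK_PROFILE_KEY},
    {"type": "process_create", "pid": 1780, "ppid": 1492,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 456"},
    {"type": "process_create", "pid": 2200, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE"},
    {"type": "reg_key_open", "pid": 2200, "key": OUTLOOK_PROFILE_KEY},
]

# rundll32 invoked with a DLL sitting in a user-writable temp directory.
TEMP_DLL_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll\s*,", re.IGNORECASE)
# Any key under the MAPI profile store; matches the report's IoC regardless of SID.
PROFILE_KEY_RE = re.compile(r"\\Windows Messaging Subsystem\\Profiles(\\|$)", re.IGNORECASE)
# WerFault's -p argument names the crashed process.
WERFAULT_PID_RE = re.compile(r"WerFault\.exe.*?\s-p\s+(\d+)", re.IGNORECASE)

# Processes legitimately reading MAPI profiles. Assumption: extend per environment.
PROFILE_READERS = {"outlook.exe", "fixmapi.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule, pid) findings in the order they fire."""
    procs = {}      # pid -> its process_create event, so later events can be attributed
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
            name = basename(ev["image"])
            if name == "rundll32.exe" and TEMP_DLL_RE.search(ev["cmdline"]):
                findings.append(("rundll32_temp_dll", ev["pid"]))
            m = WERFAULT_PID_RE.search(ev["cmdline"]) if name == "werfault.exe" else None
            if m:
                target = int(m.group(1))
                # Only a crash of an already-flagged process is reported: an unstable
                # loader dying inside its own rundll32 host is what the report shows.
                if ("rundll32_temp_dll", target) in findings:
                    findings.append(("flagged_process_crashed", target))
        elif ev["type"] == "reg_key_open":
            owner = procs.get(ev["pid"])
            name = basename(owner["image"]) if owner else ""
            # Profile-store access by anything other than a known mail client.
            if PROFILE_KEY_RE.search(ev["key"]) and name not in PROFILE_READERS:
                findings.append(("outlook_profile_access", ev["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print("{:<26} pid={}".format(rule, pid))
```

Both rundll32 instances fire the temp-DLL rule because the SysWOW64 hop reuses the same command line; the profile-key rule fires only for PID 1492, and the crash rule correlates WerFault's -p argument back to that flagged process, so the benign OUTLOOK.EXE control produces nothing.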