14840382182c94d6000b242f353b4d1eba235f7a645dfd943c4c9d2c93a80e3e

Analysis

max time kernel
144s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aff860634fadee66a6e8220e67f7ebc88bfcde7a905a2753655706c0252afd1.dll
Size

126KB
MD5

ad444dcdadfe5ba7901ec58be714cf57
SHA1

61fed673833726bd8261c1c94963ff23c412735a
SHA256

5aff860634fadee66a6e8220e67f7ebc88bfcde7a905a2753655706c0252afd1
SHA512

1fc7ae17ee32ee6654694ff6cda0bce23f2ab4195d18e657223ae45e036974fb63292688e18f72f37f222395646dfbd981fb8b494008ed92922822880fdfeb83
SSDEEP

3072:ox7pOYzBekymWDWCMq6As523HeS9FAiZ87vO2rlL3RnS9:ox7ZNhy/dMq6AO0a7vVlT

Score

7^/10

collection spyware stealer

Malware Config

Signatures

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5040	5064	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5064	rundll32.exe
5064	rundll32.exe
5064	rundll32.exe
5064	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 5064	1668	rundll32.exe	81
PID 1668 wrote to memory of 5064	1668	rundll32.exe	81
PID 1668 wrote to memory of 5064	1668	rundll32.exe	81

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5aff860634fadee66a6e8220e67f7ebc88bfcde7a905a2753655706c0252afd1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5aff860634fadee66a6e8220e67f7ebc88bfcde7a905a2753655706c0252afd1.dll,#1
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - outlook_win_path
  PID:5064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 792
    3⤵
    - Program crash
    PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5064 -ip 5064
1⤵
PID:4992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads