15940963f5cd71e4a9f686a383211663cc501ffe34ffd9582c1300af4d56b351

General

Target

15940963f5cd71e4a9f686a383211663cc501ffe34ffd9582c1300af4d56b351.exe
Size

194KB
MD5

33149556181719096a9870e2897ad643
SHA1

5595d547b618d4908504fc27acf13e8241f69965
SHA256

15940963f5cd71e4a9f686a383211663cc501ffe34ffd9582c1300af4d56b351
SHA512

0112397627dbd2065fbff3d2645129319aa146cc3d4d177ca42cf001afde9862e0952033997d95a278959fe8cc300ada9563ae6873c64dfa351fa369855919bf
SSDEEP

3072:Uv5ChRQUknU7TfNMXgSrayXVE9y4qQDHg2EPkoTrEsjHZvQ3hl43vpMvxGWqB2cK:dh6zU7T1DylEtDAvPJTrF5vQ37IM

Score

8^/10

collection discovery spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

5 4756 rundll32.exe
6 4756 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4756 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
5	4756	rundll32.exe
6	4756	rundll32.exe

pid	process
4756	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4208 4756 WerFault.exe rundll32.exe

pid	pid_target	process	target process
4208	4756	WerFault.exe	rundll32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

4756 rundll32.exe
4756 rundll32.exe
4756 rundll32.exe
4756 rundll32.exe

pid	process
4756	rundll32.exe
4756	rundll32.exe
4756	rundll32.exe
4756	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

15940963f5cd71e4a9f686a383211663cc501ffe34ffd9582c1300af4d56b351.exe

description	pid	process	target process
PID 2748 wrote to memory of 4756	2748	15940963f5cd71e4a9f686a383211663cc501ffe34ffd9582c1300af4d56b351.exe	rundll32.exe
PID 2748 wrote to memory of 4756	2748	15940963f5cd71e4a9f686a383211663cc501ffe34ffd9582c1300af4d56b351.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\15940963f5cd71e4a9f686a383211663cc501ffe34ffd9582c1300af4d56b351.exe
"C:\Users\Admin\AppData\Local\Temp\15940963f5cd71e4a9f686a383211663cc501ffe34ffd9582c1300af4d56b351.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\system32\rundll32.exe
"C:\Users\Admin\AppData\Roaming\nsis_unse56decc.dll",PrintUIEntry |5CQkOhiAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAOVkHwBs8|AtBVIAWf8AbwBoAFgANq8AOQBBQQB4FwBU7wBDAFEtAllIg||sKOgEAgAASP+DxCjDzMzMTP+JRCQYSIlUJL8QSIlMJAhZAUj|i0QkMEiJBCT2fQE4SGsACEjHRNskEC0B6w59ARBI14PAAYsBEH0BQEjtOZIAcyWbA4sMJP9IA8hIi8FIi|VMpwFUdwAD0UiLf8qKCYgI68FiBb9lSIsEJWDz8DP|yUiLUBhIO9H|dDZIg8IgSIv|Akg7wnQqZoP|eEgYdRpMi0D|UGZBgzhrdAfuDRFLdQgNEHgQLv90BUiLAOvVSOuLSPkAwWYAQFNV|1ZXQVRBVUFW+0FXWQFmgTlNWv9Ni|hMi|JIi+|ZD4X88|BMY0n|PEGBPAlQRQDvAA+F6vPwQYuE+wmI8|CFwEiNPO8BD4TWZhGDvAndjC0BD4TH8|BEi|9nIESLXxyLd|8kRItPGEwD4f9MA9lIA|Ezyb9FhckPhKTz8E3|i8RBixBFM9L|SAPTigKEwHT|HUHByg0PvsDe9gABRAPQuxF17P9Bgfqq|A18dP8Og8EBSYPABP9BO8lzaevGi||BD7cMTkWLLP+LTAPrdFgz7b6mEHRRQYsUvQDT|zPJigJMi8Lrtw|BycQRA8jhEAH3QYoA0RDtM8Azn|ZBOwy23BCiAIP|xgGD+Ahy7uv|CkiLy0H|1UnfiQT3g8XgEMQE3ztvGHKvYgFBX|9BXkFdQVxfXvtdWy8XSIHsYAH+YACL6ehm|v||v0iFwA+EmXEgTPWNqwGLJxDIM||o|Zt5II1fBEyNRf9CM9KLy|9UJP1ofCBMi+APhGx6cSBFpBAzwIvTjSBfSIl8JCCiIHB8ID9Ii|APhExxIKIg|1BIjVYIRI1H30BIjYwkgRFIi+|Y6Hz9eiCNVkhq2iAQ3iHM8|DoZ+sgP0SLBo1XCD0goiC9WMYhiYQkgIMS3fbz8IsO1iBYiYwk2G0RAzCNIOgx6yBMi+9dOousKTJIi5z+FjJMiWQkOESNv2dsSTvsSIYgMHdMiVyAAYQk3IMR04aO4yHfIPCsE0iLb9Po5|wBMIqcczL3SI2EczJBgPMhv0mLzEQwGKACg7|pAXXzgbxzMiH|UmV4dUqLhCTd9B4xlCT48|ADwv9IO+hyNUE71P92MESNSUBJK0|UQbgAlACiIEDGIs|4dBdEtDC+MUiN+1NsjSBNK8TobO6AMEiLzqIgeEiFz|90FEyMMBcxSI3fTCRAugPz8P|XZ0iBxHAhXSQAAA==
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:4756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4756 -s 240
3⤵
- Program crash
PID:4208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nsis_unse56decc.dll
Filesize
58KB

MD5
664e46926466a2d4c9b87540f4853c39

SHA1
b172d1c2bde331770b0a944fcf6a9e2d75ded66b

SHA256
92a7c3296a561fb39798f821173e69d1feff44ff3a84caa4c6bb890945e79488

SHA512
1490ee65220c71a9f445df4b0f34d0c7bd3ece2e58253cfa3194d34e813843e0f71ea7bce0f0ae562a620334fdf3589262ca2f3209414936aa28a365db64ff03

Download Submit
\Users\Admin\AppData\Roaming\nsis_unse56decc.dll
Filesize
58KB

MD5
664e46926466a2d4c9b87540f4853c39

SHA1
b172d1c2bde331770b0a944fcf6a9e2d75ded66b

SHA256
92a7c3296a561fb39798f821173e69d1feff44ff3a84caa4c6bb890945e79488

SHA512
1490ee65220c71a9f445df4b0f34d0c7bd3ece2e58253cfa3194d34e813843e0f71ea7bce0f0ae562a620334fdf3589262ca2f3209414936aa28a365db64ff03

Download Submit
memory/2748-115-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-116-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-117-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-118-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-119-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-120-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-121-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-122-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-123-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-124-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-125-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-126-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-127-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-128-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-129-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-130-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-131-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-132-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-134-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-133-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-135-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-136-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-137-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-138-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-139-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-140-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-142-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-143-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-144-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-146-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-148-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-149-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-150-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-151-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-147-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-145-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-141-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-152-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-153-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-154-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-155-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-156-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-157-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-158-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2748-159-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2748-160-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/4756-161-0x0000000000000000-mapping.dmp

Download
memory/4756-164-0x000002483F3B0000-0x000002483F3B7000-memory.dmp

Filesize
28KB

Download
memory/4756-167-0x00007FF725820000-0x00007FF72591A000-memory.dmp

Filesize
1000KB

Download
memory/4756-168-0x00007FF725820000-0x00007FF72591A000-memory.dmp

Filesize
1000KB

Download
memory/4756-169-0x00007FF725820000-0x00007FF72591A000-memory.dmp

Filesize
1000KB

Download
memory/4756-170-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads