Analysis
-
max time kernel
152s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2022 15:36
Behavioral task
behavioral1
Sample
6e8a3ffffd2f7a91f3f845b78dd90011feb80d30b4fe48cb174b629afa273403.dll
Resource
win7-20220901-en
windows7-x64
2 signatures
150 seconds
General
-
Target
6e8a3ffffd2f7a91f3f845b78dd90011feb80d30b4fe48cb174b629afa273403.dll
-
Size
46KB
-
MD5
6ab824fbb8b8b26fcb14b8791d2e2054
-
SHA1
b001cdc9f6735555de8a3b843c4c7d867c197f28
-
SHA256
6e8a3ffffd2f7a91f3f845b78dd90011feb80d30b4fe48cb174b629afa273403
-
SHA512
b11ae2185430e269f05e5e0d38de543b730103fcca48a9bbd6518402d8eb9e215d5383e0eed960aca53a22e2959cbe3db67871846531ea1a1f98eb86c6e86ab8
-
SSDEEP
768:7c6gRL3cF1mPUwO2wzkg6iDbU1sz9oDc0kT2w3SFKR7QlORzUmZ:7laL3cFHRRA+5CDcz31dRz3
Malware Config
Signatures
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4364 wrote to memory of 3540 4364 rundll32.exe 82 PID 4364 wrote to memory of 3540 4364 rundll32.exe 82 PID 4364 wrote to memory of 3540 4364 rundll32.exe 82
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6e8a3ffffd2f7a91f3f845b78dd90011feb80d30b4fe48cb174b629afa273403.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6e8a3ffffd2f7a91f3f845b78dd90011feb80d30b4fe48cb174b629afa273403.dll,#12⤵PID:3540
-