Analysis
max time kernel: 91s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
submitted: 24-11-2022 19:25
Behavioral task: behavioral1
Sample: e246c844a272e80f2819e754e79a394e0fc964ad583ae90110dc38a01100b44d.dll
Resource: win10v2004-20220901-en
General
Target: e246c844a272e80f2819e754e79a394e0fc964ad583ae90110dc38a01100b44d.dll
Size: 126KB
MD5: f6d14701e7c568254151e153f7763672
SHA1: 4501ffb7284f29cca51b06deba0262b8d33f93f6
SHA256: e246c844a272e80f2819e754e79a394e0fc964ad583ae90110dc38a01100b44d
SHA512: 62c1d6cbe6531a6b5d2a9fcdddd91cc3971dd81f1f5208e88c02d97d066e1b04665122817acb228894937279c49ac627bdb3c42cb32e130e39201f3108cde8f2
SSDEEP: 3072:Yx7pOYzBekF3tiINwyP7XSSJds3zhrjPcnqULv429:Yx7ZNhF3vwyOztPc3L
Malware Config
Signatures

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: rundll32.exe

Program crash (1 IoCs)
Processes:
  pid  | pid_target | process      | target process
  4912 | 4376       | WerFault.exe | rundll32.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid  | process
  4376 | rundll32.exe
  4376 | rundll32.exe
  4376 | rundll32.exe
  4376 | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       | pid  | process      | target process
  PID 1632 wrote to memory of 4376  | 1632 | rundll32.exe | rundll32.exe
  PID 1632 wrote to memory of 4376  | 1632 | rundll32.exe | rundll32.exe
  PID 1632 wrote to memory of 4376  | 1632 | rundll32.exe | rundll32.exe

outlook_win_path (1 IoCs)
Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process: rundll32.exe
Processes (tree; the trailing digit on each line in the original report was the nesting depth)

C:\Windows\system32\rundll32.exe (depth 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e246c844a272e80f2819e754e79a394e0fc964ad583ae90110dc38a01100b44d.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e246c844a272e80f2819e754e79a394e0fc964ad583ae90110dc38a01100b44d.dll,#1
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 844
      - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4376 -ip 4376
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/4376-132-0x0000000000000000-mapping.dmp