Analysis
-
max time kernel
133s -
max time network
151s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
26-11-2022 21:44
General
-
Target
79e4356a155f57d8d7884bfe8dbfe842d7849ca006ea87bb374b28f314861e47.exe
-
Size
977KB
-
MD5
fc06e866e16215082a0fec1c247cef0d
-
SHA1
e5c86e2fe31be0c72f8402f23392112da518ebda
-
SHA256
79e4356a155f57d8d7884bfe8dbfe842d7849ca006ea87bb374b28f314861e47
-
SHA512
e8f9c901834d10a4abc122cbf900f239d8037bd2450850b0ea1dce0345b95cccd95df607a24c0fd62101574974d1c7cde920e06236e52432140896f76f887e11
-
SSDEEP
24576:Isf+BMC8CLhrQQ5DOjoN33zTu88XF/l3xp:Isf+ACdQQjnv8F/l3xp
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 50 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 24 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\79e4356a155f57d8d7884bfe8dbfe842d7849ca006ea87bb374b28f314861e47.exe"C:\Users\Admin\AppData\Local\Temp\79e4356a155f57d8d7884bfe8dbfe842d7849ca006ea87bb374b28f314861e47.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Tdryuqayh.tmp",Worhdhqfpryr2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 201493⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\reference assemblies\microsoft\rss.dll",bUkkWThPNGo=2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\0__Power_EnergyEstimationEngine.provxmlFilesize
463B
MD52cf4ea4d03f8a1f424c2db46789ed2e3
SHA150bb43d2589bc86115baac9fcdfcabadeff70c6d
SHA25641d62ac11f8cc15391010f53a7262df090149355b07021fe648d15c24fb45090
SHA512c2dd7c30856006f8eec73402284c86ab35c9daf824f81a33aefa1502d881be0a066da75441bdba97236f6bf3586b77d9e244cc94ccfac8e28fba06c61e9b78e6
-
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\Isduwyyttes.tmpFilesize
3.5MB
MD5783b85697ce5e14f15fa963736c9a8c3
SHA1b77c39b5d9779c22f1e2f4755a63b94882d363b1
SHA2562fff052f2750bde0675edf2e95b23c354ec1697219a23d2e214c48e4e38151c4
SHA5126417c96d77eb46fb4cd8247170b8df621a69498ee0d38f24acdd50f5a41c7812aa0828bf2c8dc53cdfd74128a6d013b977670fbe244df55ac1ce5d8f67e4eb78
-
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\MasterDatastore.xmlFilesize
271B
MD5d6650e3886f3c95fb42d4f0762b04173
SHA11da4b8bb6bb45d576616ad843cf6e4c2e9d4784b
SHA2569101f028c2288850be393281297500902b297c8b6ecf793292678b04a72709c9
SHA5121f82db4bd6ea401bb5610c21ed48848b9b61c55aabb4efada31dc677835b8e4451045006c4067e9cc51267a1c861765b49c3b3ab4c568be1dca0c0109fd8ceaa
-
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\MasterDescriptor.en-us.xmlFilesize
28KB
MD54bee7862d96900a7b0f20d709ffe5af2
SHA159f4073ff756ee74e83e5d9448e7d6da69f3bf08
SHA256526cb82e083378ccc1a5465f3250f40f9e74bdbc65c58ab9210fc8a88b273e63
SHA512ee0f19e4aa0006b4da4b16522eea9774c09b07d6fae3529992df7f5f47ee1fa49a6ec5b77370be594762ec63f1f6aee4be139e44f2f369f5590777cf95d9be31
-
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\RunTime.xmlFilesize
258B
MD5a6ce910db1d3e86a0e505f23b5f524bb
SHA1eb45b98744431813ac5223d31709a73c9c158012
SHA256db298408ae34693d9ffbcb1595920503853c89e2f66b0e58f9675dc4b127e58c
SHA512f21e3db718c81f23b5c20f627309ee495af87e39a9449767bd926a78be897435c8af693bc7aa7c29d62ba8bec55a1dee1264312e8faee5cda3beca62172d6aa0
-
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\msoutilstat.etw.manFilesize
111KB
MD5c1e8b625377c75454266f9d172d2f77d
SHA168ee3ac1b685d68bfdc434f430b6158a98073807
SHA2567847e5ba06ca0a834454a3c62ec343dcaa4339e6ef2ed5bd42e460ade5331628
SHA5121f04e28609f08a8616c7d1ebecfa6949f1eb939b29386365e72d4263dfd13fe81d036c8f9fce41f18b1e008f47b76c7278a00a770542411f751641fe7d756d21
-
C:\Users\Admin\AppData\Local\Temp\Tdryuqayh.tmpFilesize
767KB
MD5d8ca174a8f3f0c225429e1be1cb6d304
SHA10f2e738b1a35b6072e1d23894468e45fa7dee750
SHA2563d63ad175a34e4c89ea6eca4a1161bb5dd514a5e58302707edc03473eb1f656e
SHA512dbf999a9f0399b3cbf93484f2e665e3beb4de369dacf4678c7b7b3ff06f45c42879c544c2404d85b88fe3aaacf117a1e28ecb68ee7ea2553b736bad03619e527
-
\??\c:\program files (x86)\reference assemblies\microsoft\rss.dllFilesize
767KB
MD55d9e6b0c027922ebde79d0b6a5a7a54d
SHA13701aabefcc8f9def09eca730b6056c9c01837e1
SHA2566bc9752d720b10d6736da3d8773b8a4a3decf05b111af1c80208e2e8b873ae37
SHA51225540e35d8b9522f8c05e8d0103631374e90660d24c5d49f9fbd595f0b29998ed0631a93749a9d90c9bbd89542accb762475e3306bb74d4a213e0aac6780d569
-
\Program Files (x86)\Reference Assemblies\Microsoft\rss.dllFilesize
767KB
MD55d9e6b0c027922ebde79d0b6a5a7a54d
SHA13701aabefcc8f9def09eca730b6056c9c01837e1
SHA2566bc9752d720b10d6736da3d8773b8a4a3decf05b111af1c80208e2e8b873ae37
SHA51225540e35d8b9522f8c05e8d0103631374e90660d24c5d49f9fbd595f0b29998ed0631a93749a9d90c9bbd89542accb762475e3306bb74d4a213e0aac6780d569
-
\Program Files (x86)\Reference Assemblies\Microsoft\rss.dllFilesize
767KB
MD55d9e6b0c027922ebde79d0b6a5a7a54d
SHA13701aabefcc8f9def09eca730b6056c9c01837e1
SHA2566bc9752d720b10d6736da3d8773b8a4a3decf05b111af1c80208e2e8b873ae37
SHA51225540e35d8b9522f8c05e8d0103631374e90660d24c5d49f9fbd595f0b29998ed0631a93749a9d90c9bbd89542accb762475e3306bb74d4a213e0aac6780d569
-
\Users\Admin\AppData\Local\Temp\Tdryuqayh.tmpFilesize
767KB
MD5d8ca174a8f3f0c225429e1be1cb6d304
SHA10f2e738b1a35b6072e1d23894468e45fa7dee750
SHA2563d63ad175a34e4c89ea6eca4a1161bb5dd514a5e58302707edc03473eb1f656e
SHA512dbf999a9f0399b3cbf93484f2e665e3beb4de369dacf4678c7b7b3ff06f45c42879c544c2404d85b88fe3aaacf117a1e28ecb68ee7ea2553b736bad03619e527
-
memory/548-416-0x0000000005B60000-0x00000000066D9000-memory.dmpFilesize
11.5MB
-
memory/548-573-0x0000000005B60000-0x00000000066D9000-memory.dmpFilesize
11.5MB
-
memory/2844-149-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-157-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-133-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-134-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-136-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-138-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-137-0x00000000029F0000-0x0000000002AD7000-memory.dmpFilesize
924KB
-
memory/2844-139-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-140-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-141-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-142-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-143-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-144-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-145-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-146-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-147-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-148-0x0000000002AE0000-0x0000000002C00000-memory.dmpFilesize
1.1MB
-
memory/2844-131-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-151-0x0000000000400000-0x0000000000BA6000-memory.dmpFilesize
7.6MB
-
memory/2844-150-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-152-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-153-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-154-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-155-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-156-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-132-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-158-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-160-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-159-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-161-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-162-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-163-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-164-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-168-0x0000000000400000-0x0000000000BA6000-memory.dmpFilesize
7.6MB
-
memory/2844-120-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-130-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-129-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-121-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-122-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-128-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-123-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-127-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-126-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-125-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2844-124-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/2856-437-0x0000000000000000-mapping.dmp
-
memory/2856-536-0x0000000007220000-0x0000000007D99000-memory.dmpFilesize
11.5MB
-
memory/3164-311-0x0000000000000000-mapping.dmp
-
memory/3304-555-0x0000000000000000-mapping.dmp
-
memory/3620-165-0x0000000000000000-mapping.dmp
-
memory/3620-181-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-179-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-174-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-184-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-185-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-188-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-189-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-187-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-186-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-266-0x00000000065B0000-0x0000000007129000-memory.dmpFilesize
11.5MB
-
memory/3620-348-0x00000000065B0000-0x0000000007129000-memory.dmpFilesize
11.5MB
-
memory/3620-166-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-169-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-170-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-167-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-182-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-183-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-180-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-171-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-178-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-177-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-176-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-175-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-173-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3620-172-0x0000000077320000-0x00000000774AE000-memory.dmpFilesize
1.6MB
-
memory/3708-478-0x0000000000000000-mapping.dmp
-
memory/4228-325-0x000001D984790000-0x000001D984A4C000-memory.dmpFilesize
2.7MB
-
memory/4228-289-0x000001D984790000-0x000001D984A4C000-memory.dmpFilesize
2.7MB
-
memory/4228-286-0x0000000000340000-0x00000000005EB000-memory.dmpFilesize
2.7MB
-
memory/4228-281-0x00007FF7ED645FD0-mapping.dmp
-
memory/4624-537-0x0000000000000000-mapping.dmp
-
memory/4704-407-0x0000000000000000-mapping.dmp
-
memory/5092-330-0x0000000000000000-mapping.dmp