Analysis
- max time kernel: 57s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 10:05
Behavioral task: behavioral1
- Sample: f6d14701e7c568254151e153f7763672.dll
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: f6d14701e7c568254151e153f7763672.dll
- Resource: win10v2004-20221111-en
General
- Target: f6d14701e7c568254151e153f7763672.dll
- Size: 126KB
- MD5: f6d14701e7c568254151e153f7763672
- SHA1: 4501ffb7284f29cca51b06deba0262b8d33f93f6
- SHA256: e246c844a272e80f2819e754e79a394e0fc964ad583ae90110dc38a01100b44d
- SHA512: 62c1d6cbe6531a6b5d2a9fcdddd91cc3971dd81f1f5208e88c02d97d066e1b04665122817acb228894937279c49ac627bdb3c42cb32e130e39201f3108cde8f2
- SSDEEP: 3072:Yx7pOYzBekF3tiINwyP7XSSJds3zhrjPcnqULv429:Yx7ZNhF3vwyOztPc3L
Malware Config
Signatures
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  Processes: rundll32.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: rundll32.exe)
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid 1116 (WerFault.exe), target pid 752 (rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
  pid 752 (rundll32.exe)
  pid 752 (rundll32.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  PID 1172 wrote to memory of 752 (rundll32.exe -> rundll32.exe)
  PID 1172 wrote to memory of 752 (rundll32.exe -> rundll32.exe)
  PID 1172 wrote to memory of 752 (rundll32.exe -> rundll32.exe)
  PID 1172 wrote to memory of 752 (rundll32.exe -> rundll32.exe)
  PID 1172 wrote to memory of 752 (rundll32.exe -> rundll32.exe)
  PID 1172 wrote to memory of 752 (rundll32.exe -> rundll32.exe)
  PID 1172 wrote to memory of 752 (rundll32.exe -> rundll32.exe)
  PID 752 wrote to memory of 1116 (rundll32.exe -> WerFault.exe)
  PID 752 wrote to memory of 1116 (rundll32.exe -> WerFault.exe)
  PID 752 wrote to memory of 1116 (rundll32.exe -> WerFault.exe)
  PID 752 wrote to memory of 1116 (rundll32.exe -> WerFault.exe)
- outlook_win_path (1 IoCs)
  Processes: rundll32.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: rundll32.exe)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6d14701e7c568254151e153f7763672.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6d14701e7c568254151e153f7763672.dll,#1
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - outlook_win_path
      3. C:\Windows\SysWOW64\WerFault.exe (child of 2)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 456
         - Program crash