e246c844a272e80f2819e754e79a394e0fc964ad583ae90110dc38a01100b44d

Analysis

max time kernel
192s
max time network
219s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6d14701e7c568254151e153f7763672.dll
Size

126KB
MD5

f6d14701e7c568254151e153f7763672
SHA1

4501ffb7284f29cca51b06deba0262b8d33f93f6
SHA256

e246c844a272e80f2819e754e79a394e0fc964ad583ae90110dc38a01100b44d
SHA512

62c1d6cbe6531a6b5d2a9fcdddd91cc3971dd81f1f5208e88c02d97d066e1b04665122817acb228894937279c49ac627bdb3c42cb32e130e39201f3108cde8f2
SSDEEP

3072:Yx7pOYzBekF3tiINwyP7XSSJds3zhrjPcnqULv429:Yx7ZNhF3vwyOztPc3L

Score

7^/10

collection spyware stealer

Malware Config

Signatures

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3284 2636 WerFault.exe rundll32.exe
3916 2636 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

2636 rundll32.exe
2636 rundll32.exe
2636 rundll32.exe
2636 rundll32.exe

pid	pid_target	process	target process
3284	2636	WerFault.exe	rundll32.exe
3916	2636	WerFault.exe	rundll32.exe

pid	process
2636	rundll32.exe
2636	rundll32.exe
2636	rundll32.exe
2636	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2932 wrote to memory of 2636	2932	rundll32.exe	rundll32.exe
PID 2932 wrote to memory of 2636	2932	rundll32.exe	rundll32.exe
PID 2932 wrote to memory of 2636	2932	rundll32.exe	rundll32.exe
PID 2636 wrote to memory of 3284	2636	rundll32.exe	WerFault.exe
PID 2636 wrote to memory of 3284	2636	rundll32.exe	WerFault.exe
PID 2636 wrote to memory of 3284	2636	rundll32.exe	WerFault.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6d14701e7c568254151e153f7763672.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6d14701e7c568254151e153f7763672.dll,#1
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 788
3⤵
- Program crash
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 788
3⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2636 -ip 2636
1⤵
PID:2080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2636-132-0x0000000000000000-mapping.dmp

Download
memory/3284-133-0x0000000000000000-mapping.dmp

Download