Analysis
- max time kernel: 192s
- max time network: 219s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 10:05
Behavioral task: behavioral1
- Sample: f6d14701e7c568254151e153f7763672.dll
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: f6d14701e7c568254151e153f7763672.dll
- Resource: win10v2004-20221111-en
General
- Target: f6d14701e7c568254151e153f7763672.dll
- Size: 126KB
- MD5: f6d14701e7c568254151e153f7763672
- SHA1: 4501ffb7284f29cca51b06deba0262b8d33f93f6
- SHA256: e246c844a272e80f2819e754e79a394e0fc964ad583ae90110dc38a01100b44d
- SHA512: 62c1d6cbe6531a6b5d2a9fcdddd91cc3971dd81f1f5208e88c02d97d066e1b04665122817acb228894937279c49ac627bdb3c42cb32e130e39201f3108cde8f2
- SSDEEP: 3072:Yx7pOYzBekF3tiINwyP7XSSJds3zhrjPcnqULv429:Yx7ZNhF3vwyOztPc3L
Malware Config
Signatures
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    process: rundll32.exe
- Program crash (2 IoCs)
  Processes:
    pid 3284, pid_target 2636, process WerFault.exe, target process rundll32.exe
    pid 3916, pid_target 2636, process WerFault.exe, target process rundll32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid 2636, process rundll32.exe (4 occurrences)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description: PID 2932 wrote to memory of 2636; pid 2932, process rundll32.exe, target process rundll32.exe (3 occurrences)
    description: PID 2636 wrote to memory of 3284; pid 2636, process rundll32.exe, target process WerFault.exe (3 occurrences)
- outlook_win_path (1 IoC)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    process: rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6d14701e7c568254151e153f7763672.dll,#1
  PID: 2932
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6d14701e7c568254151e153f7763672.dll,#1
    PID: 2636
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - outlook_win_path
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 788
      PID: 3284
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 788
      PID: 3916
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2636 -ip 2636
  PID: 2080