Analysis
max time kernel: 149s
max time network: 33s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 06:24
Static task: static1
Behavioral task: behavioral1
Sample: 2da1d5ec8d9c73fe511d7dca1ccf2b9e00f0fb5ab0f41a97c5359d3d9ae68a09.dll
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 2da1d5ec8d9c73fe511d7dca1ccf2b9e00f0fb5ab0f41a97c5359d3d9ae68a09.dll
Resource: win10v2004-20221111-en
General
Target: 2da1d5ec8d9c73fe511d7dca1ccf2b9e00f0fb5ab0f41a97c5359d3d9ae68a09.dll
Size: 606KB
MD5: 214f8f2c1f32401da92b8c705a527adf
SHA1: d02f1bc0502a261ab782f6292a1583f939204497
SHA256: 2da1d5ec8d9c73fe511d7dca1ccf2b9e00f0fb5ab0f41a97c5359d3d9ae68a09
SHA512: f1cff12c2439b626b460765e22368911b9fa997190b81a95caa694b8d7241935d1e9d517e57c489cbd8ff9251c8194eac9ec8594b7a814690af0af4aaa80b87a
SSDEEP: 12288:M4nVZwVq517r6gSTw4CcYZ+1ffrETF+tkwHTkrQ:FSVYr6gD4CVkegrk
Malware Config
Signatures

Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
Processes: regsvr32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | regsvr32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: regsvr32.exe
description | pid | process | target process
PID 1416 wrote to memory of 1348 | 1416 | regsvr32.exe | regsvr32.exe
(the same entry is recorded 7 times)

outlook_win_path (1 IoCs)
Processes: regsvr32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | regsvr32.exe
Processes
1. C:\Windows\system32\regsvr32.exe
   command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2da1d5ec8d9c73fe511d7dca1ccf2b9e00f0fb5ab0f41a97c5359d3d9ae68a09.dll
   - Suspicious use of WriteProcessMemory
   PID: 1416
   2. C:\Windows\SysWOW64\regsvr32.exe (child of PID 1416)
      command line: /s C:\Users\Admin\AppData\Local\Temp\2da1d5ec8d9c73fe511d7dca1ccf2b9e00f0fb5ab0f41a97c5359d3d9ae68a09.dll
      - Accesses Microsoft Outlook profiles
      - outlook_win_path
      PID: 1348
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1348-55-0x0000000000000000-mapping.dmp
memory/1348-56-0x0000000075F01000-0x0000000075F03000-memory.dmp (Filesize: 8KB)
memory/1348-57-0x0000000000270000-0x000000000030D000-memory.dmp (Filesize: 628KB)
memory/1416-54-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp (Filesize: 8KB)