Analysis
-
max time kernel
193s -
max time network
203s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
28-11-2022 07:11
Static task
static1
Behavioral task
behavioral1
Sample
06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exe
Resource
win10v2004-20221111-en
General
-
Target
06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exe
-
Size
3.7MB
-
MD5
a8e61c3183991dbd0de9cbd69983db89
-
SHA1
2ea73ba33d50e8c78555f8d9eafb3c436e6fb11d
-
SHA256
06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f
-
SHA512
9e3350f3c4dba762cc39551d12eabe80997c1e5293241c5e345646334c042c9f28db55309567fea55c16c277533c24cddf27ff337229038b0b189a5a1d992f49
-
SSDEEP
98304:bvU6bKreKg1Yl2E1VqNvxLWY4X3OB4UaC:bvFbKRg1YEExbX+B
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 77 3364 rundll32.exe 78 3364 rundll32.exe -
Loads dropped DLL 2 IoCs
Processes:
rundll32.exepid process 3364 rundll32.exe 3364 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts rundll32.exe -
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1488 2964 WerFault.exe 06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exe -
Checks processor information in registry 2 TTPs 21 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 3364 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exedescription pid process target process PID 2964 wrote to memory of 3364 2964 06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exe rundll32.exe PID 2964 wrote to memory of 3364 2964 06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exe rundll32.exe PID 2964 wrote to memory of 3364 2964 06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exe rundll32.exe -
outlook_office_path 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
outlook_win_path 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exe"C:\Users\Admin\AppData\Local\Temp\06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Weheooup.dll,start2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 241393⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 5082⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2964 -ip 29641⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Weheooup.dllFilesize
4.2MB
MD50034a85892eb22e607fcb88b1f2f8f30
SHA1cf29d80bf1e7df37d51dfc611438573d4dd5a400
SHA2567f3916c3b4de75e641e3eeb170fd63e1912c97fc1ff45e37ad5061df0e69756f
SHA51293e9ff566b96e239fc9a0c21f0282e5f9e27c607d0ddd73ff410a04aafd9a23fb6b89312a8a6b2083d95ae48bb1f01a5b31f950b849be2aedf3de4e1c764fca6
-
C:\Users\Admin\AppData\Local\Temp\Weheooup.dllFilesize
4.2MB
MD50034a85892eb22e607fcb88b1f2f8f30
SHA1cf29d80bf1e7df37d51dfc611438573d4dd5a400
SHA2567f3916c3b4de75e641e3eeb170fd63e1912c97fc1ff45e37ad5061df0e69756f
SHA51293e9ff566b96e239fc9a0c21f0282e5f9e27c607d0ddd73ff410a04aafd9a23fb6b89312a8a6b2083d95ae48bb1f01a5b31f950b849be2aedf3de4e1c764fca6
-
C:\Users\Admin\AppData\Local\Temp\Weheooup.dllFilesize
4.2MB
MD50034a85892eb22e607fcb88b1f2f8f30
SHA1cf29d80bf1e7df37d51dfc611438573d4dd5a400
SHA2567f3916c3b4de75e641e3eeb170fd63e1912c97fc1ff45e37ad5061df0e69756f
SHA51293e9ff566b96e239fc9a0c21f0282e5f9e27c607d0ddd73ff410a04aafd9a23fb6b89312a8a6b2083d95ae48bb1f01a5b31f950b849be2aedf3de4e1c764fca6
-
memory/2964-133-0x0000000002BD0000-0x00000000030B2000-memory.dmpFilesize
4.9MB
-
memory/2964-134-0x0000000000400000-0x00000000008EE000-memory.dmpFilesize
4.9MB
-
memory/2964-135-0x0000000002845000-0x0000000002BC7000-memory.dmpFilesize
3.5MB
-
memory/2964-136-0x0000000000400000-0x00000000008EE000-memory.dmpFilesize
4.9MB
-
memory/2964-132-0x0000000002845000-0x0000000002BC7000-memory.dmpFilesize
3.5MB
-
memory/2964-143-0x0000000000400000-0x00000000008EE000-memory.dmpFilesize
4.9MB
-
memory/3364-146-0x0000000003420000-0x0000000003F91000-memory.dmpFilesize
11.4MB
-
memory/3364-150-0x0000000003420000-0x0000000003F91000-memory.dmpFilesize
11.4MB
-
memory/3364-141-0x0000000002250000-0x000000000269D000-memory.dmpFilesize
4.3MB
-
memory/3364-144-0x0000000002250000-0x000000000269D000-memory.dmpFilesize
4.3MB
-
memory/3364-145-0x0000000003420000-0x0000000003F91000-memory.dmpFilesize
11.4MB
-
memory/3364-137-0x0000000000000000-mapping.dmp
-
memory/3364-147-0x0000000003420000-0x0000000003F91000-memory.dmpFilesize
11.4MB
-
memory/3364-148-0x0000000004060000-0x00000000041A0000-memory.dmpFilesize
1.2MB
-
memory/3364-149-0x0000000004060000-0x00000000041A0000-memory.dmpFilesize
1.2MB
-
memory/3364-142-0x0000000002250000-0x000000000269D000-memory.dmpFilesize
4.3MB
-
memory/3364-151-0x0000000004060000-0x00000000041A0000-memory.dmpFilesize
1.2MB
-
memory/3364-152-0x0000000004060000-0x00000000041A0000-memory.dmpFilesize
1.2MB
-
memory/3364-153-0x0000000004060000-0x00000000041A0000-memory.dmpFilesize
1.2MB
-
memory/3364-154-0x0000000004060000-0x00000000041A0000-memory.dmpFilesize
1.2MB
-
memory/4596-155-0x00007FF66A196890-mapping.dmp
-
memory/4596-156-0x0000028A47FC0000-0x0000028A48100000-memory.dmpFilesize
1.2MB
-
memory/4596-157-0x0000028A47FC0000-0x0000028A48100000-memory.dmpFilesize
1.2MB
-
memory/4596-158-0x00000000002B0000-0x000000000054B000-memory.dmpFilesize
2.6MB
-
memory/4596-159-0x0000028A46570000-0x0000028A4681C000-memory.dmpFilesize
2.7MB