06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f

General

Target

06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exe
Size

3.7MB
MD5

a8e61c3183991dbd0de9cbd69983db89
SHA1

2ea73ba33d50e8c78555f8d9eafb3c436e6fb11d
SHA256

06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f
SHA512

9e3350f3c4dba762cc39551d12eabe80997c1e5293241c5e345646334c042c9f28db55309567fea55c16c277533c24cddf27ff337229038b0b189a5a1d992f49
SSDEEP

98304:bvU6bKreKg1Yl2E1VqNvxLWY4X3OB4UaC:bvFbKRg1YEExbX+B

Score

8^/10

collection discovery spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

77 3364 rundll32.exe
78 3364 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

3364 rundll32.exe
3364 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
77	3364	rundll32.exe
78	3364	rundll32.exe

pid	process
3364	rundll32.exe
3364	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1488 2964 WerFault.exe 06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exe

pid	pid_target	process	target process
1488	2964	WerFault.exe	06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 3364 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	3364	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exe

description	pid	process	target process
PID 2964 wrote to memory of 3364	2964	06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exe	rundll32.exe
PID 2964 wrote to memory of 3364	2964	06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exe	rundll32.exe
PID 2964 wrote to memory of 3364	2964	06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exe
"C:\Users\Admin\AppData\Local\Temp\06968dd8e1baf71cf9944c4b6ade43b66de8acfa011204af2e603f1a636b094f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Weheooup.dll,start
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3364

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24139
3⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 508
2⤵
- Program crash
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2964 -ip 2964
1⤵
PID:2260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Weheooup.dll
Filesize
4.2MB

MD5
0034a85892eb22e607fcb88b1f2f8f30

SHA1
cf29d80bf1e7df37d51dfc611438573d4dd5a400

SHA256
7f3916c3b4de75e641e3eeb170fd63e1912c97fc1ff45e37ad5061df0e69756f

SHA512
93e9ff566b96e239fc9a0c21f0282e5f9e27c607d0ddd73ff410a04aafd9a23fb6b89312a8a6b2083d95ae48bb1f01a5b31f950b849be2aedf3de4e1c764fca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Weheooup.dll
Filesize
4.2MB

MD5
0034a85892eb22e607fcb88b1f2f8f30

SHA1
cf29d80bf1e7df37d51dfc611438573d4dd5a400

SHA256
7f3916c3b4de75e641e3eeb170fd63e1912c97fc1ff45e37ad5061df0e69756f

SHA512
93e9ff566b96e239fc9a0c21f0282e5f9e27c607d0ddd73ff410a04aafd9a23fb6b89312a8a6b2083d95ae48bb1f01a5b31f950b849be2aedf3de4e1c764fca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Weheooup.dll
Filesize
4.2MB

MD5
0034a85892eb22e607fcb88b1f2f8f30

SHA1
cf29d80bf1e7df37d51dfc611438573d4dd5a400

SHA256
7f3916c3b4de75e641e3eeb170fd63e1912c97fc1ff45e37ad5061df0e69756f

SHA512
93e9ff566b96e239fc9a0c21f0282e5f9e27c607d0ddd73ff410a04aafd9a23fb6b89312a8a6b2083d95ae48bb1f01a5b31f950b849be2aedf3de4e1c764fca6

Download Submit
memory/2964-133-0x0000000002BD0000-0x00000000030B2000-memory.dmp

Filesize
4.9MB

Download
memory/2964-134-0x0000000000400000-0x00000000008EE000-memory.dmp

Filesize
4.9MB

Download
memory/2964-135-0x0000000002845000-0x0000000002BC7000-memory.dmp

Filesize
3.5MB

Download
memory/2964-136-0x0000000000400000-0x00000000008EE000-memory.dmp

Filesize
4.9MB

Download
memory/2964-132-0x0000000002845000-0x0000000002BC7000-memory.dmp

Filesize
3.5MB

Download
memory/2964-143-0x0000000000400000-0x00000000008EE000-memory.dmp

Filesize
4.9MB

Download
memory/3364-146-0x0000000003420000-0x0000000003F91000-memory.dmp

Filesize
11.4MB

Download
memory/3364-150-0x0000000003420000-0x0000000003F91000-memory.dmp

Filesize
11.4MB

Download
memory/3364-141-0x0000000002250000-0x000000000269D000-memory.dmp

Filesize
4.3MB

Download
memory/3364-144-0x0000000002250000-0x000000000269D000-memory.dmp

Filesize
4.3MB

Download
memory/3364-145-0x0000000003420000-0x0000000003F91000-memory.dmp

Filesize
11.4MB

Download
memory/3364-137-0x0000000000000000-mapping.dmp

Download
memory/3364-147-0x0000000003420000-0x0000000003F91000-memory.dmp

Filesize
11.4MB

Download
memory/3364-148-0x0000000004060000-0x00000000041A0000-memory.dmp

Filesize
1.2MB

Download
memory/3364-149-0x0000000004060000-0x00000000041A0000-memory.dmp

Filesize
1.2MB

Download
memory/3364-142-0x0000000002250000-0x000000000269D000-memory.dmp

Filesize
4.3MB

Download
memory/3364-151-0x0000000004060000-0x00000000041A0000-memory.dmp

Filesize
1.2MB

Download
memory/3364-152-0x0000000004060000-0x00000000041A0000-memory.dmp

Filesize
1.2MB

Download
memory/3364-153-0x0000000004060000-0x00000000041A0000-memory.dmp

Filesize
1.2MB

Download
memory/3364-154-0x0000000004060000-0x00000000041A0000-memory.dmp

Filesize
1.2MB

Download
memory/4596-155-0x00007FF66A196890-mapping.dmp

Download
memory/4596-156-0x0000028A47FC0000-0x0000028A48100000-memory.dmp

Filesize
1.2MB

Download
memory/4596-157-0x0000028A47FC0000-0x0000028A48100000-memory.dmp

Filesize
1.2MB

Download
memory/4596-158-0x00000000002B0000-0x000000000054B000-memory.dmp

Filesize
2.6MB

Download
memory/4596-159-0x0000028A46570000-0x0000028A4681C000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads