104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62

Analysis

max time kernel
52s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
01-12-2022 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62.dll
Size

126KB
MD5

aebf8cd9ea982decded5ee6f3777c6d7
SHA1

406e723158cd5697503d1d04839d3bc7a5051603
SHA256

104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62
SHA512

f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981
SSDEEP

3072:ox7pOYzBekuOmWDWCMq6As523HeS9FAiZ87vO2rlL3Rn+9:ox7ZNhH/dMq6AO0a7vVlT

Score

7^/10

collection spyware stealer

Malware Config

Signatures

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4848	4556	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4556	rundll32.exe
4556	rundll32.exe
4556	rundll32.exe
4556	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 4556	4760	rundll32.exe	66
PID 4760 wrote to memory of 4556	4760	rundll32.exe	66
PID 4760 wrote to memory of 4556	4760	rundll32.exe	66

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62.dll,#1
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - outlook_win_path
  PID:4556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 744
    3⤵
    - Program crash
    PID:4848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4556-121-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-122-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-123-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-124-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-125-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-126-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-127-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-128-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-129-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-130-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-131-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-133-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-132-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-134-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-135-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-136-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-138-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-139-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-137-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-140-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-141-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-142-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-143-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-144-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-145-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-147-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-146-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-148-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-149-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-150-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-151-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-152-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-153-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-154-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-155-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-156-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-157-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-158-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-159-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-160-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-163-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-164-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-161-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-162-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-165-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-166-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-167-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-168-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-169-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-171-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-172-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-173-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-174-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-175-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-170-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-176-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-177-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-179-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-178-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-180-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-182-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-183-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-184-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download
memory/4556-181-0x0000000077850000-0x00000000779DE000-memory.dmp

Filesize
1.6MB

Download