03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23

General

Target

03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe
Size

367KB
MD5

1693d0a858b8ff3b83852c185880e459
SHA1

5f1536f573d9bfef21a4e15273b5a9852d3d81f1
SHA256

03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23
SHA512

6d8dd1992e225cf825530ff4a0197fc3ad9bef0235f003c638385077b248191fcf0bafbcd5b9019041fab3b9162b7b642c54acf151d1d7897482f34cf8a91d2a
SSDEEP

3072:19UCNIWkLy1K6stSGwm4WV9coNPYPrGN2KZ5EIFo2gM8aycLFxpBnM4y2AM8y+Kq:rEM1zshBjVPYPr9K3z+2DdLF/O

Score

10^/10

collection persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe

description pid process target process

PID 5100 created 2548 5100 03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe computerdefaults.exe

description	pid	process	target process
PID 5100 created 2548	5100	03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe	computerdefaults.exe

Blocklisted process makes network request 12 IoCs

Processes:

rundll32.exe

flow	pid	process
17	2164	rundll32.exe
91	2164	rundll32.exe
93	2164	rundll32.exe
94	2164	rundll32.exe
95	2164	rundll32.exe
96	2164	rundll32.exe
97	2164	rundll32.exe
98	2164	rundll32.exe
99	2164	rundll32.exe
102	2164	rundll32.exe
104	2164	rundll32.exe
105	2164	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\oAukgeyMwyXUDpXvLAtaFtLKJ\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\oAukgeyMwyXUDpXvLAtaFtLKJ"	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2164 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

101 icanhazip.com
103 ip-api.com

flow	ioc
101	icanhazip.com
103	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

rundll32.exe

pid	process
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe
2164	rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

rundll32.exe

pid process

2164 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exe

description pid process

Token: SeLoadDriverPrivilege 2164 rundll32.exe
Token: SeDebugPrivilege 2164 rundll32.exe

description	pid	process
Token: SeLoadDriverPrivilege	2164	rundll32.exe
Token: SeDebugPrivilege	2164	rundll32.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exerundll32.execmd.execmd.exe

description	pid	process	target process
PID 5100 wrote to memory of 2164	5100	03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe	rundll32.exe
PID 5100 wrote to memory of 2164	5100	03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe	rundll32.exe
PID 2164 wrote to memory of 4448	2164	rundll32.exe	cmd.exe
PID 2164 wrote to memory of 4448	2164	rundll32.exe	cmd.exe
PID 4448 wrote to memory of 1224	4448	cmd.exe	chcp.com
PID 4448 wrote to memory of 1224	4448	cmd.exe	chcp.com
PID 4448 wrote to memory of 1528	4448	cmd.exe	netsh.exe
PID 4448 wrote to memory of 1528	4448	cmd.exe	netsh.exe
PID 4448 wrote to memory of 776	4448	cmd.exe	findstr.exe
PID 4448 wrote to memory of 776	4448	cmd.exe	findstr.exe
PID 2164 wrote to memory of 2828	2164	rundll32.exe	cmd.exe
PID 2164 wrote to memory of 2828	2164	rundll32.exe	cmd.exe
PID 2828 wrote to memory of 1532	2828	cmd.exe	chcp.com
PID 2828 wrote to memory of 1532	2828	cmd.exe	chcp.com
PID 2828 wrote to memory of 4148	2828	cmd.exe	netsh.exe
PID 2828 wrote to memory of 4148	2828	cmd.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe
"C:\Users\Admin\AppData\Local\Temp\03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:1664

C:\Windows\System32\computerdefaults.exe
C:\Windows\System32\computerdefaults.exe
2⤵
PID:2548

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\ProgramData\updateTask.dll, Entry
3⤵
- Blocklisted process makes network request
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2164

C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
4⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:1224

C:\Windows\system32\netsh.exe
netsh wlan show profile
5⤵
PID:1528

C:\Windows\system32\findstr.exe
findstr All
5⤵
PID:776

C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
4⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:1532

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
5⤵
PID:4148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\updateTask.dll
Filesize
497KB

MD5
377f617ccd4aa09287d5221d5d8e1228

SHA1
288358deaa053b30596100c9841a7d6d1616908d

SHA256
f1623c2f7c00affa3985cf7b9cdf25e39320700fa9d69f9f9426f03054b4b712

SHA512
c990868c093b1eed64d1b35e75a6116cdffd4995be781bb714b1c365d7af8cc5a3b982e08aa863eb3a2829520a86d6758765ae7db1c4971820c5f95697777031

Download Submit
C:\ProgramData\updateTask.dll
Filesize
497KB

MD5
377f617ccd4aa09287d5221d5d8e1228

SHA1
288358deaa053b30596100c9841a7d6d1616908d

SHA256
f1623c2f7c00affa3985cf7b9cdf25e39320700fa9d69f9f9426f03054b4b712

SHA512
c990868c093b1eed64d1b35e75a6116cdffd4995be781bb714b1c365d7af8cc5a3b982e08aa863eb3a2829520a86d6758765ae7db1c4971820c5f95697777031

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize
1KB

MD5
d6feef009f306a0da27282041de55936

SHA1
c0c47611a37b483e80b87480a1db416da88a9aa7

SHA256
6d67916e6546019defb8ebac401eaaea7537641ca59de6de7919f4665e68f62e

SHA512
dedfa04b7895c0980b3995c49fbd4a36f81ec4a6a57eb7de58490be61f437129cfd4564586e41d7647b490848dd2abf0acd856ba9e32941bdcfdcda2e4540e5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7EEA265692AC7955311B9E4CB27AFC35_3F411C6719032639C08C134E44D08A86
Filesize
1KB

MD5
eda3c80c4e119d41ea8403dc7de92935

SHA1
ec60ad93c12892ba780e7d1ab8f25016b20d43dc

SHA256
9e01a1843a9c101af2d98206521e06ef5d7f327ad34eeba66ba06ae2c7345c52

SHA512
357770dbb928ff0eb40080e739da1dbe87010f424f8eb95b44d66fa8eaff504f1b90b32e8bf3d4ed9574643cfd92f48fbbae012104c7c644beba46ba0539f397

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
1KB

MD5
65d5497f2f7277340fc0b4862151c451

SHA1
1421e15fb74afe85d63d6d482fcabf8bb901a770

SHA256
d946fa0aa9da4832af4073054d1cc0e3ac6efaf66778d5fd719032ea37c85bad

SHA512
e80f22391fe9081c28c90c4413295155ab3ea46d45db52911cbcd54a80b5a045f598e15906b7ab94bc534268e8cfda4cdab6307810acd65c63897b543ced9b8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize
450B

MD5
04ef45ba3bc8ed36bedb33544722d170

SHA1
25cead5dc86bab6e4f2d45f4149a79ff91250b47

SHA256
3a2acb800b9c5a3be4e141d92b40d1d77d23f7825258cd444d643d4edd24cff0

SHA512
4d689d1203970ac144391e2bbdd1c05abb663d1dee86d154ed768bc9e915596bd7a824616d44dfd0daf1072ad9da84d7b41e38d1db7ca4e34d25847280b6d255

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7EEA265692AC7955311B9E4CB27AFC35_3F411C6719032639C08C134E44D08A86
Filesize
482B

MD5
d5b061ce0bb22decac4ad6396a576a18

SHA1
8a874eb22ed9f95ab28f8e91f676a932d358eb5b

SHA256
d1401d3ff4299e8cdde317bfe5406b522c79b6c0d5e6f0de93f8949da1b84f6a

SHA512
4b937ac07e992fe35c6eab7cdfea1402d3f7c559cc6518ac6ce7a5142a5eb70220e1d266179c75203e629c5723a0566b9ac15f036a4cc422ef70d3d4e8a7641b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
458B

MD5
f5dcda59960cbbd5be4a17536a4b4098

SHA1
9131fa2ff3cf932bb343e276c29cacb73113597c

SHA256
38baf8b3703fe55e28b9687edd27c9244b55103de03b5c04c6d02d90cbcd518e

SHA512
504b65fb8811340ce0290db832c047b7f2e77284eca4f477bba786cda0134bffad9861a9290331ac9794406c1461d394f9ee3147abe6c5ee28e691e72f3b4a29

Download Submit
memory/776-147-0x0000000000000000-mapping.dmp

Download
memory/1224-145-0x0000000000000000-mapping.dmp

Download
memory/1528-146-0x0000000000000000-mapping.dmp

Download
memory/1532-149-0x0000000000000000-mapping.dmp

Download
memory/2164-153-0x00007FFE1BCB0000-0x00007FFE1C771000-memory.dmp

Filesize
10.8MB

Download
memory/2164-142-0x0000017D46CA0000-0x0000017D471C8000-memory.dmp

Filesize
5.2MB

Download
memory/2164-143-0x00007FFE1BCB0000-0x00007FFE1C771000-memory.dmp

Filesize
10.8MB

Download
memory/2164-154-0x0000017D4574A000-0x0000017D4574F000-memory.dmp

Filesize
20KB

Download
memory/2164-132-0x0000000000000000-mapping.dmp

Download
memory/2164-141-0x0000017D465A0000-0x0000017D46762000-memory.dmp

Filesize
1.8MB

Download
memory/2164-151-0x0000017D4574A000-0x0000017D4574F000-memory.dmp

Filesize
20KB

Download
memory/2164-152-0x0000017D476B0000-0x0000017D476D2000-memory.dmp

Filesize
136KB

Download
memory/2828-148-0x0000000000000000-mapping.dmp

Download
memory/4148-150-0x0000000000000000-mapping.dmp

Download
memory/4448-144-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads