Analysis
max time kernel: 135s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-01-2023 14:02
Static task: static1
Behavioral task: behavioral1
Sample: 03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe
Resource: win10v2004-20220812-en
General
-
Target
03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe
-
Size
367KB
-
MD5
1693d0a858b8ff3b83852c185880e459
-
SHA1
5f1536f573d9bfef21a4e15273b5a9852d3d81f1
-
SHA256
03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23
-
SHA512
6d8dd1992e225cf825530ff4a0197fc3ad9bef0235f003c638385077b248191fcf0bafbcd5b9019041fab3b9162b7b642c54acf151d1d7897482f34cf8a91d2a
-
SSDEEP
3072:19UCNIWkLy1K6stSGwm4WV9coNPYPrGN2KZ5EIFo2gM8aycLFxpBnM4y2AM8y+Kq:rEM1zshBjVPYPr9K3z+2DdLF/O
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes: 03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe
description | pid | process | target process
PID 5100 created 2548 | 5100 | 03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe | computerdefaults.exe
-
Blocklisted process makes network request 12 IoCs
Processes: rundll32.exe
flow | pid | process
17 | 2164 | rundll32.exe
91 | 2164 | rundll32.exe
93 | 2164 | rundll32.exe
94 | 2164 | rundll32.exe
95 | 2164 | rundll32.exe
96 | 2164 | rundll32.exe
97 | 2164 | rundll32.exe
98 | 2164 | rundll32.exe
99 | 2164 | rundll32.exe
102 | 2164 | rundll32.exe
104 | 2164 | rundll32.exe
105 | 2164 | rundll32.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes: rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\oAukgeyMwyXUDpXvLAtaFtLKJ\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\oAukgeyMwyXUDpXvLAtaFtLKJ" | rundll32.exe
-
Loads dropped DLL 1 IoCs
Processes: rundll32.exe
pid | process
2164 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
101 | icanhazip.com
103 | ip-api.com
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes: rundll32.exe
pid | process
2164 | rundll32.exe (23 identical entries, one per IoC)
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes: rundll32.exe
pid | process
2164 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: rundll32.exe
description | pid | process
Token: SeLoadDriverPrivilege | 2164 | rundll32.exe
Token: SeDebugPrivilege | 2164 | rundll32.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes: 03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe, rundll32.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 5100 wrote to memory of 2164 | 5100 | 03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe | rundll32.exe
PID 5100 wrote to memory of 2164 | 5100 | 03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe | rundll32.exe
PID 2164 wrote to memory of 4448 | 2164 | rundll32.exe | cmd.exe
PID 2164 wrote to memory of 4448 | 2164 | rundll32.exe | cmd.exe
PID 4448 wrote to memory of 1224 | 4448 | cmd.exe | chcp.com
PID 4448 wrote to memory of 1224 | 4448 | cmd.exe | chcp.com
PID 4448 wrote to memory of 1528 | 4448 | cmd.exe | netsh.exe
PID 4448 wrote to memory of 1528 | 4448 | cmd.exe | netsh.exe
PID 4448 wrote to memory of 776 | 4448 | cmd.exe | findstr.exe
PID 4448 wrote to memory of 776 | 4448 | cmd.exe | findstr.exe
PID 2164 wrote to memory of 2828 | 2164 | rundll32.exe | cmd.exe
PID 2164 wrote to memory of 2828 | 2164 | rundll32.exe | cmd.exe
PID 2828 wrote to memory of 1532 | 2828 | cmd.exe | chcp.com
PID 2828 wrote to memory of 1532 | 2828 | cmd.exe | chcp.com
PID 2828 wrote to memory of 4148 | 2828 | cmd.exe | netsh.exe
PID 2828 wrote to memory of 4148 | 2828 | cmd.exe | netsh.exe
-
outlook_office_path 1 IoCs
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
-
outlook_win_path 1 IoCs
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of WriteProcessMemory
-
  depth 2: C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe
-
  depth 2: C:\Windows\System32\computerdefaults.exe
      command line: C:\Windows\System32\computerdefaults.exe
-
    depth 3: C:\Windows\system32\rundll32.exe
        command line: C:\Windows\system32\rundll32.exe C:\ProgramData\updateTask.dll, Entry
        - Blocklisted process makes network request
        - Sets service image path in registry
        - Loads dropped DLL
        - Accesses Microsoft Outlook profiles
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - outlook_office_path
        - outlook_win_path
-
      depth 4: C:\Windows\system32\cmd.exe
          command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          - Suspicious use of WriteProcessMemory
-
        depth 5: C:\Windows\system32\chcp.com
            command line: chcp 65001
-
        depth 5: C:\Windows\system32\netsh.exe
            command line: netsh wlan show profile
-
        depth 5: C:\Windows\system32\findstr.exe
            command line: findstr All
-
      depth 4: C:\Windows\system32\cmd.exe
          command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
          - Suspicious use of WriteProcessMemory
-
        depth 5: C:\Windows\system32\chcp.com
            command line: chcp 65001
-
        depth 5: C:\Windows\system32\netsh.exe
            command line: netsh wlan show networks mode=bssid
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\updateTask.dll
Filesize: 497KB
MD5: 377f617ccd4aa09287d5221d5d8e1228
SHA1: 288358deaa053b30596100c9841a7d6d1616908d
SHA256: f1623c2f7c00affa3985cf7b9cdf25e39320700fa9d69f9f9426f03054b4b712
SHA512: c990868c093b1eed64d1b35e75a6116cdffd4995be781bb714b1c365d7af8cc5a3b982e08aa863eb3a2829520a86d6758765ae7db1c4971820c5f95697777031
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize: 1KB
MD5: d6feef009f306a0da27282041de55936
SHA1: c0c47611a37b483e80b87480a1db416da88a9aa7
SHA256: 6d67916e6546019defb8ebac401eaaea7537641ca59de6de7919f4665e68f62e
SHA512: dedfa04b7895c0980b3995c49fbd4a36f81ec4a6a57eb7de58490be61f437129cfd4564586e41d7647b490848dd2abf0acd856ba9e32941bdcfdcda2e4540e5e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7EEA265692AC7955311B9E4CB27AFC35_3F411C6719032639C08C134E44D08A86
Filesize: 1KB
MD5: eda3c80c4e119d41ea8403dc7de92935
SHA1: ec60ad93c12892ba780e7d1ab8f25016b20d43dc
SHA256: 9e01a1843a9c101af2d98206521e06ef5d7f327ad34eeba66ba06ae2c7345c52
SHA512: 357770dbb928ff0eb40080e739da1dbe87010f424f8eb95b44d66fa8eaff504f1b90b32e8bf3d4ed9574643cfd92f48fbbae012104c7c644beba46ba0539f397
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize: 1KB
MD5: 65d5497f2f7277340fc0b4862151c451
SHA1: 1421e15fb74afe85d63d6d482fcabf8bb901a770
SHA256: d946fa0aa9da4832af4073054d1cc0e3ac6efaf66778d5fd719032ea37c85bad
SHA512: e80f22391fe9081c28c90c4413295155ab3ea46d45db52911cbcd54a80b5a045f598e15906b7ab94bc534268e8cfda4cdab6307810acd65c63897b543ced9b8e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize: 450B
MD5: 04ef45ba3bc8ed36bedb33544722d170
SHA1: 25cead5dc86bab6e4f2d45f4149a79ff91250b47
SHA256: 3a2acb800b9c5a3be4e141d92b40d1d77d23f7825258cd444d643d4edd24cff0
SHA512: 4d689d1203970ac144391e2bbdd1c05abb663d1dee86d154ed768bc9e915596bd7a824616d44dfd0daf1072ad9da84d7b41e38d1db7ca4e34d25847280b6d255
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7EEA265692AC7955311B9E4CB27AFC35_3F411C6719032639C08C134E44D08A86
Filesize: 482B
MD5: d5b061ce0bb22decac4ad6396a576a18
SHA1: 8a874eb22ed9f95ab28f8e91f676a932d358eb5b
SHA256: d1401d3ff4299e8cdde317bfe5406b522c79b6c0d5e6f0de93f8949da1b84f6a
SHA512: 4b937ac07e992fe35c6eab7cdfea1402d3f7c559cc6518ac6ce7a5142a5eb70220e1d266179c75203e629c5723a0566b9ac15f036a4cc422ef70d3d4e8a7641b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize: 458B
MD5: f5dcda59960cbbd5be4a17536a4b4098
SHA1: 9131fa2ff3cf932bb343e276c29cacb73113597c
SHA256: 38baf8b3703fe55e28b9687edd27c9244b55103de03b5c04c6d02d90cbcd518e
SHA512: 504b65fb8811340ce0290db832c047b7f2e77284eca4f477bba786cda0134bffad9861a9290331ac9794406c1461d394f9ee3147abe6c5ee28e691e72f3b4a29
-
memory/776-147-0x0000000000000000-mapping.dmp
-
memory/1224-145-0x0000000000000000-mapping.dmp
-
memory/1528-146-0x0000000000000000-mapping.dmp
-
memory/1532-149-0x0000000000000000-mapping.dmp
-
memory/2164-153-0x00007FFE1BCB0000-0x00007FFE1C771000-memory.dmp
Filesize: 10.8MB
-
memory/2164-142-0x0000017D46CA0000-0x0000017D471C8000-memory.dmp
Filesize: 5.2MB
-
memory/2164-143-0x00007FFE1BCB0000-0x00007FFE1C771000-memory.dmp
Filesize: 10.8MB
-
memory/2164-154-0x0000017D4574A000-0x0000017D4574F000-memory.dmp
Filesize: 20KB
-
memory/2164-132-0x0000000000000000-mapping.dmp
-
memory/2164-141-0x0000017D465A0000-0x0000017D46762000-memory.dmp
Filesize: 1.8MB
-
memory/2164-151-0x0000017D4574A000-0x0000017D4574F000-memory.dmp
Filesize: 20KB
-
memory/2164-152-0x0000017D476B0000-0x0000017D476D2000-memory.dmp
Filesize: 136KB
-
memory/2828-148-0x0000000000000000-mapping.dmp
-
memory/4148-150-0x0000000000000000-mapping.dmp
-
memory/4448-144-0x0000000000000000-mapping.dmp