Behavioral Report

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-02-2023 19:55

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

e4d9015e2bed3af0480b51231b68bb23.exe
Size

194KB
MD5

e4d9015e2bed3af0480b51231b68bb23
SHA1

c148f8cc0d8930602a00155cc0f370d2e22a811a
SHA256

893f1df3f71f13731482f53655a5f6470ee00eae87f84e31da4af2950df80cef
SHA512

5bc66c3aac2497c2e3df851dc75011cf529a0fd76ab18280a626c4a2975b07e740ed74cbb6afe9b4ea518d4a2772f5783120c3881ff551ef2be14abb0842c665
SSDEEP

6144:+rdOfeBDRzseSmV7v2PCc4gorppZiG73TAW:+rdOfeia79

Score

10^/10

purecrypter collection downloader loader spyware stealer

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs
loader

Processes:

resource yara_rule

behavioral1/memory/1884-56-0x00000000072E0000-0x00000000075E4000-memory.dmp family_purecrypter
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

TTPs:

Data from Local System Credentials in Files

resource	yara_rule
behavioral1/memory/1884-56-0x00000000072E0000-0x00000000075E4000-memory.dmp	family_purecrypter

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

TTPs:

Email Collection

Processes:

e4d9015e2bed3af0480b51231b68bb23.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4d9015e2bed3af0480b51231b68bb23.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4d9015e2bed3af0480b51231b68bb23.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4d9015e2bed3af0480b51231b68bb23.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ipinfo.io
6 ipinfo.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

e4d9015e2bed3af0480b51231b68bb23.exe

description pid process target process

PID 1884 set thread context of 988 1884 e4d9015e2bed3af0480b51231b68bb23.exe e4d9015e2bed3af0480b51231b68bb23.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1280 988 WerFault.exe e4d9015e2bed3af0480b51231b68bb23.exe

flow	ioc
5	ipinfo.io
6	ipinfo.io

description	pid	process	target process
PID 1884 set thread context of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe

pid	pid_target	process	target process
1280	988	WerFault.exe	e4d9015e2bed3af0480b51231b68bb23.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

e4d9015e2bed3af0480b51231b68bb23.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	e4d9015e2bed3af0480b51231b68bb23.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	e4d9015e2bed3af0480b51231b68bb23.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

TTPs:

Install Root Certificate Modify Registry

Processes:

e4d9015e2bed3af0480b51231b68bb23.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	e4d9015e2bed3af0480b51231b68bb23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	e4d9015e2bed3af0480b51231b68bb23.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	e4d9015e2bed3af0480b51231b68bb23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	e4d9015e2bed3af0480b51231b68bb23.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	e4d9015e2bed3af0480b51231b68bb23.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	e4d9015e2bed3af0480b51231b68bb23.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

280 powershell.exe

pid	process
280	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e4d9015e2bed3af0480b51231b68bb23.exepowershell.exee4d9015e2bed3af0480b51231b68bb23.exe

description	pid	process
Token: SeDebugPrivilege	1884	e4d9015e2bed3af0480b51231b68bb23.exe
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	988	e4d9015e2bed3af0480b51231b68bb23.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

e4d9015e2bed3af0480b51231b68bb23.exee4d9015e2bed3af0480b51231b68bb23.exe

description	pid	process	target process
PID 1884 wrote to memory of 280	1884	e4d9015e2bed3af0480b51231b68bb23.exe	powershell.exe
PID 1884 wrote to memory of 280	1884	e4d9015e2bed3af0480b51231b68bb23.exe	powershell.exe
PID 1884 wrote to memory of 280	1884	e4d9015e2bed3af0480b51231b68bb23.exe	powershell.exe
PID 1884 wrote to memory of 280	1884	e4d9015e2bed3af0480b51231b68bb23.exe	powershell.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 1884 wrote to memory of 988	1884	e4d9015e2bed3af0480b51231b68bb23.exe	e4d9015e2bed3af0480b51231b68bb23.exe
PID 988 wrote to memory of 1280	988	e4d9015e2bed3af0480b51231b68bb23.exe	WerFault.exe
PID 988 wrote to memory of 1280	988	e4d9015e2bed3af0480b51231b68bb23.exe	WerFault.exe
PID 988 wrote to memory of 1280	988	e4d9015e2bed3af0480b51231b68bb23.exe	WerFault.exe
PID 988 wrote to memory of 1280	988	e4d9015e2bed3af0480b51231b68bb23.exe	WerFault.exe

outlook_office_path 1 IoCs

Processes:

e4d9015e2bed3af0480b51231b68bb23.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4d9015e2bed3af0480b51231b68bb23.exe

outlook_win_path 1 IoCs

Processes:

e4d9015e2bed3af0480b51231b68bb23.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e4d9015e2bed3af0480b51231b68bb23.exe

C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe

"C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe"

Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:280

C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe

C:\Users\Admin\AppData\Local\Temp\e4d9015e2bed3af0480b51231b68bb23.exe

Accesses Microsoft Outlook profiles
Checks processor information in registry
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path

PID:988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1880

Program crash

PID:1280

Network

MITRE ATT&CK Matrix

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Credential Access

Credentials in Files

T1081

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Discovery

Query Registry

T1012

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

memory/280-59-0x000000006F320000-0x000000006F8CB000-memory.dmp

Filesize
5MB

Download
memory/280-61-0x000000006F320000-0x000000006F8CB000-memory.dmp

Filesize
5MB

Download
memory/280-60-0x000000006F320000-0x000000006F8CB000-memory.dmp

Filesize
5MB

Download
memory/280-57-0x0000000000000000-mapping.dmp

Download
memory/988-63-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/988-71-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/988-76-0x0000000007FD0000-0x0000000008082000-memory.dmp

Filesize
712KB

Download
memory/988-75-0x00000000008A0000-0x00000000008AE000-memory.dmp

Filesize
56KB

Download
memory/988-73-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/988-64-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/988-66-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/988-67-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/988-68-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/988-69-0x00000000004D215E-mapping.dmp

Download
memory/1280-77-0x0000000000000000-mapping.dmp

Download
memory/1884-56-0x00000000072E0000-0x00000000075E4000-memory.dmp

Filesize
3MB

Download
memory/1884-54-0x0000000001340000-0x0000000001376000-memory.dmp

Filesize
216KB

Download
memory/1884-62-0x0000000005A60000-0x0000000005B54000-memory.dmp

Filesize
976KB

Download
memory/1884-55-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download