e41ce0cdf1f1fa1ba9041ec2ec201a22149d5042df8f7caf1e410d720909f605

General

Target

cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe
Size

353KB
MD5

cb14cf7a1f1bbcc551d0ee6bc42d30e3
SHA1

9b41a6898ad99074382f6609c787f55da311c85f
SHA256

e41ce0cdf1f1fa1ba9041ec2ec201a22149d5042df8f7caf1e410d720909f605
SHA512

61556dc90c3679bd0766c940e9761b09ed9eec7228efe4663c8c2847eee04f5569de2c6b0f35f94faffbdea85321ab6222e6c03a9abf167d6e6c9728fc714c04
SSDEEP

6144:iu6gLYOxCgcK4l4XorTwL3FbBDdXHG0wBPCThzyygIcgD/zNo5Onk:/YOwgSl4XUE3FxBm07JydNgrC5

Score

7^/10

collection discovery persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a000000012255-7.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
2384	rundll32.exe
2384	rundll32.exe
2384	rundll32.exe
2384	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2808-0-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/files/0x000a000000012255-7.dat	upx
behavioral1/memory/2384-12-0x0000000010000000-0x0000000010087000-memory.dmp	upx
behavioral1/memory/2808-14-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2384-15-0x0000000010000000-0x0000000010087000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSIDLL = "C:\\Windows\\SysWOW64\\rundll32.exe msizmg32.dll,UaSeMgcEJ"	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msizmg32.dll	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe
File opened for modification	C:\Windows\SysWOW64\msizmg32.dll	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3040	2808	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2808	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe
2808	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe
2808	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe
2808	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2384	2808	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe	28
PID 2808 wrote to memory of 2384	2808	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe	28
PID 2808 wrote to memory of 2384	2808	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe	28
PID 2808 wrote to memory of 2384	2808	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe	28
PID 2808 wrote to memory of 2384	2808	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe	28
PID 2808 wrote to memory of 2384	2808	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe	28
PID 2808 wrote to memory of 2384	2808	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe	28
PID 2808 wrote to memory of 3040	2808	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe	29
PID 2808 wrote to memory of 3040	2808	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe	29
PID 2808 wrote to memory of 3040	2808	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe	29
PID 2808 wrote to memory of 3040	2808	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe	29

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe

C:\Users\Admin\AppData\Local\Temp\cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe
"C:\Users\Admin\AppData\Local\Temp\cb14cf7a1f1bbcc551d0ee6bc42d30e3.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:2808
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\SysWOW64\rundll32.exe msizmg32.dll,UaSeMgcEJ
  2⤵
  - Loads dropped DLL
  PID:2384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 320
  2⤵
  - Program crash
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msizmg32.dll

Filesize
172KB

MD5
e99990009360a36211cd96b07164d23c

SHA1
c7d9aa373a0e93e2e8df9509ee907b2b966b50ad

SHA256
44f8b9521333489312e6ed742217c4ff4f7fc292af61603018a9b45322a51164

SHA512
a9231a82999145bedc40b04f6cc2b8ec4c2cb0583ef99f229027495506f8f1a504afc183e0d4f71f0afee1dbb780714ad318d598dbd824973a4840f5b00b25ec

Download Submit
memory/2384-15-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/2384-12-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/2384-11-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/2808-4-0x0000000001FB0000-0x0000000002037000-memory.dmp

Filesize
540KB

Download
memory/2808-6-0x0000000001FB0000-0x0000000002037000-memory.dmp

Filesize
540KB

Download
memory/2808-3-0x0000000001FB0000-0x0000000002037000-memory.dmp

Filesize
540KB

Download
memory/2808-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2808-2-0x0000000001FB0000-0x0000000002037000-memory.dmp

Filesize
540KB

Download
memory/2808-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2808-1-0x0000000000220000-0x000000000027A000-memory.dmp

Filesize
360KB

Download
memory/2808-16-0x0000000000220000-0x000000000027A000-memory.dmp

Filesize
360KB

Download
memory/2808-18-0x0000000001FB0000-0x0000000002037000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads