6f0c7b3a6173dc555b54135f2fbc2525202d8db045af831348e00bc6c6614313

General

Target

d6ad7adb87e18717f64c42a05bb572b1.exe
Size

355KB
MD5

d6ad7adb87e18717f64c42a05bb572b1
SHA1

bf917929f4d9ecb49991137fae7fae7c1759dfb9
SHA256

6f0c7b3a6173dc555b54135f2fbc2525202d8db045af831348e00bc6c6614313
SHA512

8034747963f6440a0372645fe73a6b4feb99c1694feef67ac01a0ccf3b1c1729b44a5294607bcdd399d47748c9fc606ee378f3ab8127927e6429e6756140e761
SSDEEP

6144:nfMKKRsesyDjBjoyljAt/Bmi5Zk71Ygr0JZ/0Ccq+PxySR6y5k1p9:UKKR1V0sEmiPk71YfJZrcJZvP5

Score

7^/10

collection discovery persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c00000001224e-7.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
2784	rundll32.exe
2784	rundll32.exe
2784	rundll32.exe
2784	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1692-0-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/files/0x000c00000001224e-7.dat	upx
behavioral1/memory/2784-12-0x0000000010000000-0x0000000010086000-memory.dmp	upx
behavioral1/memory/2784-13-0x0000000010000000-0x0000000010086000-memory.dmp	upx
behavioral1/memory/1692-14-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2784-21-0x0000000010000000-0x0000000010086000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	d6ad7adb87e18717f64c42a05bb572b1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSIDLL = "C:\\Windows\\SysWOW64\\rundll32.exe msixfz32.dll,OYMmLihwDV"	d6ad7adb87e18717f64c42a05bb572b1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msixfz32.dll	d6ad7adb87e18717f64c42a05bb572b1.exe
File opened for modification	C:\Windows\SysWOW64\msixfz32.dll	d6ad7adb87e18717f64c42a05bb572b1.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2104	1692	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1692	d6ad7adb87e18717f64c42a05bb572b1.exe
1692	d6ad7adb87e18717f64c42a05bb572b1.exe
1692	d6ad7adb87e18717f64c42a05bb572b1.exe
1692	d6ad7adb87e18717f64c42a05bb572b1.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2784	1692	d6ad7adb87e18717f64c42a05bb572b1.exe	28
PID 1692 wrote to memory of 2784	1692	d6ad7adb87e18717f64c42a05bb572b1.exe	28
PID 1692 wrote to memory of 2784	1692	d6ad7adb87e18717f64c42a05bb572b1.exe	28
PID 1692 wrote to memory of 2784	1692	d6ad7adb87e18717f64c42a05bb572b1.exe	28
PID 1692 wrote to memory of 2784	1692	d6ad7adb87e18717f64c42a05bb572b1.exe	28
PID 1692 wrote to memory of 2784	1692	d6ad7adb87e18717f64c42a05bb572b1.exe	28
PID 1692 wrote to memory of 2784	1692	d6ad7adb87e18717f64c42a05bb572b1.exe	28
PID 1692 wrote to memory of 2104	1692	d6ad7adb87e18717f64c42a05bb572b1.exe	29
PID 1692 wrote to memory of 2104	1692	d6ad7adb87e18717f64c42a05bb572b1.exe	29
PID 1692 wrote to memory of 2104	1692	d6ad7adb87e18717f64c42a05bb572b1.exe	29
PID 1692 wrote to memory of 2104	1692	d6ad7adb87e18717f64c42a05bb572b1.exe	29

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	d6ad7adb87e18717f64c42a05bb572b1.exe

C:\Users\Admin\AppData\Local\Temp\d6ad7adb87e18717f64c42a05bb572b1.exe
"C:\Users\Admin\AppData\Local\Temp\d6ad7adb87e18717f64c42a05bb572b1.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:1692
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\SysWOW64\rundll32.exe msixfz32.dll,OYMmLihwDV
  2⤵
  - Loads dropped DLL
  PID:2784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 284
  2⤵
  - Program crash
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msixfz32.dll

Filesize
171KB

MD5
1d137110c500eb3bd203b2dd8fc824ba

SHA1
cba3351274c3c654223e47a9e562b177c36ea94e

SHA256
0888b44ef56b2622b9f40e098a8faf7a3d716e0bbd1c655a09eaf9a2b14488b0

SHA512
a963808d2ff510c76d33156761ff5bea29b863e85444f5ec8fac025f4c51f8bc0de60f28ef36fc13a177d43537a15cb9c6117c1a54215d08cc6ec3a0b2527f6b

Download Submit
memory/1692-3-0x00000000022F0000-0x0000000002376000-memory.dmp

Filesize
536KB

Download
memory/1692-5-0x00000000022F0000-0x0000000002376000-memory.dmp

Filesize
536KB

Download
memory/1692-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1692-2-0x00000000022F0000-0x0000000002376000-memory.dmp

Filesize
536KB

Download
memory/1692-6-0x00000000022F0000-0x0000000002376000-memory.dmp

Filesize
536KB

Download
memory/1692-1-0x00000000006D0000-0x000000000072A000-memory.dmp

Filesize
360KB

Download
memory/1692-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1692-17-0x00000000006D0000-0x000000000072A000-memory.dmp

Filesize
360KB

Download
memory/1692-18-0x00000000022F0000-0x0000000002376000-memory.dmp

Filesize
536KB

Download
memory/2784-12-0x0000000010000000-0x0000000010086000-memory.dmp

Filesize
536KB

Download
memory/2784-13-0x0000000010000000-0x0000000010086000-memory.dmp

Filesize
536KB

Download
memory/2784-21-0x0000000010000000-0x0000000010086000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads