Analysis

  • max time kernel
    145s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-03-2024 18:59

General

  • Target

    5554595940945dc2e7549d8840344e150954f6419b0e809e1bcfb667fcd663f3.dll

  • Size

    126KB

  • MD5

    2930d1a61c3e082b983802bf71266ec0

  • SHA1

    9b676931a59da39eac50a08c15d5c4beb22ac366

  • SHA256

    5554595940945dc2e7549d8840344e150954f6419b0e809e1bcfb667fcd663f3

  • SHA512

    df8038ac7866a9929d56f138380ec75b78723a5a99ce425f394b216f8a30597a90e6f1173269dda06b3a414b0ccab60a6cf1fef2d0047f5ed010d5c7f9aed53b

  • SSDEEP

    3072:Yx7p5EJTJx+Rg/TwY1o9CeQepHOSNGwbQ6kUzlCN9V0869:Yx781URg/eCeZfIUzlC

Malware Config

Signatures

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5554595940945dc2e7549d8840344e150954f6419b0e809e1bcfb667fcd663f3.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5554595940945dc2e7549d8840344e150954f6419b0e809e1bcfb667fcd663f3.dll,#1
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • outlook_win_path
      PID:4544

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads