467b6c28e3a899fcf8da053d501b2373552d61601590e89cca9e82be65e92502

General

Target

d193eb5c3e84f42e152b5170447a12dc6ba79b22cae60496af08e605d1511584.exe
Size

128KB
MD5

35f4bac45ac7ea8aefa86d9bb87131d2
SHA1

a22fbf01e92813377c035de3fe43de01cd1b04f7
SHA256

d193eb5c3e84f42e152b5170447a12dc6ba79b22cae60496af08e605d1511584
SHA512

dbc2b1fae632888fd1fcc45b4a01372c9375c2cbb9c166507d72745fbf8280fc578e673aee4d2c631bd7ff44bcc167af5fc033f706feb14e0a141c5101704460
SSDEEP

3072:q+E6bAMOEVaT421edZs1LhsvlXR4VET421edZs:y5MOy2Os1Cl2MOs

Score

7^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 1 IoCs

pid	Process
2376	outlook.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe"	d193eb5c3e84f42e152b5170447a12dc6ba79b22cae60496af08e605d1511584.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\sys32.exe	d193eb5c3e84f42e152b5170447a12dc6ba79b22cae60496af08e605d1511584.exe
File created	C:\Windows\outlook.exe	d193eb5c3e84f42e152b5170447a12dc6ba79b22cae60496af08e605d1511584.exe
File opened for modification	C:\Windows\outlook.exe	d193eb5c3e84f42e152b5170447a12dc6ba79b22cae60496af08e605d1511584.exe
File opened for modification	C:\Windows\sys32.exe	d193eb5c3e84f42e152b5170447a12dc6ba79b22cae60496af08e605d1511584.exe
File opened for modification	C:\Windows\outlook.cfg	outlook.exe
File created	C:\Windows\crc32.cfg	outlook.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4528	2376	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d193eb5c3e84f42e152b5170447a12dc6ba79b22cae60496af08e605d1511584.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	outlook.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 2376	3504	d193eb5c3e84f42e152b5170447a12dc6ba79b22cae60496af08e605d1511584.exe	83
PID 3504 wrote to memory of 2376	3504	d193eb5c3e84f42e152b5170447a12dc6ba79b22cae60496af08e605d1511584.exe	83
PID 3504 wrote to memory of 2376	3504	d193eb5c3e84f42e152b5170447a12dc6ba79b22cae60496af08e605d1511584.exe	83

C:\Users\Admin\AppData\Local\Temp\d193eb5c3e84f42e152b5170447a12dc6ba79b22cae60496af08e605d1511584.exe
"C:\Users\Admin\AppData\Local\Temp\d193eb5c3e84f42e152b5170447a12dc6ba79b22cae60496af08e605d1511584.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\outlook.exe
  C:\Windows\outlook.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 24704
    3⤵
    - Program crash
    PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2376 -ip 2376
1⤵
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Windows Credential Manager

1

T1555.004

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\outlook.cfg

Filesize
733B

MD5
52c35cb11194f7b701534d66cb84b2dd

SHA1
9aca9cc891759e56aa26bbcfe56e76975bd772b2

SHA256
1f172f1e246a4dae770e0eb83b231b463e9ecac2368aefcc4aa09e2c8ae1c850

SHA512
33253e32dcbbf8bf735ff65825698a8a76fd88f6565b3948fd2a1f6da329bc25e9b7935123c7a38497d1a4e47c6deca3c7f72c6d614b33b82d1e28a584f8cba1

Download Submit
C:\Windows\outlook.cfg

Filesize
1KB

MD5
9a57c8be93d9e7f8db2b6dc36483b3ed

SHA1
39bc288951d1842e3b04af8c68af8b67cd2659be

SHA256
b0a57b55c0db9c8203ab65297b2f133b0ef4fca92891201b1c94c96eba651cb3

SHA512
78cbf6fefa7585e9ae92f4376a4f052c6d0bcf26ccd93176af9b6b25d39c4ce967f62bd2dcf74fb7aa1b6f93e976439e61690300c2909e8b5f84d32077d963b2

Download Submit
C:\Windows\outlook.exe

Filesize
49KB

MD5
0e9379e357aba95f8b9883af9b67675e

SHA1
280a174a414e5b8588f42b6328af2c8c8ff4394f

SHA256
96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28

SHA512
6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784

Download Submit
memory/2376-112-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2376-113-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3504-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3504-25-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads