Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
22-02-2022 17:42
Static task
static1
Behavioral task
behavioral1
Sample
0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe
Resource
win10v2004-en-20220112
General
-
Target
0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe
-
Size
267KB
-
MD5
5478d0872828e7cc05b8c3d59877de57
-
SHA1
b8a74db005723b3431825d188ea7a03c5f7116c9
-
SHA256
0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8
-
SHA512
c09553be0d69e75bed30c572a98dc86c5373c2adbedb7be31d1fc1a45b66020b24830be1bdad077015394d8ddc40c9fdeaa687fb91e000a9764b5f5a0a7c08b2
Malware Config
Extracted
smokeloader
2020
http://dollybuster.at/upload/
http://spaldingcompanies.com/upload/
http://remik-franchise.ru/upload/
http://fennsports.com/upload/
http://am1420wbec.com/upload/
http://islamic-city.com/upload/
http://egsagl.com/upload/
http://mordo.ru/upload/
http://piratia-life.ru/upload/
Extracted
icedid
1843818144
grendafolz.com
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
IcedID First Stage Loader 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1484-63-0x00000000003E0000-0x00000000003EB000-memory.dmp IcedidFirstLoader -
Blocklisted process makes network request 4 IoCs
Processes:
rundll32.exerundll32.exerundll32.exeflow pid process 57 1912 rundll32.exe 60 576 rundll32.exe 61 812 rundll32.exe 63 812 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
9EAF.exeCD3F.exeE736.exepid process 1484 9EAF.exe 632 CD3F.exe 2036 E736.exe -
Deletes itself 1 IoCs
Processes:
pid process 1416 -
Loads dropped DLL 4 IoCs
Processes:
WerFault.exepid process 1416 896 WerFault.exe 896 WerFault.exe 896 WerFault.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts rundll32.exe -
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
E736.exeCD3F.exerundll32.exedescription pid process target process PID 2036 set thread context of 812 2036 E736.exe rundll32.exe PID 632 set thread context of 2012 632 CD3F.exe rundll32.exe PID 812 set thread context of 1500 812 rundll32.exe rundll32.exe -
Drops file in Program Files directory 8 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe rundll32.exe File opened for modification C:\Program Files\7-Zip\Lang\es.txt rundll32.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll rundll32.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected] rundll32.exe File opened for modification C:\Program Files\7-Zip\Lang\eu.txt rundll32.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll rundll32.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll rundll32.exe File opened for modification C:\Program Files\7-Zip\descript.ion rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 896 1484 WerFault.exe 9EAF.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
CD3F.exerundll32.exerundll32.exeE736.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor CD3F.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor CD3F.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 E736.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID E736.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID E736.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString CD3F.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature CD3F.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz E736.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data E736.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString E736.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 CD3F.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier CD3F.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString CD3F.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor E736.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet E736.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status E736.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier CD3F.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature CD3F.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 E736.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet E736.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 CD3F.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature CD3F.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier E736.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier E736.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz CD3F.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID CD3F.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 E736.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature E736.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data CD3F.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet CD3F.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information CD3F.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor E736.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 CD3F.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature E736.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier E736.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe -
Processes:
description ioc process Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" -
Modifies registry class 42 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 6a003100000000000000000010004d6f7a696c6c612046697265666f78004c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004d006f007a0069006c006c0061002000460069007200650066006f00780000001e000000 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_Classes\Local Settings rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 640031000000000000000000100050726f6772616d2046696c657300480008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000500072006f006700720061006d002000460069006c006500730000001c000000 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 rundll32.exe -
Processes:
9EAF.exerundll32.exerundll32.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd 9EAF.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd 9EAF.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A rundll32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F298E96813B7A70F30D2066100B5B0F12C49665D rundll32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F298E96813B7A70F30D2066100B5B0F12C49665D\Blob = 030000000100000014000000f298e96813b7a70f30d2066100b5b0f12c49665d20000000010000006e0200003082026a308201d3a00302010202081bedc6ed5a35eeac300d06092a864886f70d01010b0500305a3122302006035504030c1942616c74696d6f7265204379626572547272737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b3009060355040613024945301e170d3230303232333138343435305a170d3234303232323138343435305a305a3122302006035504030c1942616c74696d6f7265204379626572547272737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b300906035504061302494530819f300d06092a864886f70d010101050003818d0030818902818100b885bc1d920d194290c2a3b3d483f607581c3e7b71f9f8a05dce2849c1a9e0f925a0f11b8c49bd86efa139d580289a38735de352c106b7295be103efd52c8890907ec1ea7acbf8cb911d50ba4b74595dff57e18900066e55bb6d710df2c41e9fde62c51e6f5b06c7e19f11b2b821f4c8daaa4c171aba2170398805653f3ae6510203010001a3393037300f0603551d130101ff040530030101ff30240603551d11041d301b821942616c74696d6f7265204379626572547272737420526f6f74300d06092a864886f70d01010b0500038181006e798919077ddedcab1637dffe85246f444a47d2407a55643fbfb35b1aaed98e7d182c81c6e2899033abfec5f2151c30e18af8f0cfe3ab39d5aed3c55b232accae6a8abee47c39c5f6529f3eecb4dccb932032e136a2b18d8fb71aacd621113447b52fae0d0efcd63ce288a8de359eccdff63af5d8082c08b18f710ba6f489dc rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 9EAF.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd 9EAF.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exepid process 2028 0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe 2028 0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 1416 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 1416 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exepid process 2028 0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
WerFault.exerundll32.exedescription pid process Token: SeDebugPrivilege 896 WerFault.exe Token: SeShutdownPrivilege 1416 Token: SeDebugPrivilege 812 rundll32.exe Token: SeShutdownPrivilege 1416 -
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
rundll32.exerundll32.exerundll32.exepid process 1416 1416 812 rundll32.exe 2012 rundll32.exe 1500 rundll32.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid process 1416 1416 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9EAF.exeCD3F.exeE736.exedescription pid process target process PID 1416 wrote to memory of 1484 1416 9EAF.exe PID 1416 wrote to memory of 1484 1416 9EAF.exe PID 1416 wrote to memory of 1484 1416 9EAF.exe PID 1484 wrote to memory of 896 1484 9EAF.exe WerFault.exe PID 1484 wrote to memory of 896 1484 9EAF.exe WerFault.exe PID 1484 wrote to memory of 896 1484 9EAF.exe WerFault.exe PID 1416 wrote to memory of 632 1416 CD3F.exe PID 1416 wrote to memory of 632 1416 CD3F.exe PID 1416 wrote to memory of 632 1416 CD3F.exe PID 1416 wrote to memory of 632 1416 CD3F.exe PID 1416 wrote to memory of 2036 1416 E736.exe PID 1416 wrote to memory of 2036 1416 E736.exe PID 1416 wrote to memory of 2036 1416 E736.exe PID 1416 wrote to memory of 2036 1416 E736.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 632 wrote to memory of 1912 632 CD3F.exe rundll32.exe PID 2036 wrote to memory of 576 2036 E736.exe rundll32.exe PID 2036 wrote to memory of 576 2036 E736.exe rundll32.exe PID 2036 wrote to memory of 576 2036 E736.exe rundll32.exe PID 2036 wrote to memory of 576 2036 E736.exe rundll32.exe PID 2036 wrote to memory of 576 2036 E736.exe rundll32.exe PID 2036 wrote to memory of 576 2036 E736.exe rundll32.exe PID 2036 wrote to memory of 576 2036 E736.exe rundll32.exe PID 2036 wrote to memory of 576 2036 E736.exe rundll32.exe PID 2036 wrote to memory of 576 2036 E736.exe rundll32.exe PID 2036 wrote to memory of 576 2036 E736.exe rundll32.exe PID 2036 wrote to memory of 576 2036 E736.exe rundll32.exe PID 2036 wrote to memory of 576 2036 E736.exe rundll32.exe PID 2036 wrote to memory of 576 2036 E736.exe rundll32.exe PID 2036 wrote to memory of 576 2036 E736.exe rundll32.exe PID 2036 wrote to memory of 576 2036 E736.exe rundll32.exe -
outlook_office_path 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
outlook_win_path 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe"C:\Users\Admin\AppData\Local\Temp\0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2028
-
C:\Users\Admin\AppData\Local\Temp\9EAF.exeC:\Users\Admin\AppData\Local\Temp\9EAF.exe1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1484 -s 8842⤵
- Loads dropped DLL
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:896
-
C:\Users\Admin\AppData\Local\Temp\CD3F.exeC:\Users\Admin\AppData\Local\Temp\CD3F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\syswow64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:1912 -
C:\Windows\syswow64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2012
-
C:\Users\Admin\AppData\Local\Temp\E736.exeC:\Users\Admin\AppData\Local\Temp\E736.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\syswow64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Blocklisted process makes network request
PID:576 -
C:\Windows\syswow64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Blocklisted process makes network request
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- outlook_office_path
- outlook_win_path
PID:812 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 141093⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1500
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
ee0e37deb11cf4a2985c6ed958b13d62
SHA17d8670e51edef13c46a6189734975f43035f601c
SHA256c1b0455a5a7f7802014ef76bf279e6ec667a3fb89be5d0cef8b356d84642dc94
SHA512bda678fca4c791822d1166be9b4b2691bf8a8fd7e22a4e766f85cd5700f92cc1721284df9b628909378d9ff8e97a50fd278cd1bd4cfb77bbbb78359c36ff2246
-
MD5
ee0e37deb11cf4a2985c6ed958b13d62
SHA17d8670e51edef13c46a6189734975f43035f601c
SHA256c1b0455a5a7f7802014ef76bf279e6ec667a3fb89be5d0cef8b356d84642dc94
SHA512bda678fca4c791822d1166be9b4b2691bf8a8fd7e22a4e766f85cd5700f92cc1721284df9b628909378d9ff8e97a50fd278cd1bd4cfb77bbbb78359c36ff2246
-
MD5
748bbd8633ad346381c0ae69be3a0ca3
SHA1307a99df0a4ca1c550b536d79574497b4b3163eb
SHA25625869e4d0fa9fcfb2446560efe9d2ef6cae8f334508d1ba7cea5e539517e40a9
SHA5127a02ba4eb28a6985b2d4c95fe7ff9cbbc42f93a68db247ef8f58a13fc6b283dd79c594f5b7b5f3b9efc1adedc2d19b476031297bf794cd03c23ce59ad475fca7
-
MD5
748bbd8633ad346381c0ae69be3a0ca3
SHA1307a99df0a4ca1c550b536d79574497b4b3163eb
SHA25625869e4d0fa9fcfb2446560efe9d2ef6cae8f334508d1ba7cea5e539517e40a9
SHA5127a02ba4eb28a6985b2d4c95fe7ff9cbbc42f93a68db247ef8f58a13fc6b283dd79c594f5b7b5f3b9efc1adedc2d19b476031297bf794cd03c23ce59ad475fca7
-
MD5
e301c4e88d2ef3c3a79f12c47d2db55e
SHA15d3904b9cba99d8b643ddf1f6ada00aae3133353
SHA256bdad711d8509ccbb98cac05c70a1f1594dc2006e0fc063eaf0d15a2d7965a268
SHA512d069254a4d4f0ebc2d56acca3ef40f3b5831070888d332da753e45b0be3895734e5cea3fcf49def11fa7ae6f5de0ddf17de05a60585b3d9cfee99149e6609820
-
MD5
e301c4e88d2ef3c3a79f12c47d2db55e
SHA15d3904b9cba99d8b643ddf1f6ada00aae3133353
SHA256bdad711d8509ccbb98cac05c70a1f1594dc2006e0fc063eaf0d15a2d7965a268
SHA512d069254a4d4f0ebc2d56acca3ef40f3b5831070888d332da753e45b0be3895734e5cea3fcf49def11fa7ae6f5de0ddf17de05a60585b3d9cfee99149e6609820
-
MD5
e301c4e88d2ef3c3a79f12c47d2db55e
SHA15d3904b9cba99d8b643ddf1f6ada00aae3133353
SHA256bdad711d8509ccbb98cac05c70a1f1594dc2006e0fc063eaf0d15a2d7965a268
SHA512d069254a4d4f0ebc2d56acca3ef40f3b5831070888d332da753e45b0be3895734e5cea3fcf49def11fa7ae6f5de0ddf17de05a60585b3d9cfee99149e6609820
-
MD5
e301c4e88d2ef3c3a79f12c47d2db55e
SHA15d3904b9cba99d8b643ddf1f6ada00aae3133353
SHA256bdad711d8509ccbb98cac05c70a1f1594dc2006e0fc063eaf0d15a2d7965a268
SHA512d069254a4d4f0ebc2d56acca3ef40f3b5831070888d332da753e45b0be3895734e5cea3fcf49def11fa7ae6f5de0ddf17de05a60585b3d9cfee99149e6609820
-
MD5
ee0e37deb11cf4a2985c6ed958b13d62
SHA17d8670e51edef13c46a6189734975f43035f601c
SHA256c1b0455a5a7f7802014ef76bf279e6ec667a3fb89be5d0cef8b356d84642dc94
SHA512bda678fca4c791822d1166be9b4b2691bf8a8fd7e22a4e766f85cd5700f92cc1721284df9b628909378d9ff8e97a50fd278cd1bd4cfb77bbbb78359c36ff2246
-
MD5
ee0e37deb11cf4a2985c6ed958b13d62
SHA17d8670e51edef13c46a6189734975f43035f601c
SHA256c1b0455a5a7f7802014ef76bf279e6ec667a3fb89be5d0cef8b356d84642dc94
SHA512bda678fca4c791822d1166be9b4b2691bf8a8fd7e22a4e766f85cd5700f92cc1721284df9b628909378d9ff8e97a50fd278cd1bd4cfb77bbbb78359c36ff2246
-
MD5
ee0e37deb11cf4a2985c6ed958b13d62
SHA17d8670e51edef13c46a6189734975f43035f601c
SHA256c1b0455a5a7f7802014ef76bf279e6ec667a3fb89be5d0cef8b356d84642dc94
SHA512bda678fca4c791822d1166be9b4b2691bf8a8fd7e22a4e766f85cd5700f92cc1721284df9b628909378d9ff8e97a50fd278cd1bd4cfb77bbbb78359c36ff2246
-
MD5
ee0e37deb11cf4a2985c6ed958b13d62
SHA17d8670e51edef13c46a6189734975f43035f601c
SHA256c1b0455a5a7f7802014ef76bf279e6ec667a3fb89be5d0cef8b356d84642dc94
SHA512bda678fca4c791822d1166be9b4b2691bf8a8fd7e22a4e766f85cd5700f92cc1721284df9b628909378d9ff8e97a50fd278cd1bd4cfb77bbbb78359c36ff2246