icedid | 68cfdbb6b156ddb0502ff19fe6d6f5135f13bb8f7f785167c080e3f580d1ad78

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-en-20211208
submitted
22-02-2022 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe
Size

267KB
MD5

5478d0872828e7cc05b8c3d59877de57
SHA1

b8a74db005723b3431825d188ea7a03c5f7116c9
SHA256

0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8
SHA512

c09553be0d69e75bed30c572a98dc86c5373c2adbedb7be31d1fc1a45b66020b24830be1bdad077015394d8ddc40c9fdeaa687fb91e000a9764b5f5a0a7c08b2

Score

10^/10

icedid smokeloader 1843818144 backdoor banker collection discovery loader spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://dollybuster.at/upload/

http://spaldingcompanies.com/upload/

http://remik-franchise.ru/upload/

http://fennsports.com/upload/

http://am1420wbec.com/upload/

http://islamic-city.com/upload/

http://egsagl.com/upload/

http://mordo.ru/upload/

http://piratia-life.ru/upload/

rc4.i32

Extracted

Family

icedid

Campaign

1843818144

grendafolz.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

IcedID First Stage Loader 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1484-63-0x00000000003E0000-0x00000000003EB000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

flow pid process

57 1912 rundll32.exe
60 576 rundll32.exe
61 812 rundll32.exe
63 812 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

9EAF.exeCD3F.exeE736.exe

pid process

1484 9EAF.exe
632 CD3F.exe
2036 E736.exe
Deletes itself 1 IoCs

Processes:

pid process

1416
Loads dropped DLL 4 IoCs

Processes:

WerFault.exe

pid process

1416
896 WerFault.exe
896 WerFault.exe
896 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
57	1912	rundll32.exe
60	576	rundll32.exe
61	812	rundll32.exe
63	812	rundll32.exe

pid	process
1484	9EAF.exe
632	CD3F.exe
2036	E736.exe

pid	process
1416

pid	process
1416
896	WerFault.exe
896	WerFault.exe
896	WerFault.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

E736.exeCD3F.exerundll32.exe

description	pid	process	target process
PID 2036 set thread context of 812	2036	E736.exe	rundll32.exe
PID 632 set thread context of 2012	632	CD3F.exe	rundll32.exe
PID 812 set thread context of 1500	812	rundll32.exe	rundll32.exe

Drops file in Program Files directory 8 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

896 1484 WerFault.exe 9EAF.exe

pid	pid_target	process	target process
896	1484	WerFault.exe	9EAF.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CD3F.exerundll32.exerundll32.exeE736.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CD3F.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CD3F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	E736.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	E736.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	E736.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	CD3F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	CD3F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	E736.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	E736.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	E736.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CD3F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	CD3F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CD3F.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	E736.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	E736.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	E736.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	CD3F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CD3F.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	E736.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	E736.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	CD3F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	CD3F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	E736.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	E736.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	CD3F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	CD3F.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	E736.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	E736.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	CD3F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	CD3F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	CD3F.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	E736.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	CD3F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	E736.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	E736.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"

Modifies registry class 42 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 6a003100000000000000000010004d6f7a696c6c612046697265666f78004c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004d006f007a0069006c006c0061002000460069007200650066006f00780000001e000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 640031000000000000000000100050726f6772616d2046696c657300480008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000500072006f006700720061006d002000460069006c006500730000001c000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

9EAF.exerundll32.exerundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	9EAF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	9EAF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F298E96813B7A70F30D2066100B5B0F12C49665D	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F298E96813B7A70F30D2066100B5B0F12C49665D\Blob = 030000000100000014000000f298e96813b7a70f30d2066100b5b0f12c49665d20000000010000006e0200003082026a308201d3a00302010202081bedc6ed5a35eeac300d06092a864886f70d01010b0500305a3122302006035504030c1942616c74696d6f7265204379626572547272737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b3009060355040613024945301e170d3230303232333138343435305a170d3234303232323138343435305a305a3122302006035504030c1942616c74696d6f7265204379626572547272737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b300906035504061302494530819f300d06092a864886f70d010101050003818d0030818902818100b885bc1d920d194290c2a3b3d483f607581c3e7b71f9f8a05dce2849c1a9e0f925a0f11b8c49bd86efa139d580289a38735de352c106b7295be103efd52c8890907ec1ea7acbf8cb911d50ba4b74595dff57e18900066e55bb6d710df2c41e9fde62c51e6f5b06c7e19f11b2b821f4c8daaa4c171aba2170398805653f3ae6510203010001a3393037300f0603551d130101ff040530030101ff30240603551d11041d301b821942616c74696d6f7265204379626572547272737420526f6f74300d06092a864886f70d01010b0500038181006e798919077ddedcab1637dffe85246f444a47d2407a55643fbfb35b1aaed98e7d182c81c6e2899033abfec5f2151c30e18af8f0cfe3ab39d5aed3c55b232accae6a8abee47c39c5f6529f3eecb4dccb932032e136a2b18d8fb71aacd621113447b52fae0d0efcd63ce288a8de359eccdff63af5d8082c08b18f710ba6f489dc	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	9EAF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	9EAF.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe

pid	process
2028	0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe
2028	0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416
1416

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1416
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe

pid process

2028 0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe

pid	process
1416

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	896	WerFault.exe
Token: SeShutdownPrivilege	1416
Token: SeDebugPrivilege	812	rundll32.exe
Token: SeShutdownPrivilege	1416

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

1416
1416
812 rundll32.exe
2012 rundll32.exe
1500 rundll32.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1416
1416

pid	process
1416
1416
812	rundll32.exe
2012	rundll32.exe
1500	rundll32.exe

pid	process
1416
1416

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9EAF.exeCD3F.exeE736.exe

description	pid	process	target process
PID 1416 wrote to memory of 1484	1416		9EAF.exe
PID 1416 wrote to memory of 1484	1416		9EAF.exe
PID 1416 wrote to memory of 1484	1416		9EAF.exe
PID 1484 wrote to memory of 896	1484	9EAF.exe	WerFault.exe
PID 1484 wrote to memory of 896	1484	9EAF.exe	WerFault.exe
PID 1484 wrote to memory of 896	1484	9EAF.exe	WerFault.exe
PID 1416 wrote to memory of 632	1416		CD3F.exe
PID 1416 wrote to memory of 632	1416		CD3F.exe
PID 1416 wrote to memory of 632	1416		CD3F.exe
PID 1416 wrote to memory of 632	1416		CD3F.exe
PID 1416 wrote to memory of 2036	1416		E736.exe
PID 1416 wrote to memory of 2036	1416		E736.exe
PID 1416 wrote to memory of 2036	1416		E736.exe
PID 1416 wrote to memory of 2036	1416		E736.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 632 wrote to memory of 1912	632	CD3F.exe	rundll32.exe
PID 2036 wrote to memory of 576	2036	E736.exe	rundll32.exe
PID 2036 wrote to memory of 576	2036	E736.exe	rundll32.exe
PID 2036 wrote to memory of 576	2036	E736.exe	rundll32.exe
PID 2036 wrote to memory of 576	2036	E736.exe	rundll32.exe
PID 2036 wrote to memory of 576	2036	E736.exe	rundll32.exe
PID 2036 wrote to memory of 576	2036	E736.exe	rundll32.exe
PID 2036 wrote to memory of 576	2036	E736.exe	rundll32.exe
PID 2036 wrote to memory of 576	2036	E736.exe	rundll32.exe
PID 2036 wrote to memory of 576	2036	E736.exe	rundll32.exe
PID 2036 wrote to memory of 576	2036	E736.exe	rundll32.exe
PID 2036 wrote to memory of 576	2036	E736.exe	rundll32.exe
PID 2036 wrote to memory of 576	2036	E736.exe	rundll32.exe
PID 2036 wrote to memory of 576	2036	E736.exe	rundll32.exe
PID 2036 wrote to memory of 576	2036	E736.exe	rundll32.exe
PID 2036 wrote to memory of 576	2036	E736.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe
"C:\Users\Admin\AppData\Local\Temp\0418508dcc93da9ade2ed5dd5a18dbcea9d98b394d206abee22bad7deaed54f8.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2028

C:\Users\Admin\AppData\Local\Temp\9EAF.exe
C:\Users\Admin\AppData\Local\Temp\9EAF.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1484 -s 884
2⤵
- Loads dropped DLL
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Users\Admin\AppData\Local\Temp\CD3F.exe
C:\Users\Admin\AppData\Local\Temp\CD3F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:1912

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2012

C:\Users\Admin\AppData\Local\Temp\E736.exe
C:\Users\Admin\AppData\Local\Temp\E736.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:576

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- outlook_office_path
- outlook_win_path
PID:812

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14109
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9EAF.exe

MD5
ee0e37deb11cf4a2985c6ed958b13d62

SHA1
7d8670e51edef13c46a6189734975f43035f601c

SHA256
c1b0455a5a7f7802014ef76bf279e6ec667a3fb89be5d0cef8b356d84642dc94

SHA512
bda678fca4c791822d1166be9b4b2691bf8a8fd7e22a4e766f85cd5700f92cc1721284df9b628909378d9ff8e97a50fd278cd1bd4cfb77bbbb78359c36ff2246

Download Submit
C:\Users\Admin\AppData\Local\Temp\9EAF.exe

MD5
ee0e37deb11cf4a2985c6ed958b13d62

SHA1
7d8670e51edef13c46a6189734975f43035f601c

SHA256
c1b0455a5a7f7802014ef76bf279e6ec667a3fb89be5d0cef8b356d84642dc94

SHA512
bda678fca4c791822d1166be9b4b2691bf8a8fd7e22a4e766f85cd5700f92cc1721284df9b628909378d9ff8e97a50fd278cd1bd4cfb77bbbb78359c36ff2246

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aeesafyftaohi.tmp

MD5
748bbd8633ad346381c0ae69be3a0ca3

SHA1
307a99df0a4ca1c550b536d79574497b4b3163eb

SHA256
25869e4d0fa9fcfb2446560efe9d2ef6cae8f334508d1ba7cea5e539517e40a9

SHA512
7a02ba4eb28a6985b2d4c95fe7ff9cbbc42f93a68db247ef8f58a13fc6b283dd79c594f5b7b5f3b9efc1adedc2d19b476031297bf794cd03c23ce59ad475fca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aeesafyftaohi.tmp

MD5
748bbd8633ad346381c0ae69be3a0ca3

SHA1
307a99df0a4ca1c550b536d79574497b4b3163eb

SHA256
25869e4d0fa9fcfb2446560efe9d2ef6cae8f334508d1ba7cea5e539517e40a9

SHA512
7a02ba4eb28a6985b2d4c95fe7ff9cbbc42f93a68db247ef8f58a13fc6b283dd79c594f5b7b5f3b9efc1adedc2d19b476031297bf794cd03c23ce59ad475fca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD3F.exe

MD5
e301c4e88d2ef3c3a79f12c47d2db55e

SHA1
5d3904b9cba99d8b643ddf1f6ada00aae3133353

SHA256
bdad711d8509ccbb98cac05c70a1f1594dc2006e0fc063eaf0d15a2d7965a268

SHA512
d069254a4d4f0ebc2d56acca3ef40f3b5831070888d332da753e45b0be3895734e5cea3fcf49def11fa7ae6f5de0ddf17de05a60585b3d9cfee99149e6609820

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD3F.exe

MD5
e301c4e88d2ef3c3a79f12c47d2db55e

SHA1
5d3904b9cba99d8b643ddf1f6ada00aae3133353

SHA256
bdad711d8509ccbb98cac05c70a1f1594dc2006e0fc063eaf0d15a2d7965a268

SHA512
d069254a4d4f0ebc2d56acca3ef40f3b5831070888d332da753e45b0be3895734e5cea3fcf49def11fa7ae6f5de0ddf17de05a60585b3d9cfee99149e6609820

Download Submit
C:\Users\Admin\AppData\Local\Temp\E736.exe

MD5
e301c4e88d2ef3c3a79f12c47d2db55e

SHA1
5d3904b9cba99d8b643ddf1f6ada00aae3133353

SHA256
bdad711d8509ccbb98cac05c70a1f1594dc2006e0fc063eaf0d15a2d7965a268

SHA512
d069254a4d4f0ebc2d56acca3ef40f3b5831070888d332da753e45b0be3895734e5cea3fcf49def11fa7ae6f5de0ddf17de05a60585b3d9cfee99149e6609820

Download Submit
C:\Users\Admin\AppData\Local\Temp\E736.exe

MD5
e301c4e88d2ef3c3a79f12c47d2db55e

SHA1
5d3904b9cba99d8b643ddf1f6ada00aae3133353

SHA256
bdad711d8509ccbb98cac05c70a1f1594dc2006e0fc063eaf0d15a2d7965a268

SHA512
d069254a4d4f0ebc2d56acca3ef40f3b5831070888d332da753e45b0be3895734e5cea3fcf49def11fa7ae6f5de0ddf17de05a60585b3d9cfee99149e6609820

Download Submit
\Users\Admin\AppData\Local\Temp\9EAF.exe

MD5
ee0e37deb11cf4a2985c6ed958b13d62

SHA1
7d8670e51edef13c46a6189734975f43035f601c

SHA256
c1b0455a5a7f7802014ef76bf279e6ec667a3fb89be5d0cef8b356d84642dc94

SHA512
bda678fca4c791822d1166be9b4b2691bf8a8fd7e22a4e766f85cd5700f92cc1721284df9b628909378d9ff8e97a50fd278cd1bd4cfb77bbbb78359c36ff2246

Download Submit
\Users\Admin\AppData\Local\Temp\9EAF.exe

MD5
ee0e37deb11cf4a2985c6ed958b13d62

SHA1
7d8670e51edef13c46a6189734975f43035f601c

SHA256
c1b0455a5a7f7802014ef76bf279e6ec667a3fb89be5d0cef8b356d84642dc94

SHA512
bda678fca4c791822d1166be9b4b2691bf8a8fd7e22a4e766f85cd5700f92cc1721284df9b628909378d9ff8e97a50fd278cd1bd4cfb77bbbb78359c36ff2246

Download Submit
\Users\Admin\AppData\Local\Temp\9EAF.exe

MD5
ee0e37deb11cf4a2985c6ed958b13d62

SHA1
7d8670e51edef13c46a6189734975f43035f601c

SHA256
c1b0455a5a7f7802014ef76bf279e6ec667a3fb89be5d0cef8b356d84642dc94

SHA512
bda678fca4c791822d1166be9b4b2691bf8a8fd7e22a4e766f85cd5700f92cc1721284df9b628909378d9ff8e97a50fd278cd1bd4cfb77bbbb78359c36ff2246

Download Submit
\Users\Admin\AppData\Local\Temp\9EAF.exe

MD5
ee0e37deb11cf4a2985c6ed958b13d62

SHA1
7d8670e51edef13c46a6189734975f43035f601c

SHA256
c1b0455a5a7f7802014ef76bf279e6ec667a3fb89be5d0cef8b356d84642dc94

SHA512
bda678fca4c791822d1166be9b4b2691bf8a8fd7e22a4e766f85cd5700f92cc1721284df9b628909378d9ff8e97a50fd278cd1bd4cfb77bbbb78359c36ff2246

Download Submit
memory/576-149-0x0000000000120000-0x0000000000123000-memory.dmp

Filesize
12KB

Download
memory/576-148-0x00000000000D0000-0x00000000000D3000-memory.dmp

Filesize
12KB

Download
memory/576-150-0x0000000000130000-0x0000000000133000-memory.dmp

Filesize
12KB

Download
memory/576-146-0x00000000000B0000-0x00000000000B3000-memory.dmp

Filesize
12KB

Download
memory/576-111-0x0000000000210000-0x0000000000213000-memory.dmp

Filesize
12KB

Download
memory/576-147-0x00000000000C0000-0x00000000000C3000-memory.dmp

Filesize
12KB

Download
memory/576-144-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/576-145-0x00000000000A0000-0x00000000000A3000-memory.dmp

Filesize
12KB

Download
memory/576-142-0x0000000000080000-0x0000000000083000-memory.dmp

Filesize
12KB

Download
memory/576-143-0x0000000075410000-0x0000000075411000-memory.dmp

Filesize
4KB

Download
memory/576-112-0x0000000000210000-0x0000000000213000-memory.dmp

Filesize
12KB

Download
memory/632-220-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/632-73-0x0000000000740000-0x0000000000820000-memory.dmp

Filesize
896KB

Download
memory/632-223-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/632-154-0x0000000002B20000-0x000000000356B000-memory.dmp

Filesize
10.3MB

Download
memory/632-218-0x0000000003737000-0x0000000003738000-memory.dmp

Filesize
4KB

Download
memory/632-72-0x0000000000400000-0x0000000000735000-memory.dmp

Filesize
3.2MB

Download
memory/632-89-0x000000007779F000-0x00000000777A0000-memory.dmp

Filesize
4KB

Download
memory/632-74-0x00000000020D0000-0x00000000022F9000-memory.dmp

Filesize
2.2MB

Download
memory/632-75-0x0000000000400000-0x0000000000635000-memory.dmp

Filesize
2.2MB

Download
memory/632-213-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/632-76-0x00000000005E9000-0x00000000005F2000-memory.dmp

Filesize
36KB

Download
memory/632-156-0x0000000002B21000-0x000000000356B000-memory.dmp

Filesize
10.3MB

Download
memory/632-206-0x00000000777A0000-0x00000000777A1000-memory.dmp

Filesize
4KB

Download
memory/632-184-0x0000000003325000-0x0000000003326000-memory.dmp

Filesize
4KB

Download
memory/632-166-0x0000000002B20000-0x000000000356B000-memory.dmp

Filesize
10.3MB

Download
memory/632-165-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/632-159-0x0000000002B20000-0x000000000356B000-memory.dmp

Filesize
10.3MB

Download
memory/632-160-0x000000007779F000-0x00000000777A0000-memory.dmp

Filesize
4KB

Download
memory/812-230-0x0000000002EE5000-0x0000000002EE6000-memory.dmp

Filesize
4KB

Download
memory/812-214-0x000000007779F000-0x00000000777A0000-memory.dmp

Filesize
4KB

Download
memory/812-215-0x00000000026E0000-0x000000000312B000-memory.dmp

Filesize
10.3MB

Download
memory/812-226-0x000000000336E000-0x000000000336F000-memory.dmp

Filesize
4KB

Download
memory/812-225-0x0000000003307000-0x0000000003308000-memory.dmp

Filesize
4KB

Download
memory/812-217-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/812-212-0x0000000000230000-0x0000000000B5B000-memory.dmp

Filesize
9.2MB

Download
memory/896-70-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/896-64-0x000007FEFBE21000-0x000007FEFBE23000-memory.dmp

Filesize
8KB

Download
memory/1416-60-0x00000000025A0000-0x00000000025B6000-memory.dmp

Filesize
88KB

Download
memory/1484-63-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/1500-249-0x0000000000200000-0x00000000003E3000-memory.dmp

Filesize
1.9MB

Download
memory/1500-250-0x0000000001F10000-0x0000000002102000-memory.dmp

Filesize
1.9MB

Download
memory/1912-78-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/1912-121-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/1912-79-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/1912-106-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/1912-107-0x0000000077790000-0x0000000077791000-memory.dmp

Filesize
4KB

Download
memory/1912-132-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/1912-130-0x0000000000150000-0x0000000000152000-memory.dmp

Filesize
8KB

Download
memory/1912-108-0x0000000075410000-0x0000000075411000-memory.dmp

Filesize
4KB

Download
memory/1912-129-0x0000000000140000-0x0000000000142000-memory.dmp

Filesize
8KB

Download
memory/1912-115-0x00000000000D0000-0x00000000000D2000-memory.dmp

Filesize
8KB

Download
memory/1912-127-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/1912-117-0x00000000000E0000-0x00000000000E2000-memory.dmp

Filesize
8KB

Download
memory/1912-125-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/1912-119-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/1912-123-0x0000000000110000-0x0000000000112000-memory.dmp

Filesize
8KB

Download
memory/2012-231-0x0000000002ED5000-0x0000000002ED6000-memory.dmp

Filesize
4KB

Download
memory/2012-228-0x00000000026D0000-0x000000000311B000-memory.dmp

Filesize
10.3MB

Download
memory/2012-229-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2012-227-0x000000007779F000-0x00000000777A0000-memory.dmp

Filesize
4KB

Download
memory/2012-224-0x00000000001E0000-0x0000000000B0B000-memory.dmp

Filesize
9.2MB

Download
memory/2012-236-0x0000000003447000-0x0000000003448000-memory.dmp

Filesize
4KB

Download
memory/2028-55-0x000000000065D000-0x000000000066E000-memory.dmp

Filesize
68KB

Download
memory/2028-58-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2028-57-0x000000000065D000-0x000000000066E000-memory.dmp

Filesize
68KB

Download
memory/2028-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2028-56-0x0000000076731000-0x0000000076733000-memory.dmp

Filesize
8KB

Download
memory/2036-158-0x0000000002B00000-0x000000000354B000-memory.dmp

Filesize
10.3MB

Download
memory/2036-186-0x0000000003305000-0x0000000003306000-memory.dmp

Filesize
4KB

Download
memory/2036-216-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2036-164-0x0000000002B00000-0x000000000354B000-memory.dmp

Filesize
10.3MB

Download
memory/2036-209-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/2036-189-0x00000000777A0000-0x00000000777A1000-memory.dmp

Filesize
4KB

Download
memory/2036-208-0x00000000038C7000-0x00000000038C8000-memory.dmp

Filesize
4KB

Download
memory/2036-207-0x0000000003860000-0x0000000003861000-memory.dmp

Filesize
4KB

Download
memory/2036-163-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download
memory/2036-109-0x0000000000400000-0x0000000000735000-memory.dmp

Filesize
3.2MB

Download
memory/2036-157-0x0000000002B01000-0x000000000354B000-memory.dmp

Filesize
10.3MB

Download
memory/2036-135-0x0000000000400000-0x0000000000635000-memory.dmp

Filesize
2.2MB

Download
memory/2036-155-0x0000000002B00000-0x000000000354B000-memory.dmp

Filesize
10.3MB

Download