8bffaa7522696c6760727929ec1c15b5aa346333f2c38833d23fbd5ed5765f13

Analysis

max time kernel
139s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bffaa7522696c6760727929ec1c15b5aa346333f2c38833d23fbd5ed5765f13.exe
Size

1.0MB
MD5

113c46ff43811083942746787c74670e
SHA1

4ccf9e38b219780b732f829a67bf4737a58a80bf
SHA256

8bffaa7522696c6760727929ec1c15b5aa346333f2c38833d23fbd5ed5765f13
SHA512

d9cca0c584c19a0ef8f247a865f8bb9ccb0d92f577ca32597c21fd15c884d14fc8d9c81fc0f0ad43f182a48b72912ef4d04e9c633eb9d3cbf84bb8e36d885488
SSDEEP

24576:Kp/LIlPvXbXPHyJr1zGmWw3fCnJwgPF2BBYR:Kx8lPDshGXwPUJwgonY

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

14 2856 rundll32.exe
54 2856 rundll32.exe
63 2856 rundll32.exe

flow	pid	process
14	2856	rundll32.exe
54	2856	rundll32.exe
63	2856	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ReadOutLoud\Parameters\ServiceDll = "C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\ReadOutLoud.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ReadOutLoud\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

2856 rundll32.exe
2708 svchost.exe
2452 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2856	rundll32.exe
2708	svchost.exe
2452	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2856 set thread context of 308 2856 rundll32.exe rundll32.exe

description	pid	process	target process
PID 2856 set thread context of 308	2856	rundll32.exe	rundll32.exe

Drops file in Program Files directory 34 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\index.html	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\editpdf.svg	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\editpdf.svg	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Compare_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Viewer.aapp	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Certificates_R.aapp	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Viewer.aapp	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\ReadOutLoud.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\natives_blob.bin	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner.gif	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\license.html	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\PDDom.api	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\server_issue.gif	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\init.js	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4964 3612 WerFault.exe 8bffaa7522696c6760727929ec1c15b5aa346333f2c38833d23fbd5ed5765f13.exe

pid	pid_target	process	target process
4964	3612	WerFault.exe	8bffaa7522696c6760727929ec1c15b5aa346333f2c38833d23fbd5ed5765f13.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D7F294899AD2AB27487E3042DD6366BE1D34B9F0	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D7F294899AD2AB27487E3042DD6366BE1D34B9F0\Blob = 030000000100000014000000d7f294899ad2ab27487e3042dd6366be1d34b9f020000000010000009b0200003082029730820200a003020102020810ec959d0ccce65d300d06092a864886f70d01010b0500306c312b302906035504030c224469676c436572742048696768204173737572616e636520455620526f6f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3230313132333038323733355a170d3234313132323038323733355a306c312b302906035504030c224469676c436572742048696768204173737572616e636520455620526f6f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100c3a3bee8968c22001711ada633ecaa690bd720a6173f6eb0b33dfe21aafa5675e0a0fce9bc63dde95fe94cd247a26a4c8d7264fca091523b14e8b23d0465782b8e4e939764b8ef0e7eb679f4dac5dd3800a18788059b4ef91db036f8e8671cfc814fd868241e635b707374a9cc62c3654733a2cf5fccd781d05066229979cc730203010001a3423040300f0603551d130101ff040530030101ff302d0603551d110426302482224469676c436572742048696768204173737572616e636520455620526f6f74204341300d06092a864886f70d01010b0500038181008a08925ae23112735184d811c8dc59a692f10b0e02057bdd133a1e8617b38e560c295b7c90f923d7cafb3a81efd7edc07e6e2a2694d366c4a2e0c05ef505503ffe3beb12fe9e89786ec6b8b2e45b237786f2e009329f25a5b5dd57fd7abc321ca4adb5ede102ee9180619c1ff37130a614528e0234caab46b25805f688271459	rundll32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

svchost.exerundll32.exe

pid	process
2708	svchost.exe
2708	svchost.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2856	rundll32.exe
2856	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 2856 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

308 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2856	rundll32.exe

pid	process
308	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8bffaa7522696c6760727929ec1c15b5aa346333f2c38833d23fbd5ed5765f13.exerundll32.exesvchost.exe

description	pid	process	target process
PID 3612 wrote to memory of 2856	3612	8bffaa7522696c6760727929ec1c15b5aa346333f2c38833d23fbd5ed5765f13.exe	rundll32.exe
PID 3612 wrote to memory of 2856	3612	8bffaa7522696c6760727929ec1c15b5aa346333f2c38833d23fbd5ed5765f13.exe	rundll32.exe
PID 3612 wrote to memory of 2856	3612	8bffaa7522696c6760727929ec1c15b5aa346333f2c38833d23fbd5ed5765f13.exe	rundll32.exe
PID 2856 wrote to memory of 308	2856	rundll32.exe	rundll32.exe
PID 2856 wrote to memory of 308	2856	rundll32.exe	rundll32.exe
PID 2856 wrote to memory of 308	2856	rundll32.exe	rundll32.exe
PID 2708 wrote to memory of 2452	2708	svchost.exe	rundll32.exe
PID 2708 wrote to memory of 2452	2708	svchost.exe	rundll32.exe
PID 2708 wrote to memory of 2452	2708	svchost.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8bffaa7522696c6760727929ec1c15b5aa346333f2c38833d23fbd5ed5765f13.exe
"C:\Users\Admin\AppData\Local\Temp\8bffaa7522696c6760727929ec1c15b5aa346333f2c38833d23fbd5ed5765f13.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp",Rrptfe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2856

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14212
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:308

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1652

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 528
2⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3612 -ip 3612
1⤵
PID:5052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4112

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\reference assemblies\microsoft\readoutloud.dll",aipAdmg=
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:2452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\ReadOutLoud.dll

Filesize
774KB

MD5
f4e27b5f133a3388a49b126e47985a46

SHA1
0a7c9b0a5ecda6873c81487e2122d25e0e3f2c30

SHA256
279b9c284cfa34962392511a8bbb8dcab7bf67c6997fb6bd1a7dd2a043023e1f

SHA512
e50d8d23b621d265751566934f6ce083c6a09a1008a2c2bc030b29f86753cbf118f29f3b9eade06fddd8c18398871ec32d2f477848b71abe50979d9b17359c08

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\ReadOutLoud.dll

Filesize
774KB

MD5
f4e27b5f133a3388a49b126e47985a46

SHA1
0a7c9b0a5ecda6873c81487e2122d25e0e3f2c30

SHA256
279b9c284cfa34962392511a8bbb8dcab7bf67c6997fb6bd1a7dd2a043023e1f

SHA512
e50d8d23b621d265751566934f6ce083c6a09a1008a2c2bc030b29f86753cbf118f29f3b9eade06fddd8c18398871ec32d2f477848b71abe50979d9b17359c08

Download Submit
C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml

Filesize
149KB

MD5
95fdba87a0835dce3d259c38ed7f9371

SHA1
cb539d0d5cf31d38ec78c1325ea4c1710b8ec89c

SHA256
f84ae8cef222f02e3fc7d05f76eb8bedc767de9310e8674eda522ae7c45bdd64

SHA512
ce0e66eb46fc6c97d1e05258e38fc58272989101c4f99c5e836a9600d2969f4a256c097da8c3ea6a8b7ee0b9471c3b674cdb88ff6281e7b4eb9e7f439465b96b

Download Submit
C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml

Filesize
93KB

MD5
2e8a1f4e2c4678c174e9f328fc9c0846

SHA1
39a7038d855f22e339bd26e578d02804ed7ec3b4

SHA256
846687ca03420046249f3525dc02ee08099671d8a3f48f42046febff9eedc877

SHA512
21cc574180abb4068293e44eb42820f57d4fc238a7677443997afa289a15c85f6c51311875a2c10edfe974dc56f484da0fe5dfeb2c0a4ca34ab977e1b0c2dd75

Download Submit
C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\C2RManifest.powerpointmui.msi.16.en-us.xml

Filesize
27KB

MD5
e9ed7134ebf28fea3f7aa5691a28438a

SHA1
ea1e55c279ed9f8dae333ae436204d8d67d46adf

SHA256
8fe0a353ce49d8bf91b019174a72f92c70870d8215b3afa565a01eb041569e28

SHA512
535d34d3e428d421793e147e8bf1e344e9a2da449ce25103bf4d72c7b421db429304d5eaebbe305ac566b4b172984677885dcab2aa118441a3df38c57fd04dd9

Download Submit
C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
7KB

MD5
f4b603547f83e5cb97e4ad4538aac812

SHA1
c225c8c582ad9fdd9e81291fcb4af711deb92508

SHA256
268d79fcfc4de72faeb0433e371176fedcfc0c33b0c9484b02c9936c3c6d4218

SHA512
d285740008ed9e6dbfc4284dfb5418e130f1eb4b2fb758fb2f8e86e0c5c557e050b415eaa66858c37cd95ddfd4ed6a40be77a333f254ec142982d2e3f3cc37cf

Download Submit
C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe.xml

Filesize
15KB

MD5
2f71d0396b93381c1fd86bf822612868

SHA1
d0801700dd00a51276f32c6ed19f5b713b5db825

SHA256
0543ea8c8efce3d69431f57affc2cfa44df1b9244a25ed080e4b2014d0419026

SHA512
67022ce5c41641799abff9e68cb3f049c5d932aea5c6fd8748469e2e7f51f987f1bdfc7d831a8d11a69d99a77cc363c51db8be6ad50e4014eb63a15c1f25a722

Download Submit
C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml

Filesize
3KB

MD5
1a3168a15983b890b16390a23a89a02e

SHA1
d56ce16d88d79159a27c2d1cd3770dc56d897ebe

SHA256
334782208e9520975f597b19a273fcc6f3a8a7caffd2e4fb22213f6b957f4946

SHA512
f2be33992fd70d90eb94973c19924229bb70da4ce21c9777cfccbf56b0635452b382d2846afe2b0cc80a83d3b6a2c855557855cfb22fc681d182b2b605daa668

Download Submit
C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\Tuririiowh.tmp

Filesize
3.5MB

MD5
62ea7726db9fc3a078eb06977f791f23

SHA1
8769e5973394fdbdc5a5e6369e2b53fbabff435f

SHA256
133fbeaf1b021b2d280fa44c58e4008f62e5c6bf513998c51dbbe9aac7df5ba9

SHA512
9cce0d075cb9e3ee8014336151b09482fc98639efc8dec30692c2d923acfa4b1a8d69a0a55467e29476fee164a2239860bcb808618846c30cf9c89ee4734537a

Download Submit
C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\resource.xml

Filesize
1KB

MD5
8a660378169f2615d70683a49d6540c9

SHA1
4e78f156eb4b8766568071e81b793f05b9ea7658

SHA256
f288b4ffdb060471a51dcea18c8e104c62cfcd8c37d7a41ee343145b4953cf46

SHA512
754bc1a9c90e4c4ea6cf1881d26c1afbb049870f41ff71c7c943726a1706f6b0b44a2f32742065f9d5eacc54d21cb54b76f5f17315af04614612f9cc58e46648

Download Submit
C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\stream.x64.en-us.hash

Filesize
128B

MD5
73f303800be636585f9ec14701cd8d5e

SHA1
456304dc888d5eaa159fa0fa34fc9bcc3bacb633

SHA256
c8e3762853e17a3bd49882b0d36afa285bed5639f8f9e88f716c3942e28b6ace

SHA512
8a80ee6d1b074d68a55bbb3d5be251cfaae89b0345a6b0e84a6359e8c1453c8bf0969e6d33a7d0523d30d586c46c1eede9e71f7a89f7bc67ea0ad866671b81b4

Download Submit
C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\wmp.ico

Filesize
110KB

MD5
589ff0b7d4d0d3fced65c3eae6559657

SHA1
4be3e4221a429b347888bbe3635e377271974c7f

SHA256
0e96c027d23a57e95103d1b64e4c5b8a153402f05b756dfcb737459476aaae35

SHA512
4a12bac3f61964d6c5608bbb9067d7673cd5e5a22463f6d16f402954045692f43ef1ea32d405f452d415c859c30b217e9d250a1c5c85cfd629bd393824b6523b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp

Filesize
774KB

MD5
d5e88f35e214f2dff51a7d494316bac2

SHA1
6306dfa71c4e32dede210631cf90732693c0afcf

SHA256
f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4

SHA512
ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp

Filesize
774KB

MD5
d5e88f35e214f2dff51a7d494316bac2

SHA1
6306dfa71c4e32dede210631cf90732693c0afcf

SHA256
f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4

SHA512
ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d

Download Submit
\??\c:\program files (x86)\reference assemblies\microsoft\readoutloud.dll

Filesize
774KB

MD5
f4e27b5f133a3388a49b126e47985a46

SHA1
0a7c9b0a5ecda6873c81487e2122d25e0e3f2c30

SHA256
279b9c284cfa34962392511a8bbb8dcab7bf67c6997fb6bd1a7dd2a043023e1f

SHA512
e50d8d23b621d265751566934f6ce083c6a09a1008a2c2bc030b29f86753cbf118f29f3b9eade06fddd8c18398871ec32d2f477848b71abe50979d9b17359c08

Download Submit
memory/308-150-0x0000000000770000-0x0000000000A02000-memory.dmp

Filesize
2.6MB

Download
memory/308-148-0x0000021D1EA70000-0x0000021D1EBB0000-memory.dmp

Filesize
1.2MB

Download
memory/308-147-0x0000021D1EA70000-0x0000021D1EBB0000-memory.dmp

Filesize
1.2MB

Download
memory/308-151-0x0000021D1EC00000-0x0000021D1EEA4000-memory.dmp

Filesize
2.6MB

Download
memory/308-146-0x00007FF7167E6890-mapping.dmp

Download
memory/1652-171-0x0000000000000000-mapping.dmp

Download
memory/2452-166-0x0000000000000000-mapping.dmp

Download
memory/2452-169-0x0000000005320000-0x0000000005E81000-memory.dmp

Filesize
11.4MB

Download
memory/2452-170-0x0000000005320000-0x0000000005E81000-memory.dmp

Filesize
11.4MB

Download
memory/2708-168-0x0000000003C60000-0x00000000047C1000-memory.dmp

Filesize
11.4MB

Download
memory/2708-156-0x0000000003C60000-0x00000000047C1000-memory.dmp

Filesize
11.4MB

Download
memory/2708-173-0x0000000003C60000-0x00000000047C1000-memory.dmp

Filesize
11.4MB

Download
memory/2856-142-0x00000000043C0000-0x0000000004500000-memory.dmp

Filesize
1.2MB

Download
memory/2856-141-0x00000000043C0000-0x0000000004500000-memory.dmp

Filesize
1.2MB

Download
memory/2856-149-0x0000000004439000-0x000000000443B000-memory.dmp

Filesize
8KB

Download
memory/2856-145-0x00000000043C0000-0x0000000004500000-memory.dmp

Filesize
1.2MB

Download
memory/2856-144-0x00000000043C0000-0x0000000004500000-memory.dmp

Filesize
1.2MB

Download
memory/2856-143-0x00000000043C0000-0x0000000004500000-memory.dmp

Filesize
1.2MB

Download
memory/2856-132-0x0000000000000000-mapping.dmp

Download
memory/2856-152-0x0000000004CB0000-0x0000000005811000-memory.dmp

Filesize
11.4MB

Download
memory/2856-140-0x00000000043C0000-0x0000000004500000-memory.dmp

Filesize
1.2MB

Download
memory/2856-139-0x0000000004CB0000-0x0000000005811000-memory.dmp

Filesize
11.4MB

Download
memory/2856-138-0x0000000004CB0000-0x0000000005811000-memory.dmp

Filesize
11.4MB

Download
memory/3380-172-0x0000000000000000-mapping.dmp

Download
memory/3612-137-0x0000000000400000-0x00000000028BA000-memory.dmp

Filesize
36.7MB

Download
memory/3612-136-0x00000000048A0000-0x00000000049C5000-memory.dmp

Filesize
1.1MB

Download
memory/3612-135-0x00000000047B2000-0x0000000004894000-memory.dmp

Filesize
904KB

Download