Analysis
- max time kernel: 131s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 10:21
Static task: static1
Behavioral task: behavioral1
Sample: 9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exe
Resource: win10v2004-20220901-en
General
- Target: 9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exe
- Size: 1.0MB
- MD5: be0a43bf4b9676686ecaaef74015bf60
- SHA1: 03449f9f7532f7d69890717d9e39bada9170a72b
- SHA256: 9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7
- SHA512: 8af63dab5f4164ec8a5f946b53b4b14e1b268caaf6f5df9724add30c1dd030e9b9944794e3e3fe8bd10961b07332703fe51e3eed18b4067d0a239fae3934dd2e
- SSDEEP: 24576:xPFsSP/HfxreDSs/NaGCvYJq6FB7zGP0UsGgSaA:xtxP/HjyJbg6FB7zGP0H
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes: rundll32.exe
  flow  pid   process
  7     5008  rundll32.exe
  8     5008  rundll32.exe
  44    5008  rundll32.exe
  46    5008  rundll32.exe
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
Processes: rundll32.exe
  description      ioc                                                                                                                                                  process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\reviews_sent\Parameters\ServiceDll = "C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\reviews_sent.dll"  rundll32.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes: rundll32.exe
  description      ioc                                                                                                              process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\reviews_sent\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"  rundll32.exe
-
Loads dropped DLL 3 IoCs
Processes: rundll32.exe, svchost.exe, rundll32.exe
  pid   process
  5008  rundll32.exe
  3020  svchost.exe
  3612  rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes: rundll32.exe
  description  ioc                                                                                                                              process
  Key opened   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  rundll32.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes: rundll32.exe
  description  ioc                                                                                                                                                                                      process
  Key opened   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook                                      rundll32.exe
  Key opened   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                      rundll32.exe
  Key opened   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   rundll32.exe
  Key opened   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                      rundll32.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: rundll32.exe
  description                          pid   process       target process
  PID 5008 set thread context of 3680  5008  rundll32.exe  rundll32.exe
-
Drops file in Program Files directory 35 IoCs
Processes: rundll32.exe
  description                   ioc                                                                                                                          process
  File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe.sig                                                                             rundll32.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll                                                           rundll32.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\browser\features\[email protected]                                                           rundll32.exe
  File created                  C:\Program Files (x86)\Reference Assemblies\Microsoft\reviews_sent.dll                                                       rundll32.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\ca.txt                                                                                           rundll32.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\ext.txt                                                                                          rundll32.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe                                                                                 rundll32.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\browser\features\[email protected]                                                           rundll32.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\freebl3.dll                                                                                 rundll32.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf                                                                    rundll32.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tr.gif                                                         rundll32.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp                                     rundll32.exe
  File created                  C:\Program Files (x86)\Reference Assemblies\Microsoft\Stamp.aapp                                                             rundll32.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png                                               rundll32.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp                                                 rundll32.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll                                                         rundll32.exe
  File created                  C:\Program Files (x86)\Reference Assemblies\Microsoft\sendforsignature.svg                                                   rundll32.exe
  File opened for modification  C:\Program Files\7-Zip\7-zip.chm                                                                                             rundll32.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\cs.txt                                                                                           rundll32.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\dependentlibs.list                                                                          rundll32.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll                                                     rundll32.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll                                                              rundll32.exe
  File created                  C:\Program Files (x86)\Reference Assemblies\Microsoft\share.svg                                                              rundll32.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\az.txt                                                                                           rundll32.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\es.txt                                                                                           rundll32.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js                                                              rundll32.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\browser\features\[email protected]                                                           rundll32.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll                                                         rundll32.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll                                                           rundll32.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\en.ttt                                                                                           rundll32.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforsignature.svg   rundll32.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg              rundll32.exe
  File created                  C:\Program Files (x86)\Reference Assemblies\Microsoft\tr.gif                                                                 rundll32.exe
  File created                  C:\Program Files (x86)\Reference Assemblies\Microsoft\CollectSignatures.aapp                                                 rundll32.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll                                                              rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
  pid   pid_target  process       target process
  1732  632         WerFault.exe  9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exe
-
Checks processor information in registry 2 TTPs 60 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe, rundll32.exe, rundll32.exe
  description           ioc                                                                                     process
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                     svchost.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status            svchost.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString      svchost.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                          rundll32.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                          rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision          rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet               rundll32.exe
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                          svchost.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data       svchost.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                            rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier               rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier               rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier               svchost.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status            svchost.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information    rundll32.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                            rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                            svchost.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 svchost.exe
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                          rundll32.exe
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                          rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier               rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information    rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision          rundll32.exe
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                          svchost.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information    svchost.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet               svchost.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                     rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data       svchost.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information    svchost.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier         rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data       rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information    rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status            rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet               rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString      rundll32.exe
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                          rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                     rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString      rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier         rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision          svchost.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet               svchost.exe
  Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                            rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data       rundll32.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                          rundll32.exe
  Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                            rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet               rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data       rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier               rundll32.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                          svchost.exe
  Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                            svchost.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                          svchost.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier         rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status            rundll32.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                          rundll32.exe
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                          rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status            rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data       rundll32.exe
-
Modifies registry class 5 IoCs
Processes: rundll32.exe
  description       ioc                                                                                                                                          process
  Set value (data)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots            rundll32.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings                                                             rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell                            rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU                     rundll32.exe
-
Modifies system certificate store
Processes: rundll32.exe
  description       ioc                                                                                                                            process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AE2744E51DE53C1DD15725F095696170945096D1               rundll32.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AE2744E51DE53C1DD15725F095696170945096D1\Blob = [certificate blob elided from this copy of the report]  rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes: rundll32.exe, svchost.exe
  pid   process
  5008  rundll32.exe
  5008  rundll32.exe
  5008  rundll32.exe
  5008  rundll32.exe
  3020  svchost.exe
  3020  svchost.exe
  5008  rundll32.exe
  5008  rundll32.exe
  5008  rundll32.exe
  5008  rundll32.exe
  5008  rundll32.exe
  5008  rundll32.exe
  3020  svchost.exe
  3020  svchost.exe
  3020  svchost.exe
  3020  svchost.exe
  3020  svchost.exe
  3020  svchost.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: rundll32.exe
  description              pid   process
  Token: SeDebugPrivilege  5008  rundll32.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: rundll32.exe, rundll32.exe
  pid   process
  3680  rundll32.exe
  5008  rundll32.exe
  5008  rundll32.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes: 9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exe, rundll32.exe, svchost.exe
  description                     pid   process                                                                   target process
  PID 632 wrote to memory of 5008  632   9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exe  rundll32.exe
  PID 632 wrote to memory of 5008  632   9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exe  rundll32.exe
  PID 632 wrote to memory of 5008  632   9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exe  rundll32.exe
  PID 5008 wrote to memory of 3680 5008  rundll32.exe                                                              rundll32.exe
  PID 5008 wrote to memory of 3680 5008  rundll32.exe                                                              rundll32.exe
  PID 5008 wrote to memory of 3680 5008  rundll32.exe                                                              rundll32.exe
  PID 5008 wrote to memory of 4388 5008  rundll32.exe                                                              schtasks.exe
  PID 5008 wrote to memory of 4388 5008  rundll32.exe                                                              schtasks.exe
  PID 5008 wrote to memory of 4388 5008  rundll32.exe                                                              schtasks.exe
  PID 5008 wrote to memory of 3308 5008  rundll32.exe                                                              schtasks.exe
  PID 5008 wrote to memory of 3308 5008  rundll32.exe                                                              schtasks.exe
  PID 5008 wrote to memory of 3308 5008  rundll32.exe                                                              schtasks.exe
  PID 3020 wrote to memory of 3612 3020  svchost.exe                                                               rundll32.exe
  PID 3020 wrote to memory of 3612 3020  svchost.exe                                                               rundll32.exe
  PID 3020 wrote to memory of 3612 3020  svchost.exe                                                               rundll32.exe
  PID 5008 wrote to memory of 3616 5008  rundll32.exe                                                              schtasks.exe
  PID 5008 wrote to memory of 3616 5008  rundll32.exe                                                              schtasks.exe
  PID 5008 wrote to memory of 3616 5008  rundll32.exe                                                              schtasks.exe
  PID 5008 wrote to memory of 5116 5008  rundll32.exe                                                              schtasks.exe
  PID 5008 wrote to memory of 5116 5008  rundll32.exe                                                              schtasks.exe
  PID 5008 wrote to memory of 5116 5008  rundll32.exe                                                              schtasks.exe
-
outlook_office_path 1 IoCs
Processes: rundll32.exe
  description  ioc                                                                                                                                                   process
  Key opened   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   rundll32.exe
-
outlook_win_path 1 IoCs
Processes: rundll32.exe
  description  ioc                                                                                                                                                                                     process
  Key opened   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exe"
  PID: 632
  Signatures:
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp",Rrptfe
    PID: 5008
    Signatures:
    - Blocklisted process makes network request
    - Sets DLL path for service in the registry
    - Sets service image path in registry
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    Children:
    - C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14218
      PID: 3680
      Signatures:
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 4388
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 3308
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 3616
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 5116
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 4240
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 3936
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 528
    PID: 1732
    Signatures:
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 632 -ip 632
  PID: 1312
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2656
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  PID: 3020
  Signatures:
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\reference assemblies\microsoft\reviews_sent.dll",jE89Sg==
    PID: 3612
    Signatures:
    - Loads dropped DLL
    - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\Reference Assemblies\Microsoft\reviews_sent.dll
  Filesize: 774KB
  MD5: e3002d9c74feb9cb55d69c9c83f06a9d
  SHA1: 27eaadd05428c12e86dca7c62b5eb6a6ef89cea8
  SHA256: b209bfe87e49231e87db58fb3570a9fe5818633f77eb68c4a6e45f870f99d61c
  SHA512: a822a14a612903a9ecc75831c34a6616718d0df1f68f8eb1750aedd974fcdfe8b60d4e5457ebf005a300c377634ee3224efb7c0de452e59c15bd29f5e9fd8583
- C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe.xml
  Filesize: 849B
  MD5: cff245d69fe04eec05ce3601d77467b6
  SHA1: d09b1d953eea98ef0b0fcec5936fc806940f7717
  SHA256: 40d6a0b80770bf41ddc0a3b3607ac53eb82d0f90675e5a595a18cd3f8bdf3d94
  SHA512: 4615affbbc7163076cbc82a8e65cd5d168d1411a028b47bddd0ec5219e08037304de1d14ae1fa659909760150edf5401e698c9f6252674eb4e84dec341aa3666
- C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
  Filesize: 820B
  MD5: a8664f5906d9060a0a87bc01e35179bb
  SHA1: 1bbbc9f10431d2941805907a8a6d4009f4e2938c
  SHA256: a8ed53b828f69fb5e6e28eef9a38b5753320aa7a942b4a4c2dbf67705d21e309
  SHA512: 389a4be3833050f89ea0bc5327514b3d80753eb6a214d4ad58d8c1b22770dcca2cdf099d4563db98e3d3f9530474b147e49cbed4b5b3e3a9e315a797f056049f
- C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\Microsoft.LockApp_10.0.19041.1023_neutral__cw5n1h2txyewy.xml
  Filesize: 2KB
  MD5: 2ff808c347a1bd28f3df3bc8873d73d6
  SHA1: afc3b29446a1e5ea641db1c5f1521b2f5c814581
  SHA256: 6d6bb6749a28b69f42fede441d1c84dbff9c3f69938e637eee4fc260d0c92301
  SHA512: 33c2861f5b1f0b87be1f7a5d59313d5977d284ba70a126541f2daed6297ac35cf11c4f43107148f05da7e4748f49b3e99335d4c2164ba04e0a4f17830afd1706
- C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\Tuririiowh.tmp
  Filesize: 3.5MB
  MD5: 6daaefe0c11dc82bcff09e780c921ba5
  SHA1: ec01ba578b3a965f7f64787f9c719babd7c4829f
  SHA256: 2e662f0a9b8d309c2d20e191803905fa02b48e140b91c063fd2a60480dd66b22
  SHA512: 0d465f8fdb45a4f2280913f6c3f34a4ae1e2841c1b81f0b782d5dfba5e4aea0b34bc262fac4cbd22ce3d52d3cde8d125593cae13ee490667ae6784977737f7a3
- C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\device.png
  Filesize: 43KB
  MD5: 7051c15362866f6411ff4906403f2c54
  SHA1: 768b062b336675ff9a2b9fcff0ce1057234a5399
  SHA256: 609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a
  SHA512: 5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08
- C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\guest.png
  Filesize: 5KB
  MD5: d7ee4543371744836d520e0ce24a9ee6
  SHA1: a6cda6aac3e480b269b9da2bd616bdb4d6fa87f0
  SHA256: 98817a572430813ca4ca2787dab20573f7864c5168ac6912f34d14b49e7bd7c9
  SHA512: e15b6a50d9d498918a81488bf8d60860027f9a38f4d87e239f1c6e9d20fe4938e75861dad35c69e4087370c18b2cd5b482ab6ca694dfe205d053f1d303d17808
- C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp
  Filesize: 774KB
  MD5: d5e88f35e214f2dff51a7d494316bac2
  SHA1: 6306dfa71c4e32dede210631cf90732693c0afcf
  SHA256: f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4
  SHA512: ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d
- \??\c:\program files (x86)\reference assemblies\microsoft\reviews_sent.dll
  Filesize: 774KB
  MD5: e3002d9c74feb9cb55d69c9c83f06a9d
  SHA1: 27eaadd05428c12e86dca7c62b5eb6a6ef89cea8
  SHA256: b209bfe87e49231e87db58fb3570a9fe5818633f77eb68c4a6e45f870f99d61c
  SHA512: a822a14a612903a9ecc75831c34a6616718d0df1f68f8eb1750aedd974fcdfe8b60d4e5457ebf005a300c377634ee3224efb7c0de452e59c15bd29f5e9fd8583
- memory/632-138-0x0000000000400000-0x000000000071E000-memory.dmp (Filesize: 3.1MB)
- memory/632-132-0x00000000024CA000-0x00000000025AC000-memory.dmp (Filesize: 904KB)
- memory/632-134-0x0000000000400000-0x000000000071E000-memory.dmp (Filesize: 3.1MB)
- memory/632-133-0x0000000002620000-0x0000000002745000-memory.dmp (Filesize: 1.1MB)
- memory/3020-158-0x0000000003C00000-0x0000000004761000-memory.dmp (Filesize: 11.4MB)
- memory/3020-166-0x0000000003C00000-0x0000000004761000-memory.dmp (Filesize: 11.4MB)
- memory/3020-173-0x0000000003C00000-0x0000000004761000-memory.dmp (Filesize: 11.4MB)
- memory/3308-154-0x0000000000000000-mapping.dmp
- memory/3612-164-0x0000000000000000-mapping.dmp
- memory/3612-168-0x0000000005200000-0x0000000005D61000-memory.dmp (Filesize: 11.4MB)
- memory/3612-169-0x0000000005200000-0x0000000005D61000-memory.dmp (Filesize: 11.4MB)
- memory/3616-167-0x0000000000000000-mapping.dmp
- memory/3680-151-0x0000020852DB0000-0x0000020853054000-memory.dmp (Filesize: 2.6MB)
- memory/3680-150-0x00000000008A0000-0x0000000000B32000-memory.dmp (Filesize: 2.6MB)
- memory/3680-149-0x0000020854670000-0x00000208547B0000-memory.dmp (Filesize: 1.2MB)
- memory/3680-148-0x0000020854670000-0x00000208547B0000-memory.dmp (Filesize: 1.2MB)
- memory/3680-147-0x00007FF69F7E6890-mapping.dmp
- memory/3936-172-0x0000000000000000-mapping.dmp
- memory/4240-171-0x0000000000000000-mapping.dmp
- memory/4388-152-0x0000000000000000-mapping.dmp
- memory/5008-153-0x0000000005620000-0x0000000006181000-memory.dmp (Filesize: 11.4MB)
- memory/5008-146-0x0000000004C80000-0x0000000004DC0000-memory.dmp (Filesize: 1.2MB)
- memory/5008-145-0x0000000004C80000-0x0000000004DC0000-memory.dmp (Filesize: 1.2MB)
- memory/5008-144-0x0000000004C80000-0x0000000004DC0000-memory.dmp (Filesize: 1.2MB)
- memory/5008-143-0x0000000004C80000-0x0000000004DC0000-memory.dmp (Filesize: 1.2MB)
- memory/5008-141-0x0000000004C80000-0x0000000004DC0000-memory.dmp (Filesize: 1.2MB)
- memory/5008-142-0x0000000004C80000-0x0000000004DC0000-memory.dmp (Filesize: 1.2MB)
- memory/5008-140-0x0000000005620000-0x0000000006181000-memory.dmp (Filesize: 11.4MB)
- memory/5008-139-0x0000000005620000-0x0000000006181000-memory.dmp (Filesize: 11.4MB)
- memory/5008-135-0x0000000000000000-mapping.dmp
- memory/5116-170-0x0000000000000000-mapping.dmp