9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7

Analysis

max time kernel
131s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exe
Size

1.0MB
MD5

be0a43bf4b9676686ecaaef74015bf60
SHA1

03449f9f7532f7d69890717d9e39bada9170a72b
SHA256

9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7
SHA512

8af63dab5f4164ec8a5f946b53b4b14e1b268caaf6f5df9724add30c1dd030e9b9944794e3e3fe8bd10961b07332703fe51e3eed18b4067d0a239fae3934dd2e
SSDEEP

24576:xPFsSP/HfxreDSs/NaGCvYJq6FB7zGP0UsGgSaA:xtxP/HjyJbg6FB7zGP0H

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

7 5008 rundll32.exe
8 5008 rundll32.exe
44 5008 rundll32.exe
46 5008 rundll32.exe

flow	pid	process
7	5008	rundll32.exe
8	5008	rundll32.exe
44	5008	rundll32.exe
46	5008	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\reviews_sent\Parameters\ServiceDll = "C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\reviews_sent.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\reviews_sent\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

5008 rundll32.exe
3020 svchost.exe
3612 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 5008 set thread context of 3680 5008 rundll32.exe rundll32.exe

description	pid	process	target process
PID 5008 set thread context of 3680	5008	rundll32.exe	rundll32.exe

Drops file in Program Files directory 35 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\reviews_sent.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\freebl3.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tr.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Stamp.aapp	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\sendforsignature.svg	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\share.svg	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforsignature.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\tr.gif	rundll32.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\CollectSignatures.aapp	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1732 632 WerFault.exe 9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exe

pid	pid_target	process	target process
1732	632	WerFault.exe	9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exe

Checks processor information in registry 2 TTPs 60 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AE2744E51DE53C1DD15725F095696170945096D1	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AE2744E51DE53C1DD15725F095696170945096D1\Blob = 030000000100000014000000ae2744e51de53c1dd15725f095696170945096d120000000010000006a02000030820266308201cfa00302010202082bb420e23abd7a79300d06092a864886f70d01010b050030503132303006035504030c294d6963726f736f66742041757468656e7169636f646528746d2920526f6f7420417574686f72697479310d300b060355040a0c044d534654310b3009060355040613025553301e170d3230313132333130323430325a170d3234313132323130323430325a30503132303006035504030c294d6963726f736f66742041757468656e7169636f646528746d2920526f6f7420417574686f72697479310d300b060355040a0c044d534654310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100d5e83955c20051b32d9762ae92b32c2ee2d51f432510b39d99146bd2e58597f076e2733998c35e6c12dbc371db23695672ccb96e90fefe62d43f8726f58e36fa2538ce6cea4b9b4e9c89551bb2fcdc75249f905e2dfca4a7ef71b143c556021bdd3b0a9e430d788d6d34b97fa92976682de3ff671f4b44ced28df1116d4adc210203010001a3493047300f0603551d130101ff040530030101ff30340603551d11042d302b82294d6963726f736f66742041757468656e7169636f646528746d2920526f6f7420417574686f72697479300d06092a864886f70d01010b050003818100350508f03b0412fe62cc9015d8ae639e04f0ec35e367050d2afa166d605a7837ea1642b94fbc73abd910ec8879c41ebc790b34a95c8c2669b495bc07ab3b776654938106ec8edeee971c310b62d68e6376c078dadc463dccbf4e5293ac8a0741e60122da75eca5bfc8984b5edc81aca56b52201f0abce1959bf7823a904ae1a8	rundll32.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

rundll32.exesvchost.exe

pid	process
5008	rundll32.exe
5008	rundll32.exe
5008	rundll32.exe
5008	rundll32.exe
3020	svchost.exe
3020	svchost.exe
5008	rundll32.exe
5008	rundll32.exe
5008	rundll32.exe
5008	rundll32.exe
5008	rundll32.exe
5008	rundll32.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 5008 rundll32.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3680 rundll32.exe
5008 rundll32.exe
5008 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	5008	rundll32.exe

pid	process
3680	rundll32.exe
5008	rundll32.exe
5008	rundll32.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exerundll32.exesvchost.exe

description	pid	process	target process
PID 632 wrote to memory of 5008	632	9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exe	rundll32.exe
PID 632 wrote to memory of 5008	632	9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exe	rundll32.exe
PID 632 wrote to memory of 5008	632	9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exe	rundll32.exe
PID 5008 wrote to memory of 3680	5008	rundll32.exe	rundll32.exe
PID 5008 wrote to memory of 3680	5008	rundll32.exe	rundll32.exe
PID 5008 wrote to memory of 3680	5008	rundll32.exe	rundll32.exe
PID 5008 wrote to memory of 4388	5008	rundll32.exe	schtasks.exe
PID 5008 wrote to memory of 4388	5008	rundll32.exe	schtasks.exe
PID 5008 wrote to memory of 4388	5008	rundll32.exe	schtasks.exe
PID 5008 wrote to memory of 3308	5008	rundll32.exe	schtasks.exe
PID 5008 wrote to memory of 3308	5008	rundll32.exe	schtasks.exe
PID 5008 wrote to memory of 3308	5008	rundll32.exe	schtasks.exe
PID 3020 wrote to memory of 3612	3020	svchost.exe	rundll32.exe
PID 3020 wrote to memory of 3612	3020	svchost.exe	rundll32.exe
PID 3020 wrote to memory of 3612	3020	svchost.exe	rundll32.exe
PID 5008 wrote to memory of 3616	5008	rundll32.exe	schtasks.exe
PID 5008 wrote to memory of 3616	5008	rundll32.exe	schtasks.exe
PID 5008 wrote to memory of 3616	5008	rundll32.exe	schtasks.exe
PID 5008 wrote to memory of 5116	5008	rundll32.exe	schtasks.exe
PID 5008 wrote to memory of 5116	5008	rundll32.exe	schtasks.exe
PID 5008 wrote to memory of 5116	5008	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exe
"C:\Users\Admin\AppData\Local\Temp\9216526157ed184c1f035f8f7b487bc6561eb4542b85531f94f60b2fe09349c7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp",Rrptfe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:5008

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14218
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3680

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4388

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3308

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3616

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5116

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4240

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 528
2⤵
- Program crash
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 632 -ip 632
1⤵
PID:1312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2656

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\reference assemblies\microsoft\reviews_sent.dll",jE89Sg==
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\reviews_sent.dll
Filesize
774KB

MD5
e3002d9c74feb9cb55d69c9c83f06a9d

SHA1
27eaadd05428c12e86dca7c62b5eb6a6ef89cea8

SHA256
b209bfe87e49231e87db58fb3570a9fe5818633f77eb68c4a6e45f870f99d61c

SHA512
a822a14a612903a9ecc75831c34a6616718d0df1f68f8eb1750aedd974fcdfe8b60d4e5457ebf005a300c377634ee3224efb7c0de452e59c15bd29f5e9fd8583

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\reviews_sent.dll
Filesize
774KB

MD5
e3002d9c74feb9cb55d69c9c83f06a9d

SHA1
27eaadd05428c12e86dca7c62b5eb6a6ef89cea8

SHA256
b209bfe87e49231e87db58fb3570a9fe5818633f77eb68c4a6e45f870f99d61c

SHA512
a822a14a612903a9ecc75831c34a6616718d0df1f68f8eb1750aedd974fcdfe8b60d4e5457ebf005a300c377634ee3224efb7c0de452e59c15bd29f5e9fd8583

Download Submit
C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe.xml
Filesize
849B

MD5
cff245d69fe04eec05ce3601d77467b6

SHA1
d09b1d953eea98ef0b0fcec5936fc806940f7717

SHA256
40d6a0b80770bf41ddc0a3b3607ac53eb82d0f90675e5a595a18cd3f8bdf3d94

SHA512
4615affbbc7163076cbc82a8e65cd5d168d1411a028b47bddd0ec5219e08037304de1d14ae1fa659909760150edf5401e698c9f6252674eb4e84dec341aa3666

Download Submit
C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
820B

MD5
a8664f5906d9060a0a87bc01e35179bb

SHA1
1bbbc9f10431d2941805907a8a6d4009f4e2938c

SHA256
a8ed53b828f69fb5e6e28eef9a38b5753320aa7a942b4a4c2dbf67705d21e309

SHA512
389a4be3833050f89ea0bc5327514b3d80753eb6a214d4ad58d8c1b22770dcca2cdf099d4563db98e3d3f9530474b147e49cbed4b5b3e3a9e315a797f056049f

Download Submit
C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\Microsoft.LockApp_10.0.19041.1023_neutral__cw5n1h2txyewy.xml
Filesize
2KB

MD5
2ff808c347a1bd28f3df3bc8873d73d6

SHA1
afc3b29446a1e5ea641db1c5f1521b2f5c814581

SHA256
6d6bb6749a28b69f42fede441d1c84dbff9c3f69938e637eee4fc260d0c92301

SHA512
33c2861f5b1f0b87be1f7a5d59313d5977d284ba70a126541f2daed6297ac35cf11c4f43107148f05da7e4748f49b3e99335d4c2164ba04e0a4f17830afd1706

Download Submit
C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\Tuririiowh.tmp
Filesize
3.5MB

MD5
6daaefe0c11dc82bcff09e780c921ba5

SHA1
ec01ba578b3a965f7f64787f9c719babd7c4829f

SHA256
2e662f0a9b8d309c2d20e191803905fa02b48e140b91c063fd2a60480dd66b22

SHA512
0d465f8fdb45a4f2280913f6c3f34a4ae1e2841c1b81f0b782d5dfba5e4aea0b34bc262fac4cbd22ce3d52d3cde8d125593cae13ee490667ae6784977737f7a3

Download Submit
C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\device.png
Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\ProgramData\{089124D9-86A1-7079-846D-B6413FD76F79}\guest.png
Filesize
5KB

MD5
d7ee4543371744836d520e0ce24a9ee6

SHA1
a6cda6aac3e480b269b9da2bd616bdb4d6fa87f0

SHA256
98817a572430813ca4ca2787dab20573f7864c5168ac6912f34d14b49e7bd7c9

SHA512
e15b6a50d9d498918a81488bf8d60860027f9a38f4d87e239f1c6e9d20fe4938e75861dad35c69e4087370c18b2cd5b482ab6ca694dfe205d053f1d303d17808

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp
Filesize
774KB

MD5
d5e88f35e214f2dff51a7d494316bac2

SHA1
6306dfa71c4e32dede210631cf90732693c0afcf

SHA256
f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4

SHA512
ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp
Filesize
774KB

MD5
d5e88f35e214f2dff51a7d494316bac2

SHA1
6306dfa71c4e32dede210631cf90732693c0afcf

SHA256
f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4

SHA512
ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d

Download Submit
\??\c:\program files (x86)\reference assemblies\microsoft\reviews_sent.dll
Filesize
774KB

MD5
e3002d9c74feb9cb55d69c9c83f06a9d

SHA1
27eaadd05428c12e86dca7c62b5eb6a6ef89cea8

SHA256
b209bfe87e49231e87db58fb3570a9fe5818633f77eb68c4a6e45f870f99d61c

SHA512
a822a14a612903a9ecc75831c34a6616718d0df1f68f8eb1750aedd974fcdfe8b60d4e5457ebf005a300c377634ee3224efb7c0de452e59c15bd29f5e9fd8583

Download Submit
memory/632-138-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download
memory/632-132-0x00000000024CA000-0x00000000025AC000-memory.dmp

Filesize
904KB

Download
memory/632-134-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download
memory/632-133-0x0000000002620000-0x0000000002745000-memory.dmp

Filesize
1.1MB

Download
memory/3020-158-0x0000000003C00000-0x0000000004761000-memory.dmp

Filesize
11.4MB

Download
memory/3020-166-0x0000000003C00000-0x0000000004761000-memory.dmp

Filesize
11.4MB

Download
memory/3020-173-0x0000000003C00000-0x0000000004761000-memory.dmp

Filesize
11.4MB

Download
memory/3308-154-0x0000000000000000-mapping.dmp

Download
memory/3612-164-0x0000000000000000-mapping.dmp

Download
memory/3612-168-0x0000000005200000-0x0000000005D61000-memory.dmp

Filesize
11.4MB

Download
memory/3612-169-0x0000000005200000-0x0000000005D61000-memory.dmp

Filesize
11.4MB

Download
memory/3616-167-0x0000000000000000-mapping.dmp

Download
memory/3680-151-0x0000020852DB0000-0x0000020853054000-memory.dmp

Filesize
2.6MB

Download
memory/3680-150-0x00000000008A0000-0x0000000000B32000-memory.dmp

Filesize
2.6MB

Download
memory/3680-149-0x0000020854670000-0x00000208547B0000-memory.dmp

Filesize
1.2MB

Download
memory/3680-148-0x0000020854670000-0x00000208547B0000-memory.dmp

Filesize
1.2MB

Download
memory/3680-147-0x00007FF69F7E6890-mapping.dmp

Download
memory/3936-172-0x0000000000000000-mapping.dmp

Download
memory/4240-171-0x0000000000000000-mapping.dmp

Download
memory/4388-152-0x0000000000000000-mapping.dmp

Download
memory/5008-153-0x0000000005620000-0x0000000006181000-memory.dmp

Filesize
11.4MB

Download
memory/5008-146-0x0000000004C80000-0x0000000004DC0000-memory.dmp

Filesize
1.2MB

Download
memory/5008-145-0x0000000004C80000-0x0000000004DC0000-memory.dmp

Filesize
1.2MB

Download
memory/5008-144-0x0000000004C80000-0x0000000004DC0000-memory.dmp

Filesize
1.2MB

Download
memory/5008-143-0x0000000004C80000-0x0000000004DC0000-memory.dmp

Filesize
1.2MB

Download
memory/5008-141-0x0000000004C80000-0x0000000004DC0000-memory.dmp

Filesize
1.2MB

Download
memory/5008-142-0x0000000004C80000-0x0000000004DC0000-memory.dmp

Filesize
1.2MB

Download
memory/5008-140-0x0000000005620000-0x0000000006181000-memory.dmp

Filesize
11.4MB

Download
memory/5008-139-0x0000000005620000-0x0000000006181000-memory.dmp

Filesize
11.4MB

Download
memory/5008-135-0x0000000000000000-mapping.dmp

Download
memory/5116-170-0x0000000000000000-mapping.dmp

Download