Analysis
max time kernel: 178s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 10:22
Static task: static1
Behavioral task: behavioral1
Sample: 37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exe
Resource: win10v2004-20220812-en
General
Target: 37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exe
Size: 976KB
MD5: 1dbe7af461980ec02bbae04c1b13674d
SHA1: a7baf5550dec8aa37b2f4943721bc50e899f9a43
SHA256: 37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac
SHA512: 84a520621fb9dd67ab70bf5b6e56bc0ce6996c7acfe0bbc192f16dbeae3074668e53523c6afa2acef959a73c8cb62567864190d6bde15a6121325fb86ac1d2c2
SSDEEP: 24576:k3zQmVBd6rxValk+zItGUKP/T91448JLz1j:k3hPYKOUPrj785J
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes: rundll32.exe
flow  pid   process
14    4812  rundll32.exe
16    4812  rundll32.exe
46    4812  rundll32.exe
50    4812  rundll32.exe
-
Sets DLL path for service in the registry 2 TTPs 2 IoCs
Processes: rundll32.exe
description      ioc                                                                                                                                                              process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\submission_history\Parameters\ServiceDll = "C:\\Program Files (x86)\\MSBuild\\Microsoft\\submission_history.dll"  rundll32.exe
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\submission_history\Parameters\ServiceDll = "C:\\Program Files (x86)\\MSBuild\\Microsoft\\submission_history.dll"  rundll32.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes: rundll32.exe
description      ioc                                                                                                                              process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\submission_history\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"  rundll32.exe
-
Loads dropped DLL 3 IoCs
Processes: rundll32.exe, svchost.exe, rundll32.exe
pid   process
4812  rundll32.exe
3280  svchost.exe
1168  rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes: rundll32.exe
description  ioc                                                                                                                            process
Key opened   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  rundll32.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes: rundll32.exe
description  ioc                                                                                                                                                                            process
Key opened   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                          rundll32.exe
Key opened   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook                          rundll32.exe
Key opened   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                          rundll32.exe
Key opened   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rundll32.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: rundll32.exe
description                          pid   process       target process
PID 4812 set thread context of 1688  4812  rundll32.exe  rundll32.exe
-
Drops file in Program Files directory 46 IoCs
Processes: rundll32.exe (process column is rundll32.exe for every entry)
description                   ioc
File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ViewerPS.dll
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api
File created                  C:\Program Files (x86)\MSBuild\Microsoft\init.js
File opened for modification  C:\Program Files\7-Zip\Lang\az.txt
File opened for modification  C:\Program Files\7-Zip\Lang\cs.txt
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU
File created                  C:\Program Files (x86)\MSBuild\Microsoft\stopwords.ENU
File created                  C:\Program Files (x86)\MSBuild\Microsoft\aic_file_icons.png
File created                  C:\Program Files (x86)\MSBuild\Microsoft\Close2x.png
File created                  C:\Program Files (x86)\MSBuild\Microsoft\review_same_reviewers.gif
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close2x.png
File created                  C:\Program Files (x86)\MSBuild\Microsoft\submission_history.dll
File opened for modification  C:\Program Files\7-Zip\Lang\cy.txt
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif
File opened for modification  C:\Program Files\7-Zip\Lang\eo.txt
File opened for modification  C:\Program Files\Mozilla Firefox\AccessibleHandler.dll
File opened for modification  C:\Program Files\Mozilla Firefox\browser\features\[email protected]
File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif
File opened for modification  C:\Program Files\7-Zip\Lang\ast.txt
File opened for modification  C:\Program Files\7-Zip\Lang\fur.txt
File created                  C:\Program Files (x86)\MSBuild\Microsoft\Words.pdf
File created                  C:\Program Files (x86)\MSBuild\Microsoft\AiodLite.dll
File created                  C:\Program Files (x86)\MSBuild\Microsoft\Checkers.api
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\editpdf.svg
File created                  C:\Program Files (x86)\MSBuild\Microsoft\ViewerPS.dll
File created                  C:\Program Files (x86)\MSBuild\Microsoft\rss.gif
File created                  C:\Program Files (x86)\MSBuild\Microsoft\aic_file_icons_highcontrast.png
File opened for modification  C:\Program Files\7-Zip\Lang\da.txt
File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif
File created                  C:\Program Files (x86)\MSBuild\Microsoft\editpdf.svg
File created                  C:\Program Files (x86)\MSBuild\Microsoft\review_browser.gif
File opened for modification  C:\Program Files\7-Zip\Lang\fr.txt
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png
File created                  C:\Program Files (x86)\MSBuild\Microsoft\DropboxStorage.api
File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll
File opened for modification  C:\Program Files\7-Zip\Lang\ext.txt
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid   pid_target  process       target process
4780  4476        WerFault.exe  37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exe
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: rundll32.exe, svchost.exe
Modifies registry class 5 IoCs
Processes: rundll32.exe
description       ioc                                                                                                                                          process
Set value (data)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots              rundll32.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  rundll32.exe
Key created       \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings                                                          rundll32.exe
Key created       \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell                         rundll32.exe
Key created       \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU                  rundll32.exe
-
Modifies system certificate store
Processes: rundll32.exe
description       ioc                                                                                                                   process
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8CC38E0063D5C9DEFF109B119346705099ECCF69\Blob = <blob elided>  rundll32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8CC38E0063D5C9DEFF109B119346705099ECCF69                        rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes: svchost.exe, rundll32.exe
pid   process
3280  svchost.exe
3280  svchost.exe
4812  rundll32.exe
4812  rundll32.exe
4812  rundll32.exe
4812  rundll32.exe
4812  rundll32.exe
4812  rundll32.exe
4812  rundll32.exe
4812  rundll32.exe
3280  svchost.exe
3280  svchost.exe
3280  svchost.exe
3280  svchost.exe
3280  svchost.exe
3280  svchost.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: rundll32.exe
description              pid   process
Token: SeDebugPrivilege  4812  rundll32.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: rundll32.exe, rundll32.exe
pid   process
1688  rundll32.exe
4812  rundll32.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes: 37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exe, rundll32.exe, svchost.exe
description                      pid   process                                                                target process
PID 4476 wrote to memory of 4812  4476  37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exe  rundll32.exe
PID 4476 wrote to memory of 4812  4476  37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exe  rundll32.exe
PID 4476 wrote to memory of 4812  4476  37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exe  rundll32.exe
PID 4812 wrote to memory of 1688  4812  rundll32.exe                                                           rundll32.exe
PID 4812 wrote to memory of 1688  4812  rundll32.exe                                                           rundll32.exe
PID 4812 wrote to memory of 1688  4812  rundll32.exe                                                           rundll32.exe
PID 3280 wrote to memory of 1168  3280  svchost.exe                                                            rundll32.exe
PID 3280 wrote to memory of 1168  3280  svchost.exe                                                            rundll32.exe
PID 3280 wrote to memory of 1168  3280  svchost.exe                                                            rundll32.exe
PID 4812 wrote to memory of 1704  4812  rundll32.exe                                                           schtasks.exe
PID 4812 wrote to memory of 1704  4812  rundll32.exe                                                           schtasks.exe
PID 4812 wrote to memory of 1704  4812  rundll32.exe                                                           schtasks.exe
PID 4812 wrote to memory of 2676  4812  rundll32.exe                                                           schtasks.exe
PID 4812 wrote to memory of 2676  4812  rundll32.exe                                                           schtasks.exe
PID 4812 wrote to memory of 2676  4812  rundll32.exe                                                           schtasks.exe
-
outlook_office_path 1 IoCs
Processes: rundll32.exe
description  ioc                                                                                                                                   process
Key opened   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rundll32.exe
-
outlook_win_path 1 IoCs
Processes: rundll32.exe
description  ioc                                                                                                                                                                    process
Key opened   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exe"
  PID: 4476
  Signatures:
    - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Tdryuqayh.tmp",Worhdhqfpryr
    PID: 4812
    Signatures:
      - Blocklisted process makes network request
      - Sets DLL path for service in the registry
      - Sets service image path in registry
      - Loads dropped DLL
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Checks processor information in registry
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
    Child processes:
    - C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20155
      PID: 1688
      Signatures:
        - Modifies registry class
        - Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 1704
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 2676
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 756
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 4884
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 464
    PID: 4780
    Signatures:
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4476 -ip 4476
  PID: 1320
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3484
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  PID: 3280
  Signatures:
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\msbuild\microsoft\submission_history.dll",XVoD
    PID: 1168
    Signatures:
      - Loads dropped DLL
      - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Program Files (x86)\MSBuild\Microsoft\submission_history.dll
Filesize: 767KB
MD5: b7057e0498509d5206a6ea5f6b7878f6
SHA1: 5ead92ad32d0850c77dfe55d8548faca4b02c059
SHA256: 02e8fdda112557050ca3cee6c443e09af4337fe77124b5f9c706c78f299b0af5
SHA512: 3b79372333c6ce9a55a6bae473415359e098ff06091d4bd02e71c7cb40f554c62eebf49693b4793418fd8448ed5c344ecd763365a34a31933a092283a14aa383
-
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\Isduwyyttes.tmp
Filesize: 3.5MB
MD5: 22055ec310512c232be6dbac25607c64
SHA1: 51c5a3160c6dda87eee7105dc15fe2477679047c
SHA256: 04ead305195e02e9cbcf107cb7db5ebf9a01e9451db0d78d108f1f40fbd94865
SHA512: 0116712ecb6c12c854ed41320d855f497a263a91e134b6e59228fb775f9c171d4e52f3ea6967e5d047bc62d68e610c9d87337fbf6c25135fc4824244f5d5df2f
-
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe.xml
Filesize: 2KB
MD5: c8d6f0d26db52746e243b785c269cacd
SHA1: b06dc537fb0bbd424c0bb0c7a5ee0a85839e04f1
SHA256: d3352e34ef1b362934f938a2c2710261ca18c5e5e4922167a73539d945a95e21
SHA512: c674886978f91b35978544ad18ceb54aa7b2d8dfd8d9e0ddb752854ef211539e79a24d553d9a1a91c7e6711743e2bbd70c24611dac063c2d61379cc7f8ef3020
-
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\MicrosoftOffice2013BackupWin32.xml
Filesize: 12KB
MD5: 879dbf8cded6ac59df3fb0f32aa9eec6
SHA1: 844be6baee27e23e5821491fc9532269b1143142
SHA256: 3e0f02c2bd9c695d43963c9085e496ab42e7914bdc05f511d56442883c6c9687
SHA512: 2d3be800531b56ea768c458fbcb2a563df27a2c981b6e0203dd98559eda4772c93588374b12b5a239de64e63f0b922556bcccd68a3ea4ffcbb8e53740a9e65ab
-
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\MicrosoftOutlook2016CAWin64.xml
Filesize: 1KB
MD5: 4b6a6960b925c7bd5b83d8a4196e24e4
SHA1: f1bb8a50ffb8cce0804db90d2e3ecdbbbe3f460b
SHA256: 5f45e2be37f33052a97235462325f5ae32d3713bdaa6eeeea49e92f0e9fc6ed0
SHA512: 21f420212c86df357ad83079876d969bab0d089ac506d3dcfb1cfcb134f118a741491454e79538bf5c8d4d2b2ab1fc14d07d0cc3f263874396bd9546bf3b71b1
-
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
Filesize: 2KB
MD5: b92eea712a8a63a66e21156d66a5fcfc
SHA1: 86f3274afee32518c49307c92b586ca67fbd98ae
SHA256: d6ca1a7c439c5e1d33f71959740e9991c89152ff6f4c429c146d13f40a4b428e
SHA512: 94577d5a1b344af5862e9f0ed430cbae21f4d955604684faf57e236a6aeb03f0340816dc8b4d758f943e24e105d0dce420984b082621f6f57745ba758870464f
-
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\edbres00002.jrs
Filesize: 64KB
MD5: fcd6bcb56c1689fcef28b57c22475bad
SHA1: 1adc95bebe9eea8c112d40cd04ab7a8d75c4f961
SHA256: de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
SHA512: 73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2
-
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\setup.ini
Filesize: 214B
MD5: d8b2e1bfe12db863bdccdd49a5e1c8b5
SHA1: 9c979907f03887b270d4e87b0cdd5377cff3692c
SHA256: 00b5526d5cffb22eb22eb663fd3863c3f287c5bfc951f1d45cdd0cf0b25c2301
SHA512: 3bf15a8620fa2269fb1fc7280bc203d62160f66d0cfcdc6422b0d33ab3745c6be864a8b51728f92b9e63ba3d7b1504ad8448996f14e866102369ea91b3ad7d41
-
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json
Filesize: 121B
MD5: 6a54f657c1dbaa9695f572f9ee021921
SHA1: f0f8b933b907476b37c64032225db701c9e665e6
SHA256: 296f68d7119893842d8b740edb3e0decf9d14eb5f0b62f806846251869cfa46d
SHA512: 5cce6d3f2650201e8f70bfd5f61bc8904ea61a457dd8dde3b255dd52d484084e80d0e163823cceb7238449a5e6589be0b265815c95e49bc6589706ea0167eb54
-
C:\Users\Admin\AppData\Local\Temp\Tdryuqayh.tmp
Filesize: 767KB
MD5: d8ca174a8f3f0c225429e1be1cb6d304
SHA1: 0f2e738b1a35b6072e1d23894468e45fa7dee750
SHA256: 3d63ad175a34e4c89ea6eca4a1161bb5dd514a5e58302707edc03473eb1f656e
SHA512: dbf999a9f0399b3cbf93484f2e665e3beb4de369dacf4678c7b7b3ff06f45c42879c544c2404d85b88fe3aaacf117a1e28ecb68ee7ea2553b736bad03619e527
-
\??\c:\program files (x86)\msbuild\microsoft\submission_history.dll
Filesize: 767KB
MD5: b7057e0498509d5206a6ea5f6b7878f6
SHA1: 5ead92ad32d0850c77dfe55d8548faca4b02c059
SHA256: 02e8fdda112557050ca3cee6c443e09af4337fe77124b5f9c706c78f299b0af5
SHA512: 3b79372333c6ce9a55a6bae473415359e098ff06091d4bd02e71c7cb40f554c62eebf49693b4793418fd8448ed5c344ecd763365a34a31933a092283a14aa383