37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac

Analysis

max time kernel
178s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exe
Size

976KB
MD5

1dbe7af461980ec02bbae04c1b13674d
SHA1

a7baf5550dec8aa37b2f4943721bc50e899f9a43
SHA256

37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac
SHA512

84a520621fb9dd67ab70bf5b6e56bc0ce6996c7acfe0bbc192f16dbeae3074668e53523c6afa2acef959a73c8cb62567864190d6bde15a6121325fb86ac1d2c2
SSDEEP

24576:k3zQmVBd6rxValk+zItGUKP/T91448JLz1j:k3hPYKOUPrj785J

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

14 4812 rundll32.exe
16 4812 rundll32.exe
46 4812 rundll32.exe
50 4812 rundll32.exe

flow	pid	process
14	4812	rundll32.exe
16	4812	rundll32.exe
46	4812	rundll32.exe
50	4812	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\submission_history\Parameters\ServiceDll = "C:\\Program Files (x86)\\MSBuild\\Microsoft\\submission_history.dll㰀"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\submission_history\Parameters\ServiceDll = "C:\\Program Files (x86)\\MSBuild\\Microsoft\\submission_history.dll㸀"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\submission_history\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

4812 rundll32.exe
3280 svchost.exe
1168 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4812	rundll32.exe
3280	svchost.exe
1168	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4812 set thread context of 1688 4812 rundll32.exe rundll32.exe

description	pid	process	target process
PID 4812 set thread context of 1688	4812	rundll32.exe	rundll32.exe

Drops file in Program Files directory 46 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ViewerPS.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\init.js	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\stopwords.ENU	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\aic_file_icons.png	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Close2x.png	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\review_same_reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close2x.png	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\submission_history.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleHandler.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Words.pdf	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\AiodLite.dll	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Checkers.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\editpdf.svg	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\ViewerPS.dll	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\rss.gif	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\aic_file_icons_highcontrast.png	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\editpdf.svg	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\review_browser.gif	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\DropboxStorage.api	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4780 4476 WerFault.exe 37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exe

pid	pid_target	process	target process
4780	4476	WerFault.exe	37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8CC38E0063D5C9DEFF109B119346705099ECCF69\Blob = 0300000001000000140000008cc38e0063d5c9deff109b119346705099eccf6920000000010000004b02000030820247308201b0a003020102020847e9b27f048a46bd300d06092a864886f70d01010b0500304f3115301306035504030c0c4953524720526f647420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b3009060355040613025553301e170d3230313132363131323533355a170d3234313132353131323533355a304f3115301306035504030c0c4953524720526f647420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100cb451ac73ab20758e753b75349af4bf850d4b8a96e094d70d76a71faecdc5f2b99223dc6a90aac52d938bb4596b7cecd6277b94c745b9fae17ddf45b5db8a998bf07ecbb2c768e342769a08e77fd82b0e4576ac61169c12f846a8160dd7a8b05874073464b09715474453a8f6ce66405183d191ae7fa3345ac0895815b4cf28b0203010001a32c302a300f0603551d130101ff040530030101ff30170603551d110410300e820c4953524720526f6474205831300d06092a864886f70d01010b050003818100af0b9d4354b0166ce1f6679d9add7690eebc4667c6139cb930f2611666f0320517ea0ae53ecd26a6fa5079abdd01688bb2255884357b329cb09613b9b12fed5283068b0ed2101f47e336c413bc96f40456a8d87485c4ed4f1c44fa7176eb189e06cd8dd18c369d03d773e3d73a9c8b2220cef315f08634acb7b0b76968b32be0	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8CC38E0063D5C9DEFF109B119346705099ECCF69	rundll32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

svchost.exerundll32.exe

pid	process
3280	svchost.exe
3280	svchost.exe
4812	rundll32.exe
4812	rundll32.exe
4812	rundll32.exe
4812	rundll32.exe
4812	rundll32.exe
4812	rundll32.exe
4812	rundll32.exe
4812	rundll32.exe
3280	svchost.exe
3280	svchost.exe
3280	svchost.exe
3280	svchost.exe
3280	svchost.exe
3280	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 4812 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1688 rundll32.exe
4812 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4812	rundll32.exe

pid	process
1688	rundll32.exe
4812	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exerundll32.exesvchost.exe

description	pid	process	target process
PID 4476 wrote to memory of 4812	4476	37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exe	rundll32.exe
PID 4476 wrote to memory of 4812	4476	37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exe	rundll32.exe
PID 4476 wrote to memory of 4812	4476	37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exe	rundll32.exe
PID 4812 wrote to memory of 1688	4812	rundll32.exe	rundll32.exe
PID 4812 wrote to memory of 1688	4812	rundll32.exe	rundll32.exe
PID 4812 wrote to memory of 1688	4812	rundll32.exe	rundll32.exe
PID 3280 wrote to memory of 1168	3280	svchost.exe	rundll32.exe
PID 3280 wrote to memory of 1168	3280	svchost.exe	rundll32.exe
PID 3280 wrote to memory of 1168	3280	svchost.exe	rundll32.exe
PID 4812 wrote to memory of 1704	4812	rundll32.exe	schtasks.exe
PID 4812 wrote to memory of 1704	4812	rundll32.exe	schtasks.exe
PID 4812 wrote to memory of 1704	4812	rundll32.exe	schtasks.exe
PID 4812 wrote to memory of 2676	4812	rundll32.exe	schtasks.exe
PID 4812 wrote to memory of 2676	4812	rundll32.exe	schtasks.exe
PID 4812 wrote to memory of 2676	4812	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exe
"C:\Users\Admin\AppData\Local\Temp\37df5b1b5483641ab05388424c5182722fc12f2a7b1e06093c06b2759bd291ac.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Tdryuqayh.tmp",Worhdhqfpryr
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4812

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20155
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1688

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1704

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2676

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:756

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 464
2⤵
- Program crash
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4476 -ip 4476
1⤵
PID:1320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3484

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\msbuild\microsoft\submission_history.dll",XVoD
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\submission_history.dll
Filesize
767KB

MD5
b7057e0498509d5206a6ea5f6b7878f6

SHA1
5ead92ad32d0850c77dfe55d8548faca4b02c059

SHA256
02e8fdda112557050ca3cee6c443e09af4337fe77124b5f9c706c78f299b0af5

SHA512
3b79372333c6ce9a55a6bae473415359e098ff06091d4bd02e71c7cb40f554c62eebf49693b4793418fd8448ed5c344ecd763365a34a31933a092283a14aa383

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\submission_history.dll
Filesize
767KB

MD5
b7057e0498509d5206a6ea5f6b7878f6

SHA1
5ead92ad32d0850c77dfe55d8548faca4b02c059

SHA256
02e8fdda112557050ca3cee6c443e09af4337fe77124b5f9c706c78f299b0af5

SHA512
3b79372333c6ce9a55a6bae473415359e098ff06091d4bd02e71c7cb40f554c62eebf49693b4793418fd8448ed5c344ecd763365a34a31933a092283a14aa383

Download Submit
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\Isduwyyttes.tmp
Filesize
3.5MB

MD5
22055ec310512c232be6dbac25607c64

SHA1
51c5a3160c6dda87eee7105dc15fe2477679047c

SHA256
04ead305195e02e9cbcf107cb7db5ebf9a01e9451db0d78d108f1f40fbd94865

SHA512
0116712ecb6c12c854ed41320d855f497a263a91e134b6e59228fb775f9c171d4e52f3ea6967e5d047bc62d68e610c9d87337fbf6c25135fc4824244f5d5df2f

Download Submit
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe.xml
Filesize
2KB

MD5
c8d6f0d26db52746e243b785c269cacd

SHA1
b06dc537fb0bbd424c0bb0c7a5ee0a85839e04f1

SHA256
d3352e34ef1b362934f938a2c2710261ca18c5e5e4922167a73539d945a95e21

SHA512
c674886978f91b35978544ad18ceb54aa7b2d8dfd8d9e0ddb752854ef211539e79a24d553d9a1a91c7e6711743e2bbd70c24611dac063c2d61379cc7f8ef3020

Download Submit
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\MicrosoftOffice2013BackupWin32.xml
Filesize
12KB

MD5
879dbf8cded6ac59df3fb0f32aa9eec6

SHA1
844be6baee27e23e5821491fc9532269b1143142

SHA256
3e0f02c2bd9c695d43963c9085e496ab42e7914bdc05f511d56442883c6c9687

SHA512
2d3be800531b56ea768c458fbcb2a563df27a2c981b6e0203dd98559eda4772c93588374b12b5a239de64e63f0b922556bcccd68a3ea4ffcbb8e53740a9e65ab

Download Submit
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\MicrosoftOutlook2016CAWin64.xml
Filesize
1KB

MD5
4b6a6960b925c7bd5b83d8a4196e24e4

SHA1
f1bb8a50ffb8cce0804db90d2e3ecdbbbe3f460b

SHA256
5f45e2be37f33052a97235462325f5ae32d3713bdaa6eeeea49e92f0e9fc6ed0

SHA512
21f420212c86df357ad83079876d969bab0d089ac506d3dcfb1cfcb134f118a741491454e79538bf5c8d4d2b2ab1fc14d07d0cc3f263874396bd9546bf3b71b1

Download Submit
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
Filesize
2KB

MD5
b92eea712a8a63a66e21156d66a5fcfc

SHA1
86f3274afee32518c49307c92b586ca67fbd98ae

SHA256
d6ca1a7c439c5e1d33f71959740e9991c89152ff6f4c429c146d13f40a4b428e

SHA512
94577d5a1b344af5862e9f0ed430cbae21f4d955604684faf57e236a6aeb03f0340816dc8b4d758f943e24e105d0dce420984b082621f6f57745ba758870464f

Download Submit
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\edbres00002.jrs
Filesize
64KB

MD5
fcd6bcb56c1689fcef28b57c22475bad

SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Download Submit
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\setup.ini
Filesize
214B

MD5
d8b2e1bfe12db863bdccdd49a5e1c8b5

SHA1
9c979907f03887b270d4e87b0cdd5377cff3692c

SHA256
00b5526d5cffb22eb22eb663fd3863c3f287c5bfc951f1d45cdd0cf0b25c2301

SHA512
3bf15a8620fa2269fb1fc7280bc203d62160f66d0cfcdc6422b0d33ab3745c6be864a8b51728f92b9e63ba3d7b1504ad8448996f14e866102369ea91b3ad7d41

Download Submit
C:\ProgramData\{705706C7-39A3-C04C-E09F-DA444D8B6F51}\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json
Filesize
121B

MD5
6a54f657c1dbaa9695f572f9ee021921

SHA1
f0f8b933b907476b37c64032225db701c9e665e6

SHA256
296f68d7119893842d8b740edb3e0decf9d14eb5f0b62f806846251869cfa46d

SHA512
5cce6d3f2650201e8f70bfd5f61bc8904ea61a457dd8dde3b255dd52d484084e80d0e163823cceb7238449a5e6589be0b265815c95e49bc6589706ea0167eb54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tdryuqayh.tmp
Filesize
767KB

MD5
d8ca174a8f3f0c225429e1be1cb6d304

SHA1
0f2e738b1a35b6072e1d23894468e45fa7dee750

SHA256
3d63ad175a34e4c89ea6eca4a1161bb5dd514a5e58302707edc03473eb1f656e

SHA512
dbf999a9f0399b3cbf93484f2e665e3beb4de369dacf4678c7b7b3ff06f45c42879c544c2404d85b88fe3aaacf117a1e28ecb68ee7ea2553b736bad03619e527

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tdryuqayh.tmp
Filesize
767KB

MD5
d8ca174a8f3f0c225429e1be1cb6d304

SHA1
0f2e738b1a35b6072e1d23894468e45fa7dee750

SHA256
3d63ad175a34e4c89ea6eca4a1161bb5dd514a5e58302707edc03473eb1f656e

SHA512
dbf999a9f0399b3cbf93484f2e665e3beb4de369dacf4678c7b7b3ff06f45c42879c544c2404d85b88fe3aaacf117a1e28ecb68ee7ea2553b736bad03619e527

Download Submit
\??\c:\program files (x86)\msbuild\microsoft\submission_history.dll
Filesize
767KB

MD5
b7057e0498509d5206a6ea5f6b7878f6

SHA1
5ead92ad32d0850c77dfe55d8548faca4b02c059

SHA256
02e8fdda112557050ca3cee6c443e09af4337fe77124b5f9c706c78f299b0af5

SHA512
3b79372333c6ce9a55a6bae473415359e098ff06091d4bd02e71c7cb40f554c62eebf49693b4793418fd8448ed5c344ecd763365a34a31933a092283a14aa383

Download Submit
memory/756-171-0x0000000000000000-mapping.dmp

Download
memory/1168-165-0x0000000000000000-mapping.dmp

Download
memory/1168-167-0x00000000050E0000-0x0000000005C59000-memory.dmp

Filesize
11.5MB

Download
memory/1168-168-0x00000000050E0000-0x0000000005C59000-memory.dmp

Filesize
11.5MB

Download
memory/1688-152-0x0000026E1B070000-0x0000026E1B32C000-memory.dmp

Filesize
2.7MB

Download
memory/1688-151-0x0000000000D10000-0x0000000000FBB000-memory.dmp

Filesize
2.7MB

Download
memory/1688-147-0x00007FF6E97D6890-mapping.dmp

Download
memory/1688-148-0x0000026E1CAD0000-0x0000026E1CC10000-memory.dmp

Filesize
1.2MB

Download
memory/1688-149-0x0000026E1CAD0000-0x0000026E1CC10000-memory.dmp

Filesize
1.2MB

Download
memory/1704-169-0x0000000000000000-mapping.dmp

Download
memory/2676-170-0x0000000000000000-mapping.dmp

Download
memory/3280-173-0x0000000004720000-0x0000000005299000-memory.dmp

Filesize
11.5MB

Download
memory/3280-157-0x0000000004720000-0x0000000005299000-memory.dmp

Filesize
11.5MB

Download
memory/4476-134-0x0000000000400000-0x0000000000BA6000-memory.dmp

Filesize
7.6MB

Download
memory/4476-138-0x0000000000400000-0x0000000000BA6000-memory.dmp

Filesize
7.6MB

Download
memory/4476-132-0x000000000298B000-0x0000000002A6A000-memory.dmp

Filesize
892KB

Download
memory/4476-133-0x0000000002B80000-0x0000000002CA0000-memory.dmp

Filesize
1.1MB

Download
memory/4812-139-0x0000000004A20000-0x0000000005599000-memory.dmp

Filesize
11.5MB

Download
memory/4812-141-0x0000000004400000-0x0000000004540000-memory.dmp

Filesize
1.2MB

Download
memory/4812-140-0x0000000004A20000-0x0000000005599000-memory.dmp

Filesize
11.5MB

Download
memory/4812-145-0x0000000004400000-0x0000000004540000-memory.dmp

Filesize
1.2MB

Download
memory/4812-142-0x0000000004400000-0x0000000004540000-memory.dmp

Filesize
1.2MB

Download
memory/4812-135-0x0000000000000000-mapping.dmp

Download
memory/4812-150-0x0000000004479000-0x000000000447B000-memory.dmp

Filesize
8KB

Download
memory/4812-146-0x0000000004400000-0x0000000004540000-memory.dmp

Filesize
1.2MB

Download
memory/4812-153-0x0000000004A20000-0x0000000005599000-memory.dmp

Filesize
11.5MB

Download
memory/4812-143-0x0000000004400000-0x0000000004540000-memory.dmp

Filesize
1.2MB

Download
memory/4812-144-0x0000000004400000-0x0000000004540000-memory.dmp

Filesize
1.2MB

Download
memory/4884-172-0x0000000000000000-mapping.dmp

Download