Analysis
max time kernel: 149s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2022 21:30
Static task: static1
Behavioral task: behavioral1
Sample: 054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db.exe
Resource: win10v2004-20220812-en
General
Target: 054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db.exe
Size: 1004KB
MD5: 1a8e406d5c8ee2782bef58cedc387bca
SHA1: d8f8eb4a2245e0688d031f511a04c0d219f94356
SHA256: 054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db
SHA512: 72f216529ec432d525e1843cfaf77f0109a37e429042d0f19ea2acd3ecacdd5728d8410de2c76c1e20b39ee060f693ad1827dce83f75deb043692d9d06b8b6a9
SSDEEP: 24576:xIx3Z40aPvEYPgLOI8Z1R1ZEvyTA+7DPKMbUAbkznKYbXF:KJuvrg6I8dhA+3hUYkrJX
Malware Config
Signatures

Blocklisted process makes network request (4 IoCs)
Processes:
  flow 12: PID 3016 rundll32.exe
  flow 15: PID 3016 rundll32.exe
  flow 92: PID 3016 rundll32.exe
  flow 94: PID 3016 rundll32.exe

Sets DLL path for service in the registry (2 TTPs, 1 IoC)
Processes:
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aic_file_icons_retina_thumb_new\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\aic_file_icons_retina_thumb_new.dll" (rundll32.exe)

Sets service image path in registry (2 TTPs, 1 IoC)
Processes:
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aic_file_icons_retina_thumb_new\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" (rundll32.exe)

Loads dropped DLL (3 IoCs)
Processes:
  PID 3016 rundll32.exe
  PID 3192 svchost.exe
  PID 3952 rundll32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoC)
Processes:
  Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (rundll32.exe)

Accesses Microsoft Outlook profiles (1 TTPs, 4 IoCs)
Processes:
  Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
  Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
  Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (rundll32.exe)
  Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 3016 set thread context of 3540 (rundll32.exe -> rundll32.exe)

Drops file in Program Files directory (47 IoCs)
Processes: rundll32.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
  PID 728 WerFault.exe, target PID 5028 054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db.exe

Checks processor information in registry (2 TTPs, 64 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: rundll32.exe, svchost.exe
Modifies registry class (5 IoCs)
Processes:
  Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (rundll32.exe)
  Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (rundll32.exe)
  Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (rundll32.exe)

Modifies system certificate store
Processes:
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\268A374B716F89DC7288151E71599DD7161B843F (rundll32.exe)
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\268A374B716F89DC7288151E71599DD7161B843F\Blob = 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 (rundll32.exe)

Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes:
  PID 3192 svchost.exe (18 entries)
  PID 3016 rundll32.exe (8 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege, PID 3016 rundll32.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  PID 3540 rundll32.exe
  PID 3016 rundll32.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  PID 5028 wrote to memory of 3016 (054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db.exe -> rundll32.exe), 3 entries
  PID 3016 wrote to memory of 3540 (rundll32.exe -> rundll32.exe), 3 entries
  PID 3192 wrote to memory of 3952 (svchost.exe -> rundll32.exe), 3 entries
  PID 3016 wrote to memory of 5028 (rundll32.exe -> schtasks.exe), 3 entries
  PID 3016 wrote to memory of 4092 (rundll32.exe -> schtasks.exe), 3 entries

outlook_office_path (1 IoC)
Processes:
  Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)

outlook_win_path (1 IoC)
Processes:
  Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)

Processes
(tree depth shown in brackets; children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db.exe"
    PID: 5028
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
        PID: 3016
        - Blocklisted process makes network request
        - Sets DLL path for service in the registry
        - Sets service image path in registry
        - Loads dropped DLL
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Checks processor information in registry
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        - outlook_office_path
        - outlook_win_path

        [3] C:\Windows\system32\rundll32.exe
            Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23958
            PID: 3540
            - Modifies registry class
            - Suspicious use of FindShellTrayWindow

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
            PID: 5028

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
            PID: 4092

    [2] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 536
        PID: 728
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5028 -ip 5028
    PID: 1168

[1] C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 3536

[1] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
    PID: 3192
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\aic_file_icons_retina_thumb_new.dll",XVILWEdMM3M=
        PID: 3952
        - Loads dropped DLL
        - Checks processor information in registry
Downloads