Analysis

max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2022 03:10

Static task: static1
Behavioral task: behavioral1
Sample: 63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918.exe
Resource: win10v2004-20220812-en

General

Target: 63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918.exe
Size: 1006KB
MD5: e234765ce130cccdd18b84c36d1396a9
SHA1: af6f1a721bd88574733879bb583da4e1a8c15c1f
SHA256: 63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918
SHA512: 29aca4c84fec3176919e57efa7fcbdf48ae3c7592d318433fa91e62751b00081f2c89f7aa964c6a6b2ed82a578d121b8ecd0dd1ab544bd944c11400c63fc5272
SSDEEP: 24576:YZaRkxQ6gYZ3tPP2vHTH1INlLKJME/94LezAD3kYbXF:YkMVmHTVIvLKJMi9mezAD3zX
Malware Config
Signatures
Blocklisted process makes network request 4 IoCs
Processes:
flow | pid | process
12 | 3460 | rundll32.exe
89 | 3460 | rundll32.exe
91 | 3460 | rundll32.exe
100 | 3460 | rundll32.exe
Sets DLL path for service in the registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\license.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\license..dll" | rundll32.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\license.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | rundll32.exe
Loads dropped DLL 3 IoCs
Processes:
pid | process
3460 | rundll32.exe
2840 | svchost.exe
2384 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | rundll32.exe
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 3460 set thread context of 2360 | 3460 | rundll32.exe | rundll32.exe
Drops file in Program Files directory 49 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
4912 | 4904 | WerFault.exe | 63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918.exe
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Modifies registry class 5 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | rundll32.exe
Modifies system certificate store 2 IoCs
Processes:
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0F02FE3B6367A7E9E89BBD4F3DEE0155C46FF088\Blob = (certificate blob omitted) | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0F02FE3B6367A7E9E89BBD4F3DEE0155C46FF088 | rundll32.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
pid | process
2840 | svchost.exe
2840 | svchost.exe
3460 | rundll32.exe
3460 | rundll32.exe
3460 | rundll32.exe
3460 | rundll32.exe
3460 | rundll32.exe
3460 | rundll32.exe
3460 | rundll32.exe
3460 | rundll32.exe
2840 | svchost.exe
2840 | svchost.exe
2840 | svchost.exe
2840 | svchost.exe
2840 | svchost.exe
2840 | svchost.exe
2840 | svchost.exe
2840 | svchost.exe
2840 | svchost.exe
2840 | svchost.exe
2840 | svchost.exe
2840 | svchost.exe
2840 | svchost.exe
2840 | svchost.exe
2840 | svchost.exe
2840 | svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3460 | rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
2360 | rundll32.exe
3460 | rundll32.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description | pid | process | target process
PID 4904 wrote to memory of 3460 | 4904 | 63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918.exe | rundll32.exe
PID 4904 wrote to memory of 3460 | 4904 | 63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918.exe | rundll32.exe
PID 4904 wrote to memory of 3460 | 4904 | 63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918.exe | rundll32.exe
PID 3460 wrote to memory of 2360 | 3460 | rundll32.exe | rundll32.exe
PID 3460 wrote to memory of 2360 | 3460 | rundll32.exe | rundll32.exe
PID 3460 wrote to memory of 2360 | 3460 | rundll32.exe | rundll32.exe
PID 2840 wrote to memory of 2384 | 2840 | svchost.exe | rundll32.exe
PID 2840 wrote to memory of 2384 | 2840 | svchost.exe | rundll32.exe
PID 2840 wrote to memory of 2384 | 2840 | svchost.exe | rundll32.exe
PID 3460 wrote to memory of 3048 | 3460 | rundll32.exe | schtasks.exe
PID 3460 wrote to memory of 3048 | 3460 | rundll32.exe | schtasks.exe
PID 3460 wrote to memory of 3048 | 3460 | rundll32.exe | schtasks.exe
PID 3460 wrote to memory of 1544 | 3460 | rundll32.exe | schtasks.exe
PID 3460 wrote to memory of 1544 | 3460 | rundll32.exe | schtasks.exe
PID 3460 wrote to memory of 1544 | 3460 | rundll32.exe | schtasks.exe
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Processes

C:\Users\Admin\AppData\Local\Temp\63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918.exe"
  PID: 4904
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
    PID: 3460
    - Blocklisted process makes network request
    - Sets DLL path for service in the registry
    - Sets service image path in registry
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

    C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23958
      PID: 2360
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 3048

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 1544

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 536
    PID: 4912
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4904 -ip 4904
  PID: 2080

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3852

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  PID: 2840
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\license..dll",WlQGTEo2cVk=
    PID: 2384
    - Loads dropped DLL
    - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\license..dll
Filesize: 726KB
MD5: 66982d00be2fdcfe46bac9cacc6125d9
SHA1: 90942c50a41f1545345f30812e9827d415414bb6
SHA256: 219939a37ab2cd4ced78a1a680dc0f8a4c48e75588f38f42fc37696ec4aa7d37
SHA512: 392608eb27f121e4ab0aa40a39c5f0012d47724e522c1d45fa9e5f8f5134750fcbb00057ea7eb7efc5115a5bdc8ffa3ed3cd27f5c64027f2ca9c267fc00fc73a

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\EventStore.db
Filesize: 60KB
MD5: d116da1d8d0375f0a1bdf0f9783c24c4
SHA1: d3b94d410a541db1a1523d36882781893897812b
SHA256: f4743c3cfddb5ebcfa812790ab5f6ae1afe61c8575f3b9c74a2febb398dd177f
SHA512: c6cb425064a05e4b262fa49446be4312e743cba7506fba86bf98535884d2cf9823545378ee9b2493ca820821eaea6eda6924c0f793b00d0ac5b29cae9604989c

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe.xml
Filesize: 4KB
MD5: 7eb2ff3e6ad26430b3d7c1d86bd55042
SHA1: 3c1f961bb1317b63fa454d1938e2dfab8fa518be
SHA256: 1469f5b82db4cb94fdb24580efe2cf3d30a9bc94ee4d4378b6cce50674999e1a
SHA512: 89d6f1ae647cb3e3fc2cd8b1657f22e0fb023bff68482d159f61a6d1f8dd97b6c6d4e9c9edde989963e97740371a1dbd45b5f0524532c81cd082636e5d971e13

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize: 2.3MB
MD5: 249f961c5a56eec98bae71f4c457b35e
SHA1: e5b54b10086ba94bd3bfe2dd9ee9252ff40d0332
SHA256: fbbdfce3ff2c1b3f0111a999127bef9bf60f82941b3e492abf09d9094255b37b
SHA512: cabcb592b0f4bb8212b6ef9566ed4897e8320af803331465b44a9e07a77e88382a9b21eb9a420a033fa40c6504c0202c7947a0d26b55ee8d0d647e70f5f21fa4

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\device.png
Filesize: 43KB
MD5: 7051c15362866f6411ff4906403f2c54
SHA1: 768b062b336675ff9a2b9fcff0ce1057234a5399
SHA256: 609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a
SHA512: 5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\overlay.png
Filesize: 28KB
MD5: 1f93b502e78190a2f496c2d9558e069d
SHA1: 6ae6249493d36682270c0d5e3eb3c472fdd2766e
SHA256: 5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e
SHA512: cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\settings.ico
Filesize: 66KB
MD5: 4896c2ad8ca851419425b06ec0fd95f2
SHA1: 7d52e9355998f1b4487f8ef2b1b3785dec35d981
SHA256: 1160a3a774b52f07453bde44755fbf76a8b1534c5ade19402f05857c249056b3
SHA512: 271f40a273bc98738d450a8585cc84d097d88bbb6417fd20b4417d31b4e19b1b8fe860d044f70a3e4096588b9615c8cc588b1cab651ab1b4320d7ce1d74eb8f2

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\stream.x64.x-none.dat.cat
Filesize: 574KB
MD5: 13e2674d1e5118dc8547264aa2b8654b
SHA1: 60b0f7065882e839d6a80f1263f9f60a8efa26bd
SHA256: 320ae5c50698f4553758c71c37135cf390c06f355cfb3b8cc18dae85ead16944
SHA512: b399d85720844dbcb7220b05a186cd0cf46e3307c8afbebbbdcd132be5aa9f936482ba5743764acd12df256a2b2249a0b06ef7365286c66912db02634cd18bda

C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize: 726KB
MD5: 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1: 6b244d708706441095ae97294928967ddf28432b
SHA256: 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512: 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

\??\c:\program files (x86)\windowspowershell\modules\license..dll
Filesize: 726KB
MD5: 66982d00be2fdcfe46bac9cacc6125d9
SHA1: 90942c50a41f1545345f30812e9827d415414bb6
SHA256: 219939a37ab2cd4ced78a1a680dc0f8a4c48e75588f38f42fc37696ec4aa7d37
SHA512: 392608eb27f121e4ab0aa40a39c5f0012d47724e522c1d45fa9e5f8f5134750fcbb00057ea7eb7efc5115a5bdc8ffa3ed3cd27f5c64027f2ca9c267fc00fc73a

memory/1544-169-0x0000000000000000-mapping.dmp

memory/2360-150-0x0000000000AA0000-0x0000000000CB9000-memory.dmp
Filesize: 2.1MB

memory/2360-148-0x000001B2E7840000-0x000001B2E7980000-memory.dmp
Filesize: 1.2MB

memory/2360-149-0x000001B2E7840000-0x000001B2E7980000-memory.dmp
Filesize: 1.2MB

memory/2360-151-0x000001B2E5E70000-0x000001B2E609A000-memory.dmp
Filesize: 2.2MB

memory/2360-147-0x00007FF6D4B66890-mapping.dmp

memory/2384-167-0x0000000003E40000-0x0000000004565000-memory.dmp
Filesize: 7.1MB

memory/2384-166-0x0000000003E40000-0x0000000004565000-memory.dmp
Filesize: 7.1MB

memory/2384-164-0x0000000000000000-mapping.dmp

memory/2840-157-0x0000000003C30000-0x0000000004355000-memory.dmp
Filesize: 7.1MB

memory/2840-170-0x0000000003C30000-0x0000000004355000-memory.dmp
Filesize: 7.1MB

memory/2840-156-0x0000000003C30000-0x0000000004355000-memory.dmp
Filesize: 7.1MB

memory/3048-168-0x0000000000000000-mapping.dmp

memory/3460-142-0x00000000044C0000-0x0000000004600000-memory.dmp
Filesize: 1.2MB

memory/3460-152-0x0000000005770000-0x0000000005E95000-memory.dmp
Filesize: 7.1MB

memory/3460-141-0x00000000044C0000-0x0000000004600000-memory.dmp
Filesize: 1.2MB

memory/3460-143-0x00000000044C0000-0x0000000004600000-memory.dmp
Filesize: 1.2MB

memory/3460-140-0x00000000044C0000-0x0000000004600000-memory.dmp
Filesize: 1.2MB

memory/3460-139-0x0000000005770000-0x0000000005E95000-memory.dmp
Filesize: 7.1MB

memory/3460-138-0x0000000005770000-0x0000000005E95000-memory.dmp
Filesize: 7.1MB

memory/3460-144-0x0000000004539000-0x000000000453B000-memory.dmp
Filesize: 8KB

memory/3460-132-0x0000000000000000-mapping.dmp

memory/3460-146-0x00000000044C0000-0x0000000004600000-memory.dmp
Filesize: 1.2MB

memory/3460-145-0x00000000044C0000-0x0000000004600000-memory.dmp
Filesize: 1.2MB

memory/4904-136-0x0000000002460000-0x0000000002575000-memory.dmp
Filesize: 1.1MB

memory/4904-135-0x0000000002275000-0x000000000234B000-memory.dmp
Filesize: 856KB

memory/4904-137-0x0000000000400000-0x0000000000523000-memory.dmp
Filesize: 1.1MB