Analysis
-
max time kernel
133s -
max time network
147s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system -
submitted
19/12/2022, 08:20
Static task
static1
Behavioral task
behavioral1
Sample
9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97.exe
Resource
win10-20220812-en
General
-
Target
9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97.exe
-
Size
1.1MB
-
MD5
d4fe627b0bc66a57bfdb76c531c06ce6
-
SHA1
1a9ff0a579460a2e90266ebbfbad127514a74e7a
-
SHA256
9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97
-
SHA512
bea169646b86ca0659efe0989856d58098efcc70d8b8953045635ddd7d4293aed656771d8d0a1e5e4e87a4f272b8e6b69f4eeacd7d7f7220d5b6e50535aa2617
-
SSDEEP
24576:4MsPdMWW1GIdBCSGZtT/EHr0HUqcBfcvGjZzK6r:XngtAHr0HU7cu9zKM
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 1 3476 rundll32.exe 4 3476 rundll32.exe 12 3476 rundll32.exe -
Sets DLL path for service in the registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_same_reviewers\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\review_same_reviewers.dll" rundll32.exe -
Sets service image path in registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_same_reviewers\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" rundll32.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_same_reviewers\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService\uff00" rundll32.exe -
Loads dropped DLL 2 IoCs
pid Process 3476 rundll32.exe 4800 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts rundll32.exe -
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3476 set thread context of 3680 3476 rundll32.exe 67 -
Drops file in Program Files directory 36 IoCs
description ioc Process File created C:\Program Files (x86)\WindowsPowerShell\Modules\Onix32.dll rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\AXSLE.dll rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_parcel_generic_32.svg rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\OptimizePDF_R_RHP.aapp rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Onix32.dll rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\FillSign.aapp rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\IA32.api rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\stop_collection_data.gif rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\delete.svg rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Combine_R_RHP.aapp rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\review_same_reviewers.dll rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\DVA.api rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\editpdf.svg rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_joined.gif rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Review_RHP.aapp rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\delete.svg rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_joined.gif rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\stop_collection_data.gif rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Review_RHP.aapp rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIBUtils.dll rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\BIBUtils.dll rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\s_agreement_filetype.svg rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\TrackedSend.aapp rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Flash.mpp rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\share.svg rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 53 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet svchost.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status svchost.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz svchost.exe -
Modifies registry class 24 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009355944a100054656d7000003a0009000400efbe0c55a7899355944a2e000000000000000000000000000000000000000000000000002ef12801540065006d007000000014000000 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3476 rundll32.exe 3476 rundll32.exe 3476 rundll32.exe 3476 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3476 rundll32.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 3680 rundll32.exe 3476 rundll32.exe 3476 rundll32.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2780 wrote to memory of 3476 2780 9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97.exe 66 PID 2780 wrote to memory of 3476 2780 9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97.exe 66 PID 2780 wrote to memory of 3476 2780 9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97.exe 66 PID 3476 wrote to memory of 3680 3476 rundll32.exe 67 PID 3476 wrote to memory of 3680 3476 rundll32.exe 67 PID 3476 wrote to memory of 3680 3476 rundll32.exe 67 PID 3476 wrote to memory of 4112 3476 rundll32.exe 70 PID 3476 wrote to memory of 4112 3476 rundll32.exe 70 PID 3476 wrote to memory of 4112 3476 rundll32.exe 70 PID 3476 wrote to memory of 4944 3476 rundll32.exe 72 PID 3476 wrote to memory of 4944 3476 rundll32.exe 72 PID 3476 wrote to memory of 4944 3476 rundll32.exe 72 PID 3476 wrote to memory of 200 3476 rundll32.exe 76 PID 3476 wrote to memory of 200 3476 rundll32.exe 76 PID 3476 wrote to memory of 200 3476 rundll32.exe 76 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97.exe"C:\Users\Admin\AppData\Local\Temp\9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3476 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 240023⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3680
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:4112
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:4944
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:200
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:1960
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:3952
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:3392
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3376
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4800 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\review_same_reviewers.dll",VjkdbldPeQ==2⤵PID:2912
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5fdab2b3426d106210e616103cacf57ba
SHA15972f2e5dcecc133ee431ea6fd85271c22e67b3b
SHA256e5b49aef39aba5f51a3d2724418b8848721b0e5d7459e5e9a3deec161a3ab4b1
SHA512ec116a9370446129ad7f7c4767c213bc0a75c3bca6d1e7a2d4705f167a841b5af8e3edaad1924090d78870fa328ed773d3e45a2f2037b2c917b79dd68aa47c5e
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\116__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml
Filesize712B
MD594de53673235e5f020beae2e9cd5f524
SHA13eac9d16162ec495b5e17897a6455c6efb255fd9
SHA256f6206b943399614c8c08daa015fd9ba01c8bfd61e47188c573affafdcf5f3525
SHA5124d89a2326f4ffabdbe7f28ffad7b7d30dd3f26c234d99efd399c0250456d5395f19dad285dffa5f3a4197af35369af473a090fc5aa1c48c1fbb3e2117353fba8
-
Filesize
271B
MD5d6650e3886f3c95fb42d4f0762b04173
SHA11da4b8bb6bb45d576616ad843cf6e4c2e9d4784b
SHA2569101f028c2288850be393281297500902b297c8b6ecf793292678b04a72709c9
SHA5121f82db4bd6ea401bb5610c21ed48848b9b61c55aabb4efada31dc677835b8e4451045006c4067e9cc51267a1c861765b49c3b3ab4c568be1dca0c0109fd8ceaa
-
Filesize
2.3MB
MD5f7e0d6c9f7a4b410025dcb43c9c4e9ea
SHA1562bb160a37659628ee22916e34b2d5ac3036985
SHA2562de836b400284fba52a8dedf08e34e1f55f6779e16f01a8debef343521d405dd
SHA512451c0bd3e3f5a8bfef4169fdf01bee92cf260239945585dbd59e88fb3a0050a88630c67e8760cd164ff2082aa03d9c02624e44efa4e1a55020696df85ff5e00f
-
Filesize
1KB
MD58a660378169f2615d70683a49d6540c9
SHA14e78f156eb4b8766568071e81b793f05b9ea7658
SHA256f288b4ffdb060471a51dcea18c8e104c62cfcd8c37d7a41ee343145b4953cf46
SHA512754bc1a9c90e4c4ea6cf1881d26c1afbb049870f41ff71c7c943726a1706f6b0b44a2f32742065f9d5eacc54d21cb54b76f5f17315af04614612f9cc58e46648
-
Filesize
106B
MD5bef40d5a19278ca19b56fbcdde7e26ef
SHA14f01d5b8de038e120c64bd7cc22cf150af1452fb
SHA2567f9c7cc5b265e312fc587d98c7c31218b7a46f1efb8c397dcc329354b4e5831d
SHA5125a361b1378c7b9f635e72ffdfba4d59acd17341caba480a5271237a37d40d8eb03a6ca7f3c38e73ce87a15b682d434ffa0a7f96dd6355e286d8213a80518c493
-
Filesize
59KB
MD5a161b3f9fd62c3931fbd79512810cffa
SHA1a63f1d8945b983356b66819b3aa5b0bd409995e4
SHA256d3ba9eecc5e87b384242385078846cff82051194887ce2d7343bb7b60e7a26d7
SHA512f07776d386a39b20e3721b7450248e458ecd6f477197028aa42e2ab6a2731a002170a5415fb02fadac40b1b97acee3b5064ff76606ba2bcc14f7e7b674524299
-
Filesize
726KB
MD56ea8a6cc5fed6c664df1b3ef7c56b55d
SHA16b244d708706441095ae97294928967ddf28432b
SHA2562c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA5124a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741
-
Filesize
726KB
MD5cafb18c5a32c85ebe846d736c7497d3c
SHA1860101785982c3877e7cfbcebfd2a78fd40e6491
SHA256927c9e152fe94e83223e7adc97c754a7ff2bb837e88e5379b7f940ab8926cf85
SHA5128c2ae056a5605cc30bca76cd783bd66f75184a00cb261163ae74c247fc79ee454660aa8b22b26db0c39836c582b8b3e7b09b4c68aef4ffe2e1d9495dd555d2be
-
Filesize
726KB
MD5cafb18c5a32c85ebe846d736c7497d3c
SHA1860101785982c3877e7cfbcebfd2a78fd40e6491
SHA256927c9e152fe94e83223e7adc97c754a7ff2bb837e88e5379b7f940ab8926cf85
SHA5128c2ae056a5605cc30bca76cd783bd66f75184a00cb261163ae74c247fc79ee454660aa8b22b26db0c39836c582b8b3e7b09b4c68aef4ffe2e1d9495dd555d2be
-
Filesize
726KB
MD5cafb18c5a32c85ebe846d736c7497d3c
SHA1860101785982c3877e7cfbcebfd2a78fd40e6491
SHA256927c9e152fe94e83223e7adc97c754a7ff2bb837e88e5379b7f940ab8926cf85
SHA5128c2ae056a5605cc30bca76cd783bd66f75184a00cb261163ae74c247fc79ee454660aa8b22b26db0c39836c582b8b3e7b09b4c68aef4ffe2e1d9495dd555d2be
-
Filesize
726KB
MD56ea8a6cc5fed6c664df1b3ef7c56b55d
SHA16b244d708706441095ae97294928967ddf28432b
SHA2562c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA5124a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741