Analysis
max time kernel: 149s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/12/2022, 09:13
Static task: static1
Behavioral task: behavioral1
  Sample: 52939ddac663150e902b58fdbb2d7b75.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 52939ddac663150e902b58fdbb2d7b75.exe
  Resource: win10v2004-20220812-en
The results on this page are from behavioral2 (win10v2004-20220812-en).
General
Target: 52939ddac663150e902b58fdbb2d7b75.exe
Size: 1.1MB
MD5: 52939ddac663150e902b58fdbb2d7b75
SHA1: a311ef6a1728ec247963a8b276da6f94d0d0a50c
SHA256: 73c4486426a8ae3962e83259140d771c80532da079c3da94965039f9d9b8b11a
SHA512: 6f6ee5ef9700fa2fbd332ad5b8a749614a465feb9c0c8d0eb7115296c414694f4401535da73d6a413eb62c7c8e9be7bf412b9ecf27c892f5dbc0b1fd62264789
SSDEEP: 24576:RnpfiR2so90SCTanbH9v6ffSfkN9fs/FZyZrqkd5VzK6r:DiR2so06Riz3fs4td5VzKM
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)
flow | pid | Process
36 | 3344 | rundll32.exe
41 | 3344 | rundll32.exe
90 | 3344 | rundll32.exe
92 | 3344 | rundll32.exe
The flow numbers index the report's Network section, which is empty on this page, so the destinations cannot be recovered from it.
Sets DLL path for service in the registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AcroLayoutRecognizer\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\AcroLayoutRecognizer.dll\u0600" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AcroLayoutRecognizer\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\AcroLayoutRecognizer.dllﴀ" | rundll32.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AcroLayoutRecognizer\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService\uff00" | rundll32.exe

Together these values register a new svchost-hosted service, AcroLayoutRecognizer, whose ServiceDll points into a PowerShell modules directory rather than System32. The stray character the sandbox shows after ".dll" and after "LocalService" is in the captured value as recorded; the service nonetheless loaded (svchost.exe 3636 is flagged "Loads dropped DLL" below), so the path without it is the one to hunt for. A ServiceDll outside %SystemRoot%\System32 is the durable indicator here.
Loads dropped DLL (3 IoCs)
pid | Process
3344 | rundll32.exe
3636 | svchost.exe
2100 | rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers commonly read stored browser data, which can include saved credentials and other stored secrets.
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | rundll32.exe

Accesses Microsoft Outlook profiles (1 TTPs, 4 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
The sample probes the Office 15.0 and 16.0 profile locations as well as the older Windows Messaging Subsystem path, so the account harvesting works regardless of which Outlook version is installed.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 3344 set thread context of 1364 | 3344 | rundll32.exe | 91
Taken with the WriteProcessMemory entries below (3344 wrote to 1364 three times) and the process tree (3344 spawned 1364 as a rundll32.exe hosting shell32.dll), this is injection into a freshly created, legitimate-looking host process.
Drops file in Program Files directory (51 IoCs)
All 51 entries are by rundll32.exe (PID 3344). The "File created" entries all land in C:\Program Files (x86)\WindowsPowerShell\Modules; the "File opened for modification" entries are existing Adobe Acrobat Reader DC, Mozilla Firefox and 7-Zip files. Every created file except AcroLayoutRecognizer.dll shares its name with one of the opened files, so the dropped service DLL is staged among copies of legitimate application files rather than on its own.
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\ReadOutLoud.api
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\warning.gif
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-72x72-precomposed.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-default.svg
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\drvDX9.x3d
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\s_agreement_filetype.svg
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\forms_super.gif
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-down.svg
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner.gif
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\init.js
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\add_reviewer.gif
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\close_x.png
File opened for modification: C:\Program Files\Mozilla Firefox\browser\features\[email protected]
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\en-US.pak
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\Eula.exe
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\turnOffNotificationInAcrobat.gif
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\bl.gif
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvDX9.x3d
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\COPYING.LGPLv2.1.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-72x72-precomposed.png
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\AcroLayoutRecognizer.dll
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\email_all.gif
File opened for modification: C:\Program Files\Mozilla Firefox\Accessible.tlb
File opened for modification: C:\Program Files\7-Zip\7-zip32.dll
File opened for modification: C:\Program Files\Mozilla Firefox\crashreporter.exe
File opened for modification: C:\Program Files\Mozilla Firefox\firefox.exe
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_super.gif
File opened for modification: C:\Program Files\Mozilla Firefox\dependentlibs.list
File created: C:\Program Files (x86)\WindowsPowerShell\Modules\s_filetype_xd.svg
File opened for modification: C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll
File opened for modification: C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-default.svg
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-down.svg
File opened for modification: C:\Program Files\Mozilla Firefox\firefox.cfg
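Added example (my own code, not part of the sandbox report): a parser for the flattened IoC format used above that pairs each file created under WindowsPowerShell\Modules with the same-named file the sample opened elsewhere, which makes the staging pattern (legitimate files copied next to the dropped DLL) visible from the raw list. IOC_TEXT is a ten-record excerpt of the list, copied as it appears in the report; the full list can be pasted in unchanged.

```python
"""Parse the sandbox's flattened 'Drops file in Program Files directory' IoC
list and pair every file the sample created under WindowsPowerShell\\Modules
with the same-named file it opened elsewhere. IOC_TEXT is a ten-record excerpt
copied from the report; the parser accepts the whole list in the same form."""
import ntpath
import re

# Each record is "<action> <path> <process>". Paths contain spaces, so the
# process name (one token ending in .exe, followed by the next record or the
# end of the text) is the only reliable delimiter.
RECORD = re.compile(
    r"(File created|File opened for modification) (.+?) (\S+\.exe)"
    r"(?= File (?:created|opened)|$)"
)

# Directory the sample stages its service DLL and decoy copies into.
STAGING_DIR = "\\windowspowershell\\modules\\"

IOC_TEXT = (
    r"File created C:\Program Files (x86)\WindowsPowerShell\Modules\ReadOutLoud.api rundll32.exe "
    r"File created C:\Program Files (x86)\WindowsPowerShell\Modules\warning.gif rundll32.exe "
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api rundll32.exe "
    r"File created C:\Program Files (x86)\WindowsPowerShell\Modules\drvDX9.x3d rundll32.exe "
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif rundll32.exe "
    r"File created C:\Program Files (x86)\WindowsPowerShell\Modules\Eula.exe rundll32.exe "
    r"File created C:\Program Files (x86)\WindowsPowerShell\Modules\AcroLayoutRecognizer.dll rundll32.exe "
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvDX9.x3d rundll32.exe "
    r"File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe rundll32.exe "
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe rundll32.exe"
)


def parse_records(text: str) -> list[tuple[str, str, str]]:
    """Split the flattened list into (action, path, process) triples."""
    return RECORD.findall(text)


def staging_map(text: str) -> tuple[dict[str, tuple[str, str]], list[str]]:
    """Return (decoys, unmatched).

    decoys maps a staged file name to (original path the sample opened,
    staged copy under the Modules directory). unmatched lists staged files
    with no same-named original, i.e. files that are not copies of anything
    already on the box; those are the ones worth pulling for analysis."""
    staged: dict[str, str] = {}
    originals: dict[str, str] = {}
    for action, path, _process in parse_records(text):
        name = ntpath.basename(path).lower()  # ntpath: backslash paths on any OS
        in_staging = STAGING_DIR in path.lower()
        if action == "File created" and in_staging:
            staged[name] = path
        elif action == "File opened for modification" and not in_staging:
            originals.setdefault(name, path)
    decoys = {n: (originals[n], staged[n]) for n in staged if n in originals}
    unmatched = sorted(n for n in staged if n not in originals)
    return decoys, unmatched


if __name__ == "__main__":
    decoys, unmatched = staging_map(IOC_TEXT)
    for name, (src, dst) in decoys.items():
        print(f"decoy        {name}: {src} -> {dst}")
    for name in unmatched:
        print(f"NO ORIGINAL  {name}")
```

On the excerpt this reports four decoys (ReadOutLoud.api, warning.gif, drvDX9.x3d, Eula.exe) and one staged file with no original, AcroLayoutRecognizer.dll; firefox.exe was opened but never staged, so it is not a decoy. The same split over the full 51-entry list leaves AcroLayoutRecognizer.dll as the only unmatched file.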
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour, but drive enumeration on its own is weak evidence: nothing else in this report points that way, and the rest of the behaviour is service persistence plus mail-profile and browser-data harvesting.
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3572 | 4972 | WerFault.exe | 80
Checks processor information in registry (2 TTPs, 64 IoCs)
Processor information is often read in order to detect sandboxing environments.
The 64 entries, condensed. Both rundll32.exe and svchost.exe touch \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor and its per-core subkeys \0 and \1:
Key opened: CentralProcessor, CentralProcessor\0, CentralProcessor\1 (rundll32.exe, svchost.exe)
Key enumerated: CentralProcessor (rundll32.exe, svchost.exe)
Key value enumerated: CentralProcessor\0, CentralProcessor\1 (rundll32.exe, svchost.exe)
Key value queried (under \0 and \1, by rundll32.exe and svchost.exe): FeatureSet, Component Information, Update Status, Identifier, ~MHz, Platform Specific Field 1, VendorIdentifier, Configuration Data, Previous Update Revision, Update Revision, ProcessorNameString
Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
These are ShellBag (BagMRU) keys written by the rundll32.exe instance (PID 1364) that hosts shell32.dll, i.e. ordinary shell bookkeeping from the injected host rather than a persistence mechanism.

Modifies system certificate store (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\999290C14ADD5D8D89BB7E418ED753C0A6F26CF9 | rundll32.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\999290C14ADD5D8D89BB7E418ED753C0A6F26CF9\Blob = [certificate blob omitted] | rundll32.exe
The key name is the SHA-1 thumbprint of a certificate written straight into the machine Trusted Root store; a certificate with that thumbprint under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates on a host is a clean indicator to check for, and it should be removed from the store during remediation.
Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid | Process | entries
3636 | svchost.exe | 14
3344 | rundll32.exe | 8
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3344 | rundll32.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1364 | rundll32.exe
3344 | rundll32.exe

Suspicious use of WriteProcessMemory (15 IoCs; each pair is recorded three times)
description | pid | Process | procid_target
PID 4972 wrote to memory of 3344 | 4972 | 52939ddac663150e902b58fdbb2d7b75.exe | 81
PID 3344 wrote to memory of 1364 | 3344 | rundll32.exe | 91
PID 3636 wrote to memory of 2100 | 3636 | svchost.exe | 94
PID 3344 wrote to memory of 2404 | 3344 | rundll32.exe | 96
PID 3344 wrote to memory of 3136 | 3344 | rundll32.exe | 98
outlook_office_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe

outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\52939ddac663150e902b58fdbb2d7b75.exe (PID 4972)
  Command line: "C:\Users\Admin\AppData\Local\Temp\52939ddac663150e902b58fdbb2d7b75.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 3344, child of 4972)
    Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
    - Blocklisted process makes network request
    - Sets DLL path for service in the registry
    - Sets service image path in registry
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    C:\Windows\system32\rundll32.exe (PID 1364, child of 3344)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23993
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
    C:\Windows\SysWOW64\schtasks.exe (PID 2404, child of 3344)
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    C:\Windows\SysWOW64\schtasks.exe (PID 3136, child of 3344)
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
  C:\Windows\SysWOW64\WerFault.exe (PID 3572, child of 4972)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 528
    - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 4104)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4972 -ip 4972
C:\Windows\System32\rundll32.exe (PID 1816)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\svchost.exe (PID 3636)
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 2100, child of 3636)
    Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\acrolayoutrecognizer.dll",hUk8TQ==
    - Loads dropped DLL
    - Checks processor information in registry

Reading the tree: the sample (4972) hands execution to rundll32.exe (3344), which loads the dropped Ipoetwsuqhd.tmp through the export Sufeidweoe. From 3344 the payload spawns a second rundll32.exe (1364) hosting shell32.dll and writes to its memory and sets its thread context (injection into a freshly created host), registers the AcroLayoutRecognizer service (ServiceDll under WindowsPowerShell\Modules, ImagePath svchost.exe -k LocalService), stops and restarts the WinINet CacheTask via schtasks, makes the blocklisted network requests, reads the Outlook account and profile keys, and installs a root certificate. The service then runs on its own: svchost.exe (3636) loads the dropped DLL and launches rundll32.exe (2100) with it. The original sample crashes after the hand-off (WerFault.exe 3572 and 4104 against PID 4972).
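The chain above expressed as detection logic, as an added example: this is my own code, not something from the report, the sandbox vendor or the malware. The events are constructed to mirror the process tree and the registry IoCs above (field names follow Sysmon's Image, ParentImage, CommandLine, TargetObject and Details; EventID 1 is process creation, 13 a registry value set), the trailing character the sandbox shows on the ServiceDll value is left out, and the rule names are mine. Two of the rundll32 launches (shell32.dll ordinal #61 and the SHCreateLocalServerRunDll COM activation) are included as negatives that must not fire.

```python
"""Detection rules for this report's execution chain, run over constructed
Sysmon-style events (EventID 1 = process create, EventID 13 = registry value
set). The events are modelled on the process tree and registry IoCs in the
report; they are not exported from the sandbox."""
import re

SYSTEM32 = "c:\\windows\\system32\\"


def rundll32_target(cmdline: str) -> str:
    """DLL path handed to rundll32 (lower-cased), or '' if none was found.
    Accepts both quoted and unquoted forms: rundll32.exe "<dll>",<entry>"""
    m = re.search(r'rundll32\.exe"?\s+"?([^",]+)"?,', cmdline, re.IGNORECASE)
    return m.group(1).strip().lower() if m else ""


def check_process(ev: dict) -> list[tuple[str, str]]:
    hits = []
    image = ev["Image"].lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    if image.endswith("\\rundll32.exe"):
        dll = rundll32_target(cmd)
        # Stage 1: rundll32 given a DLL dropped in the user's Temp (here a .tmp).
        if "\\appdata\\local\\temp\\" in dll or dll.endswith(".tmp"):
            hits.append(("rundll32_temp_dll", dll))
        # Stage 3: the svchost-hosted service re-launching its DLL from a
        # PowerShell modules directory, which never holds service DLLs.
        if parent.endswith("\\svchost.exe") and "\\windowspowershell\\modules\\" in dll:
            hits.append(("svchost_child_rundll32_modules_dir", dll))
    # A rundll32 host stopping or starting the WinINet cache task is unusual.
    if (image.endswith("\\schtasks.exe") and parent.endswith("\\rundll32.exe")
            and "\\wininet\\cachetask" in cmd.lower()):
        hits.append(("rundll32_schtasks_wininet_cachetask", cmd))
    return hits


def check_registry(ev: dict) -> list[tuple[str, str]]:
    hits = []
    key = ev["TargetObject"].lower()
    # Real services usually write %SystemRoot%\System32\...; normalise that.
    val = ev.get("Details", "").lower().replace("%systemroot%", "c:\\windows")
    # Stage 2: service persistence whose ServiceDll lives outside System32.
    if key.endswith("\\parameters\\servicedll") and not val.startswith(SYSTEM32):
        hits.append(("servicedll_outside_system32", ev["Details"]))
    # A certificate written straight into the machine ROOT store; the key
    # name is the SHA-1 thumbprint.
    m = re.search(r"\\systemcertificates\\root\\certificates\\([0-9a-f]{40})\\blob$", key)
    if m:
        hits.append(("root_ca_added", m.group(1).upper()))
    return hits


def detect(events) -> list[tuple[str, str]]:
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            findings.extend(check_process(ev))
        elif ev["EventID"] == 13:
            findings.extend(check_registry(ev))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\52939ddac663150e902b58fdbb2d7b75.exe"
SVC = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AcroLayoutRecognizer"

# Constructed events in the order the report's process tree shows them.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "ParentImage": SAMPLE,
     "CommandLine": r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe'},
    {"EventID": 1, "Image": r"C:\Windows\system32\rundll32.exe", "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23993'},
    {"EventID": 13, "TargetObject": SVC + r"\Parameters\ServiceDll",
     "Details": r"C:\Program Files (x86)\WindowsPowerShell\Modules\AcroLayoutRecognizer.dll"},
    {"EventID": 13, "TargetObject": SVC + r"\ImagePath",
     "Details": r"C:\Windows\system32\svchost.exe -k LocalService"},
    {"EventID": 13, "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\999290C14ADD5D8D89BB7E418ED753C0A6F26CF9\Blob",
     "Details": "Binary Data"},  # placeholder: the blob itself is not in the report
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",  # depth-1 COM activation, no parent recorded
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "ParentImage": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\acrolayoutrecognizer.dll",hUk8TQ=='},
]

if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:38} {detail}")
```

Run as-is it reports five findings, one per stage of the chain, and nothing for the two legitimate-looking rundll32 invocations. The ServiceDll rule is the one to keep on a real host: a service whose DLL is outside System32 is rare enough to review by hand, whereas the rundll32 and schtasks rules need the parent-process context shown here to stay quiet on normal systems.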
Network
MITRE ATT&CK Enterprise v6
Downloads
Entries without a path are listed as the report shows them; the dropped-file paths were not captured on this page. Entries that the report repeats with identical hashes are shown once with the repeat count.

Filesize: 726KB (this entry appears three times in the report)
MD5: 08e25e3cde93ea8a44a3bff913f7fa5d
SHA1: 776339feba4006e79aad70e31ee7c17f375a6c2e
SHA256: 46bf6620457f2b768a171b64c2847f7194d950bbfbd7a89c1a04f5d027904dca
SHA512: a7ee68f0c03013e54bbfc174fc75a50e99b2005db87d5207c960773f84f078664d50567f248618db591f8949a1ce6cd393bd78972ed46e23500f7c9cbc8cf8f5

Path: C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml
Filesize: 30KB
MD5: 98de295b21abe2451f86b82df3be269a
SHA1: 1665a23d307748e8c1c0164ba7939275f9fb676c
SHA256: fd3507cd60edf41093c8fe843d1601e33db9cbe1cd36247cec587c265109bcfa
SHA512: 230ae283c81771496dcae9ef84787379712106738ea82754b101af9047ae27cadb8b1f4aed00d146a699c22fd1c505c31068418a70d2b535c85c3017726d91cc

Filesize: 10KB
MD5: 220ae72aa2505c9276da2056b7e34936
SHA1: 6dfb0f4fd5c0d25062d3d1235fc20358560fdb89
SHA256: afc37ba57fac36ba151953b67619dbbb985f58122f4ebe07f15b312b5bdf004c
SHA512: cab8485458b9870015f037fc6c8279018bf212d36ba01181bdb90970473a4b5aaeb9708e36eb21c8e6c1301dbdca630b29c8b3a6fa82fa14fb04bc65d235debd

Filesize: 1KB
MD5: 3793544370ec1fddcf5ba6ae099f2538
SHA1: c784c5d8d1c496ab7ba1150782d20cba67b76321
SHA256: 87975551187040cc2505a12ac285c042b8e70921a55808ecf982c7cd37df0ae2
SHA512: debdde56e6e087ff04863490223229d37828e348f7630d6c33aae1f113cce4be75f1420c593268ef5f5bd3026dccb062015781ba83dcaffa2b9bb37b55efc319

Filesize: 17KB
MD5: c6b6b07071e0f8ff39f5941a3169b20c
SHA1: d77fd2513ac3cb9b8595424d1f695fce21e33d96
SHA256: f8b710777d2c0105e74ee27ee6dfc8e43ca4ff7e14b4dba390eb72dad20705bd
SHA512: 167ab504d6e4c91239f8239722aba17a7f6748fb3e8ee750b2d3f3fd677e6646a8149c8b956513cb2e90722196471865591215938cea8444fdf2e5cff180fdec

Path: C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe.xml
Filesize: 9KB
MD5: 996f11041df0526341cebbbd40a98390
SHA1: 37f652515ef8c662840086d743f7f68d327cce52
SHA256: bb39de067132d2ccbb7a3c066743010f070a3c3856f42ccc892da0b40012771e
SHA512: 6cafa4b3bd8c56d20859a4f8fb7109e3ca4c690d0746b13f9f2eaa19d88bfca469dc45d71fb91f5658f9cd300f285aafb9e212ebd7c1496aadb6046da4e56c03

Path: C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe.xml
Filesize: 17KB
MD5: 1b8d789d46feb22b7fa9b011ac51f00f
SHA1: 742b5b78b5d63450b5b5bde48ae90330f988c57e
SHA256: 7c46108992cf848638182bf80bf19965f5052deed8a958804b6bdf828c167dec
SHA512: c524cac4cc8993c4f3c5d458f639314e07736bcd834179d23e929697d1c7d55b3cd1375108c2fc34133a9df3e297c1ea633e2676af9bf8e073774b4534693cf0

Filesize: 3KB
MD5: 701beb4f8c252fb3c9f5dbdc94648048
SHA1: 556ba20475a502b68b7992454be6c64ab355b4ec
SHA256: 620e27a3746773947ba7ceee99d2b55e4e3cfa32a9164a0185a8cb8b22a55b67
SHA512: 28c76c3d5ebb75797d37965b13cb05f852e25cc3d2558c38b091b82e12b78f268d58f144a0fcac32b30d70e5897ed7c647d4e3584edd2625ba7cdf5c54826faf

Filesize: 10KB
MD5: 46353bb25b4eb2e9d26a25744c716563
SHA1: a9a9c2a1260542b5246fd642425dcc2a29a098c1
SHA256: 3fae1d780e8a63d73847dc38412952c238d0e3ca01a97caee718489a3d424893
SHA512: 09027ff22d03712258dbd10d6fe2cafbefd90e974210b09d20008d8eb6b569915064c65a7403187b0d78e79c96838cc0bba49b089acc7c7ab790866359719197

Filesize: 2.3MB
MD5: f90e7f329f23a9e4cf3e8f09725c6563
SHA1: 8ed637772d70cb23ed6a3238b1edecf68688acd4
SHA256: 6572e528a18e0a0f9e09ff6c61b36421c1e1d46b54a970b49161aaac5a19a2ca
SHA512: dd9d575f8f0f07c504973d2ba14a03835d85e420a2aba0357bf3a185c2b97d6ac19104b65672b2c44220ca13453dac26bb55c5d7348b6d1a692877e290f20bbe

Filesize: 2.3MB
MD5: 2ba883768ef9ad3dcb079973260db20b
SHA1: 937c41f24f24e836197dcabf031006714fc4bb4b
SHA256: 85deac7591d4f700f9764466cfbec89e4d849fa28241fa791caa9e1c2975bd4d
SHA512: 00e03eed48c746f8ae17bab97b329748483c56bf479e5dc8d7ea08fb0a4d559a06a454ae31ea6611a3fcc0662e7446d1a9e11cc0f8ac44729645d8d550dfb9f5

Filesize: 892B
MD5: 05a593ddf82be0bb1f258c9d0585f75d
SHA1: 6712a2dd452fc768e5d9f7cd3805d1592c27d676
SHA256: bf438bec47694988412b0b5d395e112ffd4376521c0cc9c523a2a8d265c3b6be
SHA512: f379ebcc30a0368757500677691d5429fc4a1876379fb83101f7183e844bed37577fcf836cbbcdd09ff696e24745fdc9aa3149c4d7ea1fdc7d9fe243d384ece4

Filesize: 55KB
MD5: 0f3c6d90637f0fdc57b1d303cf8d76cd
SHA1: 91cef4325b363b31e4555302a70321a2110b51cf
SHA256: 4858a310c97817f76fd6430067ac3c0b54dc030f7547eb9fbdb082545e8cc261
SHA512: 6f533242faef57f84c88ea6d5134f60f3fc8a9771a0106752d430875266698cd5d1d4beffd00abdd492d08d5f5365d905dd8869ced2ec0bc7c20be8430d73df5

Filesize: 106B
MD5: c7acd2e60202f2d2200125e05366e637
SHA1: 7d5cb1dc7201337601fcec0b71491c6ef27c593f
SHA256: 2621f92f43d06d28d28c0bf72909ea4da8232cdee0704e84c2b1310075f5890a
SHA512: ff5106469272c4926a1d4bc6c1ac32f9efa20974cb20747792d7fafd928da8db319b4a3972e33499f79adb57251e8f6d5065be4c15bee193ae65d74a3066bf45

Filesize: 143KB
MD5: fe9f7b7fd16a326e40b72f2424bb9f13
SHA1: a3f40de8864d051cec6d1561192233e3a4b54463
SHA256: 3512d316332ebd399244d3fb8a0445c0d8e6be9d37d3052cdf0dc80d2bb77a0b
SHA512: 86756198db0909080eb2a6a3b5eefcabaeb59aa10db0189459af59f04c2e24fca322875c045adebc3f1c597d468c9dc71d9ff6dce916b1f891b8c3e16af7c132

Filesize: 57B
MD5: b658c06c14ff523bce634e14236c9441
SHA1: aa15105fc5cbee478303c5a1d8814a88197573be
SHA256: 29633ff726d1c72f895545fd97d546035e7045a046b3d2888ff0950e67b8eb82
SHA512: 3326a97db218aa09814e80317c1150f8a6808e8b6aab07af27c8126688b30964cc85936940d310c1d4d6190c49eaa01ee51d598775ec8c156676bbfd53f8f4cc

Filesize: 13KB
MD5: dac03d8ae64830f85b1c1908f644df8b
SHA1: eb90bbaa87304bfab50d482ba940736a536cbac0
SHA256: ff611cc994745cf92504512e18724b54f7062e5db79fcff2d695f97f49688ad8
SHA512: 9e803e6891f0fcb58e33dbb88099a418793b9312d0ad63223268a2059ed922e14b2be715d9e25ba7c9bc04f05fb084ceb14e212683778283c1bf705bc17648f0

Filesize: 726KB (this entry appears twice in the report)
MD5: 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1: 6b244d708706441095ae97294928967ddf28432b
SHA256: 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512: 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741