Analysis

max time kernel: 148s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 19/12/2022, 11:40

Static task: static1
Behavioral task: behavioral1
Sample: c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe
Resource: win10v2004-20221111-en
General

Target: c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe
Size: 1.1MB
MD5: 8a4cb873c04ffe6859dd5bb381fed9b2
SHA1: c71cb06097a8172057c7dd0ca61c27e164c1939a
SHA256: c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029
SHA512: 352510a901636c9880afea8bdb1b9a8da63bed989b959ef1a560ec6baf59ea09ada9b04f853a838938510507b0d4d3aab484b46876a9801d7f9b138af7bd0fbd
SSDEEP: 24576:cV/Gyl0a5nGoVsJIsk/DVdmsbzK8+2HDE0j1D3W9:u1F5nnsJvk/Tmsb2sHB7W9
Malware Config
Signatures
Blocklisted process makes network request 4 IoCs
flow | pid | Process
11 | 3324 | rundll32.exe
12 | 3324 | rundll32.exe
42 | 3324 | rundll32.exe
44 | 3324 | rundll32.exe
Sets DLL path for service in the registry 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\close_x.dll" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\close_x.dll܀" | rundll32.exe
Sets service image path in registry 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService搀" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService輀" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService\ue800" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\close_x\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService䐀" | rundll32.exe
Loads dropped DLL 3 IoCs
pid | Process
3324 | rundll32.exe
3172 | svchost.exe
3660 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3324 set thread context of 1664 | 3324 | rundll32.exe | 88
Drops file in Program Files directory 45 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Search.api | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\close_x.dll | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\info.gif | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\CPDF_RHP.aapp | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\AiodLite.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close2x.png | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Home.aapp | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Close2x.png | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-win.css | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\ACE.dll | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions2x.png | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\selection-actions2x.png | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Measure.aapp | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\manifest.json | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\application.ini | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pages_R_RHP.aapp | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\SaveAsRTF.api | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css | rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
pid | pid_target | Process | procid_target
672 | 4712 | WerFault.exe | 77
Checks processor information in registry 2 TTPs 58 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Modifies registry class 5 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe

Modifies system certificate store 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3D05943EB8D18FA5315E1FB33F02E63247EB567E | rundll32.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3D05943EB8D18FA5315E1FB33F02E63247EB567E\Blob = 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 | rundll32.exe
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
3172 | svchost.exe
3172 | svchost.exe
3324 | rundll32.exe
3324 | rundll32.exe
3324 | rundll32.exe
3324 | rundll32.exe
3324 | rundll32.exe
3324 | rundll32.exe
3324 | rundll32.exe
3324 | rundll32.exe
3172 | svchost.exe
3172 | svchost.exe
3172 | svchost.exe
3172 | svchost.exe
3172 | svchost.exe
3172 | svchost.exe
3172 | svchost.exe
3172 | svchost.exe
3172 | svchost.exe
3172 | svchost.exe
3172 | svchost.exe
3172 | svchost.exe
3172 | svchost.exe
3172 | svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3324 | rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1664 | rundll32.exe
3324 | rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 4712 wrote to memory of 3324 | 4712 | c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe | 78
PID 4712 wrote to memory of 3324 | 4712 | c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe | 78
PID 4712 wrote to memory of 3324 | 4712 | c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe | 78
PID 3324 wrote to memory of 1664 | 3324 | rundll32.exe | 88
PID 3324 wrote to memory of 1664 | 3324 | rundll32.exe | 88
PID 3324 wrote to memory of 1664 | 3324 | rundll32.exe | 88
PID 3172 wrote to memory of 3660 | 3172 | svchost.exe | 92
PID 3172 wrote to memory of 3660 | 3172 | svchost.exe | 92
PID 3172 wrote to memory of 3660 | 3172 | svchost.exe | 92
PID 3324 wrote to memory of 2140 | 3324 | rundll32.exe | 94
PID 3324 wrote to memory of 2140 | 3324 | rundll32.exe | 94
PID 3324 wrote to memory of 2140 | 3324 | rundll32.exe | 94
PID 3324 wrote to memory of 1616 | 3324 | rundll32.exe | 96
PID 3324 wrote to memory of 1616 | 3324 | rundll32.exe | 96
PID 3324 wrote to memory of 1616 | 3324 | rundll32.exe | 96

outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe

outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Processes
(indentation shows the parent/child tree; each entry gives the image path, PID, command line and the signatures that fired in that process)

C:\Users\Admin\AppData\Local\Temp\c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe (PID 4712)
    command line: "C:\Users\Admin\AppData\Local\Temp\c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe (PID 3324)
        command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
        - Blocklisted process makes network request
        - Sets DLL path for service in the registry
        - Sets service image path in registry
        - Loads dropped DLL
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Checks processor information in registry
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        - outlook_office_path
        - outlook_win_path

        C:\Windows\system32\rundll32.exe (PID 1664)
            command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23949
            - Modifies registry class
            - Suspicious use of FindShellTrayWindow

        C:\Windows\SysWOW64\schtasks.exe (PID 2140)
            command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

        C:\Windows\SysWOW64\schtasks.exe (PID 1616)
            command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

    C:\Windows\SysWOW64\WerFault.exe (PID 672)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 536
        - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 4744)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4712 -ip 4712

C:\Windows\System32\rundll32.exe (PID 2020)
    command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\svchost.exe (PID 3172)
    command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe (PID 3660)
        command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\close_x.dll",QgU9RQ==
        - Loads dropped DLL
        - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 726KB
MD5: b9ee2129ea48aabb9c3d65b5e0b864db
SHA1: 8c831d7b63a83af40c8d01e51243679d40dc6726
SHA256: 6752148c44e9204a63cc22d560a954aceafdccdabd18f61b588ef9fdcfeaa899
SHA512: e8309cb674f4bb73f4bc8b1b87684b8491587872f3751f08312658d70fd34bb8b93f0baf1b6e466a2c11873c6e5bfd71154ebb9187c6950a15935309d085f119

Filesize: 726KB
MD5: b9ee2129ea48aabb9c3d65b5e0b864db
SHA1: 8c831d7b63a83af40c8d01e51243679d40dc6726
SHA256: 6752148c44e9204a63cc22d560a954aceafdccdabd18f61b588ef9fdcfeaa899
SHA512: e8309cb674f4bb73f4bc8b1b87684b8491587872f3751f08312658d70fd34bb8b93f0baf1b6e466a2c11873c6e5bfd71154ebb9187c6950a15935309d085f119

Filesize: 23KB
MD5: 37cde9afb1540513bd564d71867021e0
SHA1: e319abb6093025dccc55618fb407c1182ccdafe7
SHA256: 516aa640a48752bcadbd46e4f53c0560a1cb379d5366b1c9bb4d0706d1bd040f
SHA512: 6746350447a6a0424c90571c7cc3442d34af0cb16fa1459bb76b25423f165f474073f1d359462cb805ac376a9d069236d6b7a796332c27253a4807f691292881

Filesize: 9KB
MD5: 2693cb4d0d47298d60c5b4210d567e56
SHA1: 20b67bce8310a93c5756d83d13febdcaff5f3b39
SHA256: d98dec16b13c3e4a23823be0bcd45f685c6dc690ae28954c0c18075e77898f20
SHA512: 034cb9620ea7f9aa793ad8e0c8e30b11244e7952d871d1f8cbb1ff6daa765fd9afc2a54f221f0a323511f4aa7b985ff61c2f0b983668c7e390f3f99699dc89c9

Filesize: 27KB
MD5: e9ed7134ebf28fea3f7aa5691a28438a
SHA1: ea1e55c279ed9f8dae333ae436204d8d67d46adf
SHA256: 8fe0a353ce49d8bf91b019174a72f92c70870d8215b3afa565a01eb041569e28
SHA512: 535d34d3e428d421793e147e8bf1e344e9a2da449ce25103bf4d72c7b421db429304d5eaebbe305ac566b4b172984677885dcab2aa118441a3df38c57fd04dd9

Filesize: 1KB
MD5: d23cf0da0462ecbb77509f23f26edc57
SHA1: b0a3353089a1c174a092e7a791d286bb28bb764c
SHA256: 9fc823530ff0f81c7064fb67d0f6932ad735897a2f5479a8f1d298075b04817f
SHA512: a113d35757e4abebede230ca695b2163f44910bdca6253ad65d3649ab1cdaa16da966f01dc1c85d782ed775757915c130e39d6aa008ff5b926674ac353d23dff

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\DiagnosticLogCSP_Collector_DeviceProvisioning_2022_11_11_13_34_6.etl
Filesize: 256KB
MD5: 1fe0d68375877cabfccb619d9d4ab43f
SHA1: cf193c9d2867df41dcccb8f6aabf425dffb509eb
SHA256: 0cb5476c09391a9aa162dab319070f54ad3befb8cb202acfd274613985912aea
SHA512: 51370046f065ae8b86afe3cc5f0ec7e71b13d6bc3272db4bf16924cbdfdc126e5b10399055756234e776a44a0449d2d1554ca0097e7d72790713ca618fdc7ec1

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe.xml
Filesize: 7KB
MD5: f4b603547f83e5cb97e4ad4538aac812
SHA1: c225c8c582ad9fdd9e81291fcb4af711deb92508
SHA256: 268d79fcfc4de72faeb0433e371176fedcfc0c33b0c9484b02c9936c3c6d4218
SHA512: d285740008ed9e6dbfc4284dfb5418e130f1eb4b2fb758fb2f8e86e0c5c557e050b415eaa66858c37cd95ddfd4ed6a40be77a333f254ec142982d2e3f3cc37cf

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize: 913B
MD5: 1600f66ce0d9c342eb6a49155a2f8c14
SHA1: e13fdac3eb45a9d47f965b2f2cf7f2ff4893af07
SHA256: 8dcf324dfacd70d3e32cd9423bf9067f3cbc50929dee5154bdaa531c84a9dc27
SHA512: ed27ee001fefa4d7ae3ab0fe2cb1059f277692eb0b6fddb6092467ec67cfdacc3db2252e8700095ccaf503e7ca0c7942771614b1b2a0b800fd27daa30ebb5b00

Filesize: 1KB
MD5: 4b6a6960b925c7bd5b83d8a4196e24e4
SHA1: f1bb8a50ffb8cce0804db90d2e3ecdbbbe3f460b
SHA256: 5f45e2be37f33052a97235462325f5ae32d3713bdaa6eeeea49e92f0e9fc6ed0
SHA512: 21f420212c86df357ad83079876d969bab0d089ac506d3dcfb1cfcb134f118a741491454e79538bf5c8d4d2b2ab1fc14d07d0cc3f263874396bd9546bf3b71b1

Filesize: 2.3MB
MD5: fbdd6a9ef07c99e35a1c8e5db6b4cfc7
SHA1: 6af5ca47ff3ccf080cd2ccd7f95697660edccfb3
SHA256: f66ceb064373b3cdac7da9bb32b15622d03b17ca9d658950d50435358e394cd9
SHA512: c84d726d7e5ec609913c2e58c4b75528f80466ab614aa16167b0f91f48e4102c1a5943ff68b6b2cd6229d30ef95ae82a028ab1b5036d1410dd1e485f6dcab10c

Filesize: 146KB
MD5: d054101b077a5d6ee42f48bbe0a98033
SHA1: e27de6db98d496419be668cdbb0d63693353a08a
SHA256: b44915e8ebc59eb07e1571de5dfe8e7ae87aca64b2aa64bd5aaf3ebfe06f72a8
SHA512: 364a15229a7563af5657355b3ec6838f1367f89163fa43cf835756d5b3ae7df1fbd6b577d31f275b5030f00255c2a1958c6d88b43e84b283a602931c9af1921b

Filesize: 110KB
MD5: 589ff0b7d4d0d3fced65c3eae6559657
SHA1: 4be3e4221a429b347888bbe3635e377271974c7f
SHA256: 0e96c027d23a57e95103d1b64e4c5b8a153402f05b756dfcb737459476aaae35
SHA512: 4a12bac3f61964d6c5608bbb9067d7673cd5e5a22463f6d16f402954045692f43ef1ea32d405f452d415c859c30b217e9d250a1c5c85cfd629bd393824b6523b

Filesize: 726KB
MD5: 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1: 6b244d708706441095ae97294928967ddf28432b
SHA256: 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512: 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Filesize: 726KB
MD5: 6ea8a6cc5fed6c664df1b3ef7c56b55d
SHA1: 6b244d708706441095ae97294928967ddf28432b
SHA256: 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA512: 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Filesize: 726KB
MD5: b9ee2129ea48aabb9c3d65b5e0b864db
SHA1: 8c831d7b63a83af40c8d01e51243679d40dc6726
SHA256: 6752148c44e9204a63cc22d560a954aceafdccdabd18f61b588ef9fdcfeaa899
SHA512: e8309cb674f4bb73f4bc8b1b87684b8491587872f3751f08312658d70fd34bb8b93f0baf1b6e466a2c11873c6e5bfd71154ebb9187c6950a15935309d085f119