Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2022 14:50
Static task: static1
Behavioral task: behavioral1
- Sample: 37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34.exe
- Resource: win10v2004-20221111-en
General
- Target: 37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34.exe
- Size: 1.1MB
- MD5: 8f4070594e2008388c46be164a59d9ae
- SHA1: bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69
- SHA256: 37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34
- SHA512: 2897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8
- SSDEEP: 24576:D4MwERrcsuCg2luv/4QwWU7kTV4t83ZUcwFP:MhMcsBl2whOHUDFP
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)
Processes: rundll32.exe
- flow 10, PID 1252, rundll32.exe
- flow 11, PID 1252, rundll32.exe
- flow 42, PID 1252, rundll32.exe
- flow 44, PID 1252, rundll32.exe
Sets DLL path for service in the registry (2 TTPs, 2 IoCs)
Processes: rundll32.exe
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Compare_R_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Compare_R_RHP..dll츀" (rundll32.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Compare_R_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Compare_R_RHP..dll" (rundll32.exe)
Sets service image path in registry (2 TTPs, 2 IoCs)
Processes: rundll32.exe
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Compare_R_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" (rundll32.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Compare_R_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService\uff00" (rundll32.exe)
Loads dropped DLL (3 IoCs)
Processes: rundll32.exe, svchost.exe, rundll32.exe
- PID 1252, rundll32.exe
- PID 3912, svchost.exe
- PID 2660, rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes: rundll32.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (rundll32.exe)
Accesses Microsoft Outlook profiles (1 TTPs, 4 IoCs)
Processes: rundll32.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (rundll32.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoCs)
Processes: rundll32.exe
- PID 1252 (rundll32.exe) set thread context of PID 3676 (rundll32.exe)
Drops file in Program Files directory (49 IoCs)
Processes: rundll32.exe (all entries below)
- File opened for modification: C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll
- File opened for modification: C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Onix32.dll
- File created: C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner_int.gif
- File created: C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-57x57-precomposed.png
- File created: C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_parcel_generic_32.svg
- File opened for modification: C:\Program Files\7-Zip\Lang\be.txt
- File opened for modification: C:\Program Files\7-Zip\Lang\el.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb_new.png
- File created: C:\Program Files (x86)\WindowsPowerShell\Modules\Compare_R_RHP..dll
- File created: C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef.css
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png
- File created: C:\Program Files (x86)\WindowsPowerShell\Modules\chrome_elf.dll
- File opened for modification: C:\Program Files\7-Zip\Lang\bg.txt
- File opened for modification: C:\Program Files\7-Zip\descript.ion
- File opened for modification: C:\Program Files\7-Zip\Lang\gu.txt
- File opened for modification: C:\Program Files\7-Zip\7z.exe
- File created: C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_sent.gif
- File opened for modification: C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll
- File opened for modification: C:\Program Files\Mozilla Firefox\browser\features\[email protected]
- File opened for modification: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
- File opened for modification: C:\Program Files\7-Zip\Lang\en.ttt
- File opened for modification: C:\Program Files\7-Zip\Lang\hi.txt
- File opened for modification: C:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png
- File created: C:\Program Files (x86)\WindowsPowerShell\Modules\stopwords.ENU
- File opened for modification: C:\Program Files\Mozilla Firefox\firefox.exe
- File opened for modification: C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll
- File opened for modification: C:\Program Files\7-Zip\Lang\ext.txt
- File opened for modification: C:\Program Files\7-Zip\Lang\az.txt
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg
- File created: C:\Program Files (x86)\WindowsPowerShell\Modules\DefaultID.pdf
- File opened for modification: C:\Program Files\7-Zip\7-zip.chm
- File opened for modification: C:\Program Files\7-Zip\Lang\es.txt
- File opened for modification: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig
- File opened for modification: C:\Program Files\Mozilla Firefox\browser\features\[email protected]
- File created: C:\Program Files (x86)\WindowsPowerShell\Modules\Onix32.dll
- File created: C:\Program Files (x86)\WindowsPowerShell\Modules\Search.api
- File created: C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook.png
- File opened for modification: C:\Program Files\Mozilla Firefox\IA2Marshal.dll
- File opened for modification: C:\Program Files\7-Zip\History.txt
- File opened for modification: C:\Program Files\7-Zip\Lang\ca.txt
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoCs)
Processes: WerFault.exe
- PID 956 (WerFault.exe), target PID 4924 (37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34.exe)
Checks processor information in registry (2 TTPs, 64 IoCs)
Processor information is often read in order to detect sandboxing environments.
Modifies registry class (5 IoCs)
Processes: rundll32.exe
- Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings (rundll32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell (rundll32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (rundll32.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (rundll32.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (rundll32.exe)
Modifies system certificate store
Processes: rundll32.exe
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\77586E43F2CE4501CEB1C82DF3A5F33166C60C82\Blob = [certificate blob not reproduced] (rundll32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\77586E43F2CE4501CEB1C82DF3A5F33166C60C82 (rundll32.exe)
Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes: svchost.exe, rundll32.exe
- PID 3912, svchost.exe (18 entries)
- PID 1252, rundll32.exe (8 entries)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: rundll32.exe
- Token: SeDebugPrivilege, PID 1252, rundll32.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: rundll32.exe, rundll32.exe
- PID 3676, rundll32.exe
- PID 1252, rundll32.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34.exe, rundll32.exe, svchost.exe
- PID 4924 (37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34.exe) wrote to memory of PID 1252 (rundll32.exe), 3 entries
- PID 1252 (rundll32.exe) wrote to memory of PID 3676 (rundll32.exe), 3 entries
- PID 3912 (svchost.exe) wrote to memory of PID 2660 (rundll32.exe), 3 entries
- PID 1252 (rundll32.exe) wrote to memory of PID 5112 (schtasks.exe), 3 entries
- PID 1252 (rundll32.exe) wrote to memory of PID 3944 (schtasks.exe), 3 entries
outlook_office_path (1 IoCs)
Processes: rundll32.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
outlook_win_path (1 IoCs)
Processes: rundll32.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34.exe"
  PID: 4924
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
    PID: 1252
    Signatures:
    - Blocklisted process makes network request
    - Sets DLL path for service in the registry
    - Sets service image path in registry
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23949
      PID: 3676
      Signatures:
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 5112
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      PID: 3944
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 536
    PID: 956
    Signatures:
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4924 -ip 4924
  PID: 1300
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4228
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  PID: 3912
  Signatures:
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\compare_r_rhp..dll",fWMaODJGQQ==
    PID: 2660
    Signatures:
    - Loads dropped DLL
    - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\WindowsPowerShell\Modules\Compare_R_RHP..dll
  Filesize: 726KB
  MD5: c9c39a86b314df57c332445236d1dc43
  SHA1: d67ce9db6189ee6367179a0d80cc316a747d29c0
  SHA256: e5d2038a55d04e9d32dbcc5b754c61f53b22e0ff213cd184545541edfbfae4ab
  SHA512: d0a2eaf0ada9e2ff7c9d518b2cdb353fbc9f732a64e6bd287ddb92f6c9b4169e46f65fdd9f651f0337dd70ac130f94acfbadd754d191ebae2cc33945db8fa46a
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml
  Filesize: 109KB
  MD5: 1ff29aea22999055b5c3dda5785a807c
  SHA1: cd93580b22754e44c6fda2b1127bf6539deea0c6
  SHA256: a738adb72546d0ea134a20abe3adbeb8bc6c7b90d04cc72d2f217c154c83ce11
  SHA512: ab28afe92584956fd6656d05a9e910bf45312b2f7b23e97ab92e4a95ae014300c16a509c1e81dc18c7e180cf9c6a74a2146cf0b53083a4d9c99c0eb97b0323c5
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.Proof.Culture.msi.16.en-us.xml
  Filesize: 25KB
  MD5: c61439f60c39268b94a18e5d51f0b26e
  SHA1: 4ee213d4f4438b2fd8841bcb7ee07ca0f4742b3a
  SHA256: 06bc78753a1130463805f6ee03e1c2fe991e04d14e02ad852e8f857c43e24213
  SHA512: 88310fcea8cfa7fa1f028d4af3d529ef92cad0002705a5c720e5779cf465555917ac63042d999c575c22889b229e624f3da01525797dd262309d95461b75b45c
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.office32mui.msi.16.en-us.xml
  Filesize: 16KB
  MD5: ada34b241139f06addc86a9e8d1108f0
  SHA1: 909a92a4e970ae4edcfc365a119d4f4410b0bcf6
  SHA256: 3069814db0a03ed2ce383cb97739d07545d3b67a2b532d9c07d0d5aa3c6a4f3a
  SHA512: 2797c6087798660773cfa65f002a4232d75c8b8f787deb12364af683653b41de411ca2de54be1aa86356ba3b6203775c9afaedd513ad33c26f273047f87537a0
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
  Filesize: 2.3MB
  MD5: 350dab619d466050e7566f1b82993d58
  SHA1: 5da8f090da73d529b8ce455857228cad4323afc6
  SHA256: 8785b195b76b12c1257e19accc028385aba6742e7f8bf9a431c51b3f97711b41
  SHA512: f048153e1560501a9ef381f5e6231f3af730ca2b8d6d606ae1f835f50226cd0a3aa1c0ed72264152ef62684f69b100f954998c4681cd5d9103e41f11e55912b4
- C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\stream.x64.en-us.dat.cat
  Filesize: 109KB
  MD5: 2800ad935a91f65e3a39d28d7ec8b12b
  SHA1: 2e87ae6f577e833894abaa85117f29fd8c2178db
  SHA256: 7a9e9a26077199809f7a69d4486b58d98b5b972a2652084de0e212bc070410bd
  SHA512: 3564cdd0ff8efd862f6f3e123f8a5990d255bf735ee7eed3d622ecd40dfe53b9e1ae0c623a9d0036ca73e24a7c4f91b9a0174129084536362d23b10e6c730dff
- C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
  Filesize: 726KB
  MD5: 6ea8a6cc5fed6c664df1b3ef7c56b55d
  SHA1: 6b244d708706441095ae97294928967ddf28432b
  SHA256: 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
  SHA512: 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741
- \??\c:\program files (x86)\windowspowershell\modules\compare_r_rhp..dll
  Filesize: 726KB
  MD5: c9c39a86b314df57c332445236d1dc43
  SHA1: d67ce9db6189ee6367179a0d80cc316a747d29c0
  SHA256: e5d2038a55d04e9d32dbcc5b754c61f53b22e0ff213cd184545541edfbfae4ab
  SHA512: d0a2eaf0ada9e2ff7c9d518b2cdb353fbc9f732a64e6bd287ddb92f6c9b4169e46f65fdd9f651f0337dd70ac130f94acfbadd754d191ebae2cc33945db8fa46a
- memory/1252-132-0x0000000000000000-mapping.dmp
- memory/1252-143-0x0000000004B10000-0x0000000004C50000-memory.dmp (Filesize: 1.2MB)
- memory/1252-145-0x0000000004B10000-0x0000000004C50000-memory.dmp (Filesize: 1.2MB)
- memory/1252-139-0x00000000042E0000-0x0000000004A05000-memory.dmp (Filesize: 7.1MB)
- memory/1252-144-0x0000000004B10000-0x0000000004C50000-memory.dmp (Filesize: 1.2MB)
- memory/1252-138-0x00000000042E0000-0x0000000004A05000-memory.dmp (Filesize: 7.1MB)
- memory/1252-149-0x0000000004B89000-0x0000000004B8B000-memory.dmp (Filesize: 8KB)
- memory/1252-142-0x0000000004B10000-0x0000000004C50000-memory.dmp (Filesize: 1.2MB)
- memory/1252-140-0x0000000004B10000-0x0000000004C50000-memory.dmp (Filesize: 1.2MB)
- memory/1252-141-0x0000000004B10000-0x0000000004C50000-memory.dmp (Filesize: 1.2MB)
- memory/1252-152-0x00000000042E0000-0x0000000004A05000-memory.dmp (Filesize: 7.1MB)
- memory/2660-161-0x0000000000000000-mapping.dmp
- memory/2660-165-0x0000000003DA0000-0x00000000044C5000-memory.dmp (Filesize: 7.1MB)
- memory/2660-164-0x0000000003DA0000-0x00000000044C5000-memory.dmp (Filesize: 7.1MB)
- memory/3676-147-0x0000014B9A050000-0x0000014B9A190000-memory.dmp (Filesize: 1.2MB)
- memory/3676-151-0x0000014B98680000-0x0000014B988AA000-memory.dmp (Filesize: 2.2MB)
- memory/3676-150-0x0000000000350000-0x0000000000569000-memory.dmp (Filesize: 2.1MB)
- memory/3676-148-0x0000014B9A050000-0x0000014B9A190000-memory.dmp (Filesize: 1.2MB)
- memory/3676-146-0x00007FF7AE4F6890-mapping.dmp
- memory/3912-163-0x0000000003B80000-0x00000000042A5000-memory.dmp (Filesize: 7.1MB)
- memory/3912-156-0x0000000003B80000-0x00000000042A5000-memory.dmp (Filesize: 7.1MB)
- memory/3912-168-0x0000000003B80000-0x00000000042A5000-memory.dmp (Filesize: 7.1MB)
- memory/3944-167-0x0000000000000000-mapping.dmp
- memory/4924-135-0x0000000002267000-0x000000000233D000-memory.dmp (Filesize: 856KB)
- memory/4924-136-0x00000000023B0000-0x00000000024C5000-memory.dmp (Filesize: 1.1MB)
- memory/4924-137-0x0000000000400000-0x0000000000517000-memory.dmp (Filesize: 1.1MB)
- memory/5112-166-0x0000000000000000-mapping.dmp