Analysis
max time kernel: 149s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-12-2022 23:20
Static task: static1
Behavioral task: behavioral1
Sample: 57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb.exe
Resource: win10v2004-20221111-en
General
Target: 57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb.exe
Size: 1.1MB
MD5: cefdeeedeae94644485f2f7b17479059
SHA1: 98875840acd3da6fd699b3b8b96aa3cfa1796580
SHA256: 57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb
SHA512: f52f8484a03dcf4d57e6f43ce46effa301ae5ab580000cd03a6d6587678c1c3a6b6ed9e289d915e342e506aa9ea46e66eec039a0db2f82d53d020bf33bb8f6c4
SSDEEP: 12288:PSnF2P2yBuTM2Hc0jRlXzSw29b7E3uhpmHuibF6Uado5tmA8Kr84go6Iw85UCR4B:3P1cMCJjnf2R7HpswkFr8vh6R4nepu
Malware Config
Signatures

Blocklisted process makes network request (4 IoCs)
Processes (flow, pid, process):
- flow 10, pid 1360, rundll32.exe
- flow 11, pid 1360, rundll32.exe
- flow 41, pid 1360, rundll32.exe
- flow 43, pid 1360, rundll32.exe
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
Processes:
- rundll32.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DirectInk\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\DirectInk.dll␀"
Sets service image path in registry (2 TTPs, 2 IoCs)
Processes:
- rundll32.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DirectInk\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"
- rundll32.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DirectInk\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService\uff00"
Loads dropped DLL (3 IoCs)
Processes (pid, process):
- 1360 rundll32.exe
- 3012 svchost.exe
- 4784 rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes:
- rundll32.exe: Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Accesses Microsoft Outlook profiles (1 TTP, 4 IoCs)
Processes:
- rundll32.exe: Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- rundll32.exe: Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- rundll32.exe: Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- rundll32.exe: Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 1360 (rundll32.exe) set thread context of PID 3664 (rundll32.exe)
Drops file in Program Files directory (49 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
Processes:
- WerFault.exe (pid 2164), target pid 4732: 57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb.exe
Checks processor information in registry (2 TTPs, 64 IoCs)
Processor information is often read in order to detect sandboxing environments.
Modifies registry class (5 IoCs)
Processes:
- rundll32.exe: Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings
- rundll32.exe: Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell
- rundll32.exe: Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
- rundll32.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
- rundll32.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Modifies system certificate store
Processes:
- rundll32.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F30B84338561702A9D7278F959A89E07BA89C6C\Blob = [hex certificate blob omitted]
- rundll32.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F30B84338561702A9D7278F959A89E07BA89C6C
Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes (pid, process, event count):
- 3012 svchost.exe (18 events)
- 1360 rundll32.exe (8 events)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- Token: SeDebugPrivilege, pid 1360, rundll32.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
- 3664 rundll32.exe
- 1360 rundll32.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (source pid/process wrote to memory of target pid/process; each pair recorded 3 times):
- 4732 57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb.exe wrote to memory of 1360 rundll32.exe
- 1360 rundll32.exe wrote to memory of 3664 rundll32.exe
- 3012 svchost.exe wrote to memory of 4784 rundll32.exe
- 1360 rundll32.exe wrote to memory of 4060 schtasks.exe
- 1360 rundll32.exe wrote to memory of 4024 schtasks.exe
outlook_office_path (1 IoC)
Processes:
- rundll32.exe: Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
Processes:
- rundll32.exe: Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
    Signatures: Blocklisted process makes network request; Sets DLL path for service in the registry; Sets service image path in registry; Loads dropped DLL; Accesses Microsoft Outlook accounts; Accesses Microsoft Outlook profiles; Suspicious use of SetThreadContext; Drops file in Program Files directory; Checks processor information in registry; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
    - C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14100
      Signatures: Modifies registry class; Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 528
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4732 -ip 4732
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  Signatures: Loads dropped DLL; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\directink.dll",giZc
    Signatures: Loads dropped DLL; Checks processor information in registry