Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
20/12/2022, 10:30
Static task
static1
Behavioral task
behavioral1
Sample
4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912.exe
Resource
win10v2004-20221111-en
General
-
Target
4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912.exe
-
Size
1.1MB
-
MD5
be1369ec379e0ec8dd84be3d5a26ac00
-
SHA1
ee6832ff5c366b22291778d8c314f0d4ec6b1225
-
SHA256
4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912
-
SHA512
4b1546ac4017772a97d5c16be5be988ce31f64161a4df2ed39d4fcab6590616f8268f8cc3d193a9b50c0ebecf7505a445554a5897dd5ff29f1eda6437194b171
-
SSDEEP
24576:TuVphQcMt0PVCry56Ck+ghSeqNXT2v1fxOdmpCWYLkur4+g:TCpTBsNCMfZ1fgdZwX
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
flow pid Process 9 736 rundll32.exe 10 736 rundll32.exe 37 736 rundll32.exe 39 736 rundll32.exe -
Sets DLL path for service in the registry 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Certificates_R.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Certificates_R..dllȀ" rundll32.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Certificates_R.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Certificates_R..dll\u2000" rundll32.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Certificates_R.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Certificates_R..dll" rundll32.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Certificates_R.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" rundll32.exe -
Loads dropped DLL 3 IoCs
pid Process 736 rundll32.exe 4652 svchost.exe 4348 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts rundll32.exe -
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 736 set thread context of 4052 736 rundll32.exe 90 -
Drops file in Program Files directory 39 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\natives_blob.bin rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforcomments.svg rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\reader_sl.exe rundll32.exe File opened for modification C:\Program Files\7-Zip\Lang\et.txt rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\MoreTools.aapp rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\EPDF_RHP.aapp rundll32.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt rundll32.exe File opened for modification C:\Program Files\7-Zip\Lang\id.txt rundll32.exe File opened for modification C:\Program Files\7-Zip\Lang\az.txt rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\DataMatrix.pmp rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Certificates_R..dll rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\sendforcomments.svg rundll32.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\chrome_elf.dll rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Spelling.api rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\review_browser.gif rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\LICENSE.txt rundll32.exe File opened for modification C:\Program Files\7-Zip\Lang\af.txt rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\close_x.png rundll32.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\blocklist.xml rundll32.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\QuickTime.mpp rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\sqlite.dll rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-win8.css rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_RHP.aapp rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\AppCenter_R.aapp rundll32.exe File opened for modification C:\Program Files\7-Zip\7zG.exe rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2280 2124 WerFault.exe 80 -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision svchost.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 svchost.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe -
Modifies registry class 5 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots rundll32.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\44F436AE0002C0761CC5EDF3E1C0B46FD4DB2B46 rundll32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\44F436AE0002C0761CC5EDF3E1C0B46FD4DB2B46\Blob = 03000000010000001400000044f436ae0002c0761cc5edf3e1c0b46fd4db2b462000000001000000d1020000308202cd30820236a00302010202085b08a5d71d18dfbe300d06092a864886f70d01010b0500307e313d303b06035504030c344d6163726f736f66742054696d65205374616d7020526f6f7420436572746966696361746520417574686f726974792032303134311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e64301e170d3230313232303131333232385a170d3234313231393131333232385a307e313d303b06035504030c344d6163726f736f66742054696d65205374616d7020526f6f7420436572746966696361746520417574686f726974792032303134311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e6430819f300d06092a864886f70d010101050003818d0030818902818100da9cdf2aa294750260624a7bfacfe8d4ad365248b2769992d54f4c245cb61a08be3f1ea184e76b2522e327204996a28a5345193158abb05334714e06b4b789114e52450abcd8f90128f113a103588744340aefffd90fc38e380b05230493bfcac563d9b55602e7400ed72c6bc040cb671920c2e83c24136ba4a5d1941a452ac90203010001a3543052300f0603551d130101ff040530030101ff303f0603551d110438303682344d6163726f736f66742054696d65205374616d7020526f6f7420436572746966696361746520417574686f726974792032303134300d06092a864886f70d01010b050003818100202181123caa1d3b6174eb171d999f2cf8cb48e8a284e01a43c4d4eb4e98236a7068ff00cb9b2ae7fe1ffcca90566e42491b0a8993f9ba2d3e11cadd414bdbee78ed5ca10b0baed4a099f18d4bbca280eabc3f5167ad5f7c60dc6f917576949f319a19e44cfa03208695b6000e55b9831c6b33c4e2270db299e9d7367dd11beb rundll32.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 4652 svchost.exe 4652 svchost.exe 736 rundll32.exe 736 rundll32.exe 736 rundll32.exe 736 rundll32.exe 736 rundll32.exe 736 rundll32.exe 736 rundll32.exe 736 rundll32.exe 4652 svchost.exe 4652 svchost.exe 4652 svchost.exe 4652 svchost.exe 4652 svchost.exe 4652 svchost.exe 4652 svchost.exe 4652 svchost.exe 4652 svchost.exe 4652 svchost.exe 4652 svchost.exe 4652 svchost.exe 4652 svchost.exe 4652 svchost.exe 4652 svchost.exe 4652 svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 736 rundll32.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4052 rundll32.exe 736 rundll32.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2124 wrote to memory of 736 2124 4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912.exe 81 PID 2124 wrote to memory of 736 2124 4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912.exe 81 PID 2124 wrote to memory of 736 2124 4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912.exe 81 PID 736 wrote to memory of 4052 736 rundll32.exe 90 PID 736 wrote to memory of 4052 736 rundll32.exe 90 PID 736 wrote to memory of 4052 736 rundll32.exe 90 PID 4652 wrote to memory of 4348 4652 svchost.exe 94 PID 4652 wrote to memory of 4348 4652 svchost.exe 94 PID 4652 wrote to memory of 4348 4652 svchost.exe 94 PID 736 wrote to memory of 4736 736 rundll32.exe 96 PID 736 wrote to memory of 4736 736 rundll32.exe 96 PID 736 wrote to memory of 4736 736 rundll32.exe 96 PID 736 wrote to memory of 4600 736 rundll32.exe 98 PID 736 wrote to memory of 4600 736 rundll32.exe 98 PID 736 wrote to memory of 4600 736 rundll32.exe 98 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912.exe"C:\Users\Admin\AppData\Local\Temp\4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:736 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 141243⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4052
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:4736
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:4600
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 5282⤵
- Program crash
PID:2280
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2124 -ip 21241⤵PID:5116
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1296
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\certificates_r..dll",rWFMT3AyQg==2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4348
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
797KB
MD563fdacce53633c0023a65b9557f837b4
SHA16475a5b1050166bbaa40e4ea665093da32b46073
SHA256702a7269c90cec81ff1c548109e4b3274463c9d58940c88e1bb63c933f13c003
SHA512878cb01b7433dfe579dfee9146754fa4bdbdd72e7ba0dcb883ede588dd8fe73aeffbc16ca46e227b62489363328c3c03f39ccad7123fa33db725d6a311236549
-
Filesize
797KB
MD563fdacce53633c0023a65b9557f837b4
SHA16475a5b1050166bbaa40e4ea665093da32b46073
SHA256702a7269c90cec81ff1c548109e4b3274463c9d58940c88e1bb63c933f13c003
SHA512878cb01b7433dfe579dfee9146754fa4bdbdd72e7ba0dcb883ede588dd8fe73aeffbc16ca46e227b62489363328c3c03f39ccad7123fa33db725d6a311236549
-
Filesize
2.3MB
MD5945f0c08be6f3fca2469775218ca24ee
SHA11c7ebb81f10582b539a80db91042ebe9c57697f9
SHA25610964c29f39f6cc0745b737fcf1a41298b93b3ea15cbadf80a26bd63486e7f46
SHA5121937b18659657b38edc7c12ac374b491f1448daf9c24e204a64acfb61d53748aacc1e592c890920f66a048a51a2250c84d3d2527ffddf27b27b28eef3b8f40ad
-
Filesize
2.3MB
MD5945f0c08be6f3fca2469775218ca24ee
SHA11c7ebb81f10582b539a80db91042ebe9c57697f9
SHA25610964c29f39f6cc0745b737fcf1a41298b93b3ea15cbadf80a26bd63486e7f46
SHA5121937b18659657b38edc7c12ac374b491f1448daf9c24e204a64acfb61d53748aacc1e592c890920f66a048a51a2250c84d3d2527ffddf27b27b28eef3b8f40ad
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.AsyncTextService_10.0.19041.1023_neutral__8wekyb3d8bbwe.xml
Filesize2KB
MD52240070d6603ab019cd125005cf38b7b
SHA1ca96d028f51a7d5ec16630b48935f26c72794b0a
SHA2567b3b1b641ebbda5397a11af86cb347b0f644ab439341c62b1c81d6990e6f75bc
SHA51295c6f48f717d9103d30c31e00b7ff3a0d235693a8fffed772c0a0c39107bf3003ac84d6c78e2af566d91a88fa523dcc2c523dcc707d19fc77799832d548f330c
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe.xml
Filesize16KB
MD54194b927b32c56bb3a5ed72c164c917e
SHA1ec60c6bb8b2d0181408c65b3456b7b3b92cca134
SHA25686d065b6d87309122e9fce9b960f5d56a45dfcdd83122a4225ed9fd3136320d8
SHA512c94baa6f849bb048e572667e19268754efc58bce6673373db9817c729b36acbfd0bb30975a441f2a5cd16e00be97db412dd82f1669c1701004a1e27307f75c1d
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe.xml
Filesize5KB
MD51944801cae061223e36fcce6aed6bfba
SHA1b465c53f3e6ae74fac368f36cbfc5842ce085e14
SHA256b903a7f4408a27d0b7a7c6316d04952508d67058216dffeca4293c9352727959
SHA51282b0e3b1105a5d802839c3ea78b4e2dd800b819ee678d016b2f47203ceb27a638d195909ec1d0efbf46edbf910409d7ab4a05146fc902ef335b36bf14339498f
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe.xml
Filesize6KB
MD57e913c1a399dd176eea1bb8f2be26268
SHA16be9a44820ffbabb10202af890da00c9aa2dfec2
SHA2565295393602a18f301613c7160e24f88816070a41cf69b32c821b6d3858541b4a
SHA512dc52de8489f586081c246a297a35987eb7f74e122f475df88cfdc683787fe532e609db3b43915c73f7f172e1a4fc13efacd1b52252d1041e5c8f4dd190009105
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
Filesize827B
MD5ded8a0ae2ade3e3cab8bfbfea00b969f
SHA173752c78795a78ef3b742ad41737959e6f51ee42
SHA256ffc4b3afeec6909f2b6e167d903c624448bb8b5e3540142a0a762953dc758c85
SHA5123c687dd555e18bfc59bc544bcaae9f27d7eae55aae62c8f6517e263052f72d1679b097cc02faa6514a3a03619b23910ba78af3b3955cf3fe79d2c1f7e8aca72a
-
Filesize
12KB
MD5d24bea7d3b999f28e375d1d061a03d97
SHA195b207708762aa4752c77728128cbe3033646204
SHA25657184b71b7d7525fbd75b1dda77bd26a5344b5cbd58ec5070fa5e1b4e073aef2
SHA5123d3f06cd59a5bf8e9284ed1972a373ac1c63b0cba997d9559834db748ec41a90e42650d0ba05bf351456c2de12970f79d2d34f7a6c6445d2e55812682a5b406e
-
Filesize
444B
MD506a26bd9a786dfd815b92d9f149ac770
SHA1c5532598867b39bc635399b7845691a04209abb2
SHA256cf0120016fbb22ffae5cdc3e3995c4b5908d09c0fa759058abfd0cdba04d18c9
SHA512b856b25525f39f2c3d99e7e954e672ce732408a37f5ea0f85099a30808917b6dd0e046b7a3e29a08f949bc6bab7b05f9182c9620db5f40f210fe5d64d296c5e5
-
Filesize
1KB
MD536b733e882d091355ffdd2b0a3286888
SHA10043a974ebd90d802e8cc5e04b5cefc980d03292
SHA256f83662badfaa62797f925aa8292852be5351d3e641d70fe22c911ee4cdf68aad
SHA512abb0df60401f74df3368e17cd8ff672dceaeef0fbeb097da659c07f2b8d756a09ada065ecb3ba7ccabbb4416817d730c13e6340ae5c6239dff31ae8b81c0a10c
-
Filesize
453KB
MD596f7cb9f7481a279bd4bc0681a3b993e
SHA1deaedb5becc6c0bd263d7cf81e0909b912a1afd4
SHA256d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290
SHA512694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149
-
Filesize
28KB
MD51f93b502e78190a2f496c2d9558e069d
SHA16ae6249493d36682270c0d5e3eb3c472fdd2766e
SHA2565c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e
SHA512cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3
-
Filesize
797KB
MD524925b25552a7d8f1d3292071e545920
SHA1f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA2569931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26
-
Filesize
797KB
MD524925b25552a7d8f1d3292071e545920
SHA1f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA2569931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26
-
Filesize
797KB
MD563fdacce53633c0023a65b9557f837b4
SHA16475a5b1050166bbaa40e4ea665093da32b46073
SHA256702a7269c90cec81ff1c548109e4b3274463c9d58940c88e1bb63c933f13c003
SHA512878cb01b7433dfe579dfee9146754fa4bdbdd72e7ba0dcb883ede588dd8fe73aeffbc16ca46e227b62489363328c3c03f39ccad7123fa33db725d6a311236549