Analysis

max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/12/2022, 12:30

Static task: static1
Behavioral task: behavioral1
Sample: f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa.exe
Resource: win10v2004-20221111-en
General

Target: f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa.exe
Size: 1.1MB
MD5: 11bccba197c0008c8d2635448a14541b
SHA1: 3d7792942e6900117547d03d6ccbeac3852e1f45
SHA256: f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa
SHA512: 5f7f0457c7b3d21322db66af1038187d91b3a300b6caa72dc2f3562c0c09dd0de67af6ce974b1c8471a03fed30936d026ac1ea4e253c9a16205edd603b936a8e
SSDEEP: 24576:7VKLpFDKsSTljEZyFfuq1OI8l1+SwFxSYhDkerKzQq/:7VUHSxQYEq1O13wFxSYhItP
Malware Config
No configuration was extracted for this sample.
Signatures

Blocklisted process makes network request 4 IoCs
flow  pid   Process
13    1916  rundll32.exe
14    1916  rundll32.exe
42    1916  rundll32.exe
44    1916  rundll32.exe
Sets DLL path for service in the registry 2 TTPs 2 IoCs
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acrobat_parcel_generic_32\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\acrobat_parcel_generic_32.dll\u0600" (rundll32.exe)
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acrobat_parcel_generic_32\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\acrobat_parcel_generic_32.dllĀ" (rundll32.exe)
Both writes come from rundll32.exe (PID 1916 in the process tree), not from services.exe, and the two recorded values differ only in a single trailing non-ASCII character after ".dll". That looks like a string written without a clean NUL terminator, so any rule that matches on this path should tolerate trailing junk. The DLL itself is the one created in the same run under C:\Program Files (x86)\WindowsPowerShell\Modules\ (see "Drops file in Program Files directory").

Sets service image path in registry 2 TTPs 1 IoCs
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acrobat_parcel_generic_32\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" (rundll32.exe)
Together with the ServiceDll value above this registers acrobat_parcel_generic_32 as an svchost-hosted service in the LocalService group. That is the persistence the process tree later shows as svchost.exe -k LocalService (PID 2104) loading the dropped DLL.
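A detection that turns the two signatures above into a rule, added here as an example and not part of the sandbox report. It parses registry set-value events in the shape this report prints them ('Set value (str) <key> = "<value>" <process>'), groups them by service name, and flags an svchost-hosted service whose ServiceDll resolves outside the Windows directory. The malicious events copy the report's values, including the junk after ".dll"; the WinHttpAutoProxySvc events are a constructed benign control, and the expansion of %SystemRoot% to C:\Windows is an assumption.

```python
"""Flag svchost-hosted services whose ServiceDll points outside the Windows directory.

Added example, not part of the sandbox report. The malicious events copy the
report's values; the WinHttpAutoProxySvc events are a constructed benign control.
"""
import re

SAMPLE_EVENTS = [
    # constructed from the report (junk after ".dll" kept as the sandbox printed it)
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acrobat_parcel_generic_32\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\acrobat_parcel_generic_32.dll\u0600" rundll32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acrobat_parcel_generic_32\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\acrobat_parcel_generic_32.dllĀ" rundll32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acrobat_parcel_generic_32\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" rundll32.exe',
    # constructed benign control: a stock svchost-hosted service with its DLL in System32
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinHttpAutoProxySvc\Parameters\ServiceDll = "%SystemRoot%\\system32\\winhttp.dll" services.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinHttpAutoProxySvc\ImagePath = "%SystemRoot%\\system32\\svchost.exe -k LocalServiceNetworkRestricted" services.exe',
]

EVENT_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<proc>\S+)$')
SERVICE_RE = re.compile(r'\\Services\\(?P<name>[^\\]+)\\(?P<rest>Parameters\\ServiceDll|ImagePath)$', re.I)
# Directories a ServiceDll is expected to live in (lower-case, trailing separator).
WINDOWS_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')


def unescape_value(raw):
    """Undo the sandbox's escaping: '\\\\' becomes one backslash, '\\uXXXX' the code point."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == '\\' and i + 1 < len(raw):
            nxt = raw[i + 1]
            if nxt == '\\':
                out.append('\\')
                i += 2
                continue
            if nxt == 'u' and re.fullmatch(r'[0-9a-fA-F]{4}', raw[i + 2:i + 6]):
                out.append(chr(int(raw[i + 2:i + 6], 16)))
                i += 6
                continue
        out.append(raw[i])
        i += 1
    return ''.join(out)


def normalize_path(value):
    """Strip trailing non-printable/non-ASCII junk and expand %SystemRoot% (assumed C:\\Windows)."""
    stripped = re.sub(r'[^\x20-\x7e]+$', '', value)
    had_junk = stripped != value
    expanded = re.sub(r'%systemroot%', r'C:\\Windows', stripped.strip(), flags=re.I)
    return expanded, had_junk


def analyze(events):
    """Return {service_name: record} for services that deserve a look."""
    services = {}
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue
        k = SERVICE_RE.search(m['key'])
        if not k:
            continue
        entry = services.setdefault(k['name'], {'process': m['proc'], 'trailing_junk': False})
        value = unescape_value(m['value'])
        if k['rest'].lower().endswith('servicedll'):
            entry['service_dll'], junk = normalize_path(value)
            entry['trailing_junk'] = entry['trailing_junk'] or junk
        else:
            entry['image_path'], _ = normalize_path(value)

    findings = {}
    for name, e in services.items():
        dll = e.get('service_dll')
        if not dll:
            continue
        hosted = 'svchost.exe -k' in e.get('image_path', '').lower()
        in_windows = dll.lower().startswith(WINDOWS_DIRS)
        if hosted and not in_windows:
            reason = 'svchost-hosted service loads a DLL outside the Windows directory'
        elif e['trailing_junk']:
            reason = 'ServiceDll value carries non-printable trailing bytes'
        else:
            continue
        findings[name] = dict(e, reason=f"{reason} (written by {e['process']})")
    return findings


if __name__ == '__main__':
    for name, f in analyze(SAMPLE_EVENTS).items():
        print(name, f['service_dll'], '|', f['reason'])
```

A ServiceDll inside System32 is not automatically clean (a legitimately named DLL can be overwritten), so the in-Windows check is a filter for this rule, not a whitelist; the writer process (rundll32.exe rather than services.exe) is the second signal worth keeping in the finding.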
Loads dropped DLL 3 IoCs
pid   Process
1916  rundll32.exe
2104  svchost.exe
1360  rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. No individual indicators are itemised for this signature.
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (rundll32.exe)

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (rundll32.exe)
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 1 IoCs
PID 1916 (rundll32.exe) set thread context of PID 1880 (procid_target 91)
PID 1880 is the rundll32.exe "shell32.dll",#61 child that 1916 spawned (see the process tree). Together with the three memory writes 1916 made into 1880 this is the create, write, redirect-thread sequence of process hollowing; the shell32 export (ordinal 61, the Run-file dialog) only provides a benign-looking host process.
Drops file in Program Files directory 38 IoCs
All 38 entries are attributed to rundll32.exe.

File created (6), all under C:\Program Files (x86)\WindowsPowerShell\Modules\:
  acrobat_parcel_generic_32.dll
  DirectInk.dll
  SaveAsRTF.api
  main-cef-win.css
  tl.gif
  LICENSE.txt

File opened for modification (32):
  C:\Program Files\7-Zip\: 7z.exe, 7z.sfx
  C:\Program Files\7-Zip\Lang\: af.txt, az.txt, be.txt, ca.txt, cs.txt, es.txt, fi.txt, fr.txt, fur.txt, ga.txt, hi.txt, hr.txt, io.txt, is.txt
  C:\Program Files\Mozilla Firefox\: firefox.exe, firefox.cfg, firefox.VisualElementsManifest.xml, crashreporter.exe, AccessibleMarshal.dll, IA2Marshal.dll, api-ms-win-core-file-l1-2-0.dll, api-ms-win-crt-conio-l1-1-0.dll
  C:\Program Files\Mozilla Firefox\browser\features\: [email protected] (two entries; the extension names were redacted during extraction)
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\: DirectInk.dll, plug_ins\SaveAsRTF.api, AcroCEF\LICENSE.txt, Tracker\tl.gif, AcroApp\ENU\Edit_R_Full.aapp, WebResources\Resource0\static\css\main-cef-win.css

The five companion files created next to acrobat_parcel_generic_32.dll carry the same names as Acrobat Reader files opened in the same run (DirectInk.dll, SaveAsRTF.api, LICENSE.txt, tl.gif, main-cef-win.css), so the dropped DLL ends up in a directory that looks like a copied Acrobat component. "Opened for modification" records the requested access, not that contents changed; this extract shows no evidence either way for the 7-Zip and Firefox files.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned rationale for this signature is "likely ransomware behaviour"; nothing else in this report supports that reading, and the service persistence, Outlook and browser profile access, and blocklisted network requests are more consistent with a loader or stealer.
Program crash 1 IoCs
pid   pid_target  Process       procid_target
2236  2912        WerFault.exe  81
The crashed process is the original sample (PID 2912). Its rundll32.exe child (PID 1916) carries the rest of the activity, so the crash does not end the chain.

Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
All 64 entries are reads under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor by rundll32.exe and svchost.exe, for both processors (\0 and \1) exposed by the VM:
  Key opened / Key enumerated: \CentralProcessor, \CentralProcessor\0, \CentralProcessor\1
  Key value enumerated: \CentralProcessor\0, \CentralProcessor\1
  Key value queried: ProcessorNameString, VendorIdentifier, Identifier, FeatureSet, Configuration Data, Component Information, Platform Specific Field 1, Update Revision, Previous Update Revision, Update Status, ~MHz
The same values are read by plenty of benign software (CPU feature and microcode checks), so this signature is context for the rest of the report rather than a detection on its own.
Modifies registry class 5 IoCs
Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings (rundll32.exe)
Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell (rundll32.exe)
Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (rundll32.exe)
Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (rundll32.exe)
Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (rundll32.exe)
These are Explorer shell-bag keys; the process tree attributes them to the injected rundll32.exe (PID 1880).

Modifies system certificate store 2 IoCs
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D860E98EFB9758940232A48C83DBE163A5F54E26 (rundll32.exe)
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D860E98EFB9758940232A48C83DBE163A5F54E26\Blob = (certificate blob not included in this extract) (rundll32.exe)
This is the machine-wide Trusted Root store; a certificate written here from rundll32.exe (PID 1916) becomes a trusted root CA for every user and service on the host. The report identifies the certificate only by its SHA-1 thumbprint (the key name), so compare it with a known-good root store baseline before deciding whether it is attacker-controlled.
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid   Process       entries
2104  svchost.exe   16
1916  rundll32.exe  8

Suspicious use of AdjustPrivilegeToken 1 IoCs
Token: SeDebugPrivilege, pid 1916, rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
1880  rundll32.exe
1916  rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs
Each row below appears three times in the report.
pid   wrote to  Process                                                                   procid_target
2912  1916      f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa.exe     82
1916  1880      rundll32.exe                                                              91
2104  1360      svchost.exe                                                               95
1916  1316      rundll32.exe                                                              97
1916  2492      rundll32.exe                                                              99
Every row is a parent writing into a child it has just created (compare the process tree), and the sandbox records the same three writes for the benign schtasks spawns, so this signature alone does not separate the injection into 1880 from ordinary process start-up. The SeDebugPrivilege adjustment and the SetThreadContext on 1880 are the discriminators.
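The correlation described above, as an added example that is not part of the report: creation edges are taken from the process tree, write and thread-context events from the two signature tables, and the three events are folded per target PID into a verdict. The PID-to-image labels are shortened for display and the event ordering is assumed; the report gives counts, not timestamps.

```python
"""Fold process creation, WriteProcessMemory and SetThreadContext into an injection verdict.

Added example, not part of the sandbox report. EVENTS is constructed from the report's
process tree (creation edges) and its signature tables; labels are shortened for display.
"""
from collections import defaultdict

SAMPLE = 'f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa.exe'
IMAGES = {
    2912: SAMPLE,
    1916: 'rundll32.exe Qsedeqtedeooeo.tmp,Wufaiiuuye',
    1880: 'rundll32.exe shell32.dll,#61 14124',
    1316: 'schtasks.exe /End CacheTask',
    2492: 'schtasks.exe /Run CacheTask',
    2104: 'svchost.exe -k LocalService',
    1360: 'rundll32.exe acrobat_parcel_generic_32.dll',
}
# (kind, source_pid, target_pid). Every child in the report shows the same three parent
# writes, which are kept here to show they are not what distinguishes the injection.
EVENTS = [
    ('create', 2912, 1916), ('write', 2912, 1916), ('write', 2912, 1916), ('write', 2912, 1916),
    ('create', 1916, 1880), ('write', 1916, 1880), ('write', 1916, 1880), ('write', 1916, 1880),
    ('set_thread_context', 1916, 1880),
    ('create', 2104, 1360), ('write', 2104, 1360), ('write', 2104, 1360), ('write', 2104, 1360),
    ('create', 1916, 1316), ('write', 1916, 1316), ('write', 1916, 1316), ('write', 1916, 1316),
    ('create', 1916, 2492), ('write', 1916, 2492), ('write', 1916, 2492), ('write', 1916, 2492),
]


def classify(events):
    """Per target PID: who created it, who wrote into it, who redirected a thread, and a verdict."""
    info = defaultdict(lambda: {'creator': None, 'writers': set(), 'ctx_setters': set()})
    for kind, src, dst in events:
        rec = info[dst]
        if kind == 'create':
            rec['creator'] = src
        elif kind == 'write':
            rec['writers'].add(src)
        elif kind == 'set_thread_context':
            rec['ctx_setters'].add(src)
        else:
            raise ValueError(f'unknown event kind {kind!r}')

    verdicts = {}
    for dst, rec in info.items():
        creator = rec['creator']
        if creator is not None and creator in rec['writers'] and creator in rec['ctx_setters']:
            # parent spawned the target, wrote into it, then pointed a thread at the new code
            verdict = 'hollowing'
        elif rec['ctx_setters'] - {creator}:
            # thread context changed by a process that did not create the target
            verdict = 'remote_injection'
        elif rec['writers'] - {creator}:
            # written by a non-parent; suspicious but not conclusive without a thread event
            verdict = 'remote_write'
        else:
            # only the parent's writes at process start; seen for every child in this report
            verdict = 'startup_writes_only'
        verdicts[dst] = dict(rec, verdict=verdict)
    return verdicts


def report(events, images):
    """Human-readable summary, one line per target PID, sorted by PID."""
    lines = []
    for dst, rec in sorted(classify(events).items()):
        lines.append(f"{dst:>5}  {images.get(dst, '?'):<45} created_by={rec['creator']}  "
                     f"verdict={rec['verdict']}")
    return lines


if __name__ == '__main__':
    print('\n'.join(report(EVENTS, IMAGES)))
```

Run against the report's events only PID 1880 comes out as hollowing; the rundll32, schtasks and service-side rundll32 children all classify as start-up writes. The same logic applies to Sysmon event IDs 1, 8 and 10 style telemetry once the three event kinds are mapped onto it.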
outlook_office_path 1 IoCs
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)

outlook_win_path 1 IoCs
Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa.exe"
  PID 2912
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\rundll32.exe
  |     cmd: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
  |     PID 1916
  |     - Blocklisted process makes network request
  |     - Sets DLL path for service in the registry
  |     - Sets service image path in registry
  |     - Loads dropped DLL
  |     - Accesses Microsoft Outlook accounts
  |     - Accesses Microsoft Outlook profiles
  |     - Suspicious use of SetThreadContext
  |     - Drops file in Program Files directory
  |     - Checks processor information in registry
  |     - Modifies system certificate store
  |     - Suspicious behavior: EnumeratesProcesses
  |     - Suspicious use of AdjustPrivilegeToken
  |     - Suspicious use of FindShellTrayWindow
  |     - Suspicious use of WriteProcessMemory
  |     - outlook_office_path
  |     - outlook_win_path
  |     |
  |     +-- C:\Windows\system32\rundll32.exe
  |     |     cmd: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14124
  |     |     PID 1880
  |     |     - Modifies registry class
  |     |     - Suspicious use of FindShellTrayWindow
  |     |
  |     +-- C:\Windows\SysWOW64\schtasks.exe
  |     |     cmd: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
  |     |     PID 1316
  |     |
  |     +-- C:\Windows\SysWOW64\schtasks.exe
  |           cmd: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
  |           PID 2492
  |
  +-- C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 472
        PID 2236
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2912 -ip 2912
  PID 4172

C:\Windows\System32\rundll32.exe
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID 2680

C:\Windows\SysWOW64\svchost.exe
  cmd: C:\Windows\SysWOW64\svchost.exe -k LocalService
  PID 2104
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\rundll32.exe
        cmd: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\acrobat_parcel_generic_32.dll",hmIkNEw2QTY=
        PID 1360
        - Loads dropped DLL
        - Checks processor information in registry

Reading the tree: the sample (2912) hands off to rundll32.exe (1916), which loads the temporary DLL Qsedeqtedeooeo.tmp through its export Wufaiiuuye. That process does the real work: it drops acrobat_parcel_generic_32.dll and its decoy companions, registers the DLL as the svchost-hosted service acrobat_parcel_generic_32, adds a root certificate, reads Outlook and browser profile data, makes the blocklisted network requests, spawns and hollows a rundll32.exe "shell32.dll",#61 host (1880), and stops and re-runs the scheduled task \Microsoft\Windows\Wininet\CacheTask. The original sample crashes (WerFault, PIDs 2236 and 4172). The service side then appears as a separate root: svchost.exe -k LocalService (2104) loads the dropped DLL, which in turn starts rundll32.exe against acrobat_parcel_generic_32.dll with an opaque argument (hmIkNEw2QTY=). Note that the registered ImagePath names C:\Windows\system32\svchost.exe, while the process that actually loads the DLL in this run is the 32-bit C:\Windows\SysWOW64\svchost.exe, matching the WOW64 rundll32.exe instances and the "_32" DLL. The rundll32.exe SHCreateLocalServerRunDll process (2680) is COM local-server activation with no signatures attributed to it.
Network
No flow details are included in this extract. The "Blocklisted process makes network request" signature references flows 13, 14, 42 and 44, all from rundll32.exe (PID 1916).

MITRE ATT&CK Enterprise v6
No technique mapping is included in this extract.
Downloads

(path not recorded; listed three times in the report)
  Filesize: 797KB
  MD5: 27ad2e09e7fb67aeb3f0a177eacee5bf
  SHA1: 632ba1684b6bda253915c77bc6dc7428b6386feb
  SHA256: d2fec46d1e80bd292d599da77ab32e31978809a2fe90607baca1ee9b2a7811d3
  SHA512: d114cd91dad0ab93b528c3529ef5004ba6dfe34caa1056dda642a3ac1747fc401490546a8e84d66c31c0b4e32cb410db0117288c4560fed6182955455c24e2ce

(path not recorded)
  Filesize: 331KB
  MD5: b5cf5d15a8e6c6f2eb99a5645a2c2336
  SHA1: 7efe1b634ce1253a6761eb0c54f79dd42b79325f
  SHA256: f3b3a6d7eafd8952d6c56b76d084cbc2617407b80e406488ca4961d4e905f38c
  SHA512: 83f15e9930ea058f8d3d7fe7eac40d85416204b65d7ce0e5b82057bc03f537d84c3c54ec6cc22b530f87a9c7d7d60742bd7bbe749d01454d9fcc32f6f99d32cf

(path not recorded)
  Filesize: 2.3MB
  MD5: 7f7a57cdda3a793223eddb107acd3e40
  SHA1: 9d70b2e4ad0c07ab5e1ce5eaa896fdaea4bee467
  SHA256: 1b5d2585fdddcbe2216e1b96a17ae0decca911b6e37e951f13131cda3b984004
  SHA512: ef8669adc775284392618e23f7e09c6b7d905544f2e13ee62c2fab6f036a84adbf0636d2c277e1f954c12c534422d3860ecf673dc29b1e50099d6d51cdf94078

(path not recorded)
  Filesize: 2.3MB
  MD5: 1d9c8b9cdd2c40a2b6b3e10bab641d8b
  SHA1: 73665a873c1d54b9a5660f6d8a086d0f6c9075cd
  SHA256: 547edf5e6d7bd9a1ed64c342b6612ebc604e80cb30bd0f675247ae62d0e59c3e
  SHA512: fc305d2628cc31c9c6c1cc99185110db0c1be63524b920c900c81c81f44de24702dc50434beb43333b5b85a048146bd9db8ee21744970b1f885689a9e3719b01

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe.xml
  Filesize: 26KB
  MD5: 2bc8ee174a90308d275eda81bf42d95e
  SHA1: 284647d3ee515e4794d1984d2f01989f33121d2d
  SHA256: d8bd4c83debd08b1a21d24b3c4a445512ef1931717c01e113fbfc20f47157ea8
  SHA512: fe5d552cbfea372817d64c69f22cbf1a02d1b7ef27ef4a0acf68247a2794f58d09b0147ef110a0267bda87c6712ba18dc261a8c9c7e3ed4c1352bb324ed42327

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c.xml
  Filesize: 862B
  MD5: c017cbd831d5fe3da5d63535c0a7cac9
  SHA1: 4266aab95f2a6988bf07637bf9591bb363f542b5
  SHA256: ad263ad6a68bc9376a151f62188941748b467f82e9638fdfd937047e289edf6a
  SHA512: f96a087201821c6299acb8d1e428a4d58ff9d31a1c5d9f20d24ff1e9e9e97aacdb31ca818d6c53caa0d7da4b3a48a54cf2a39259ed2d362f9aa082c065d6c40c

(path not recorded; these are the hashes of 65536 zero bytes, i.e. a zero-filled 64KB file, not a payload)
  Filesize: 64KB
  MD5: fcd6bcb56c1689fcef28b57c22475bad
  SHA1: 1adc95bebe9eea8c112d40cd04ab7a8d75c4f961
  SHA256: de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31
  SHA512: 73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

(path not recorded)
  Filesize: 65KB
  MD5: a348f66a6427a599596849f4256a5b8d
  SHA1: 1edc7072a3cdaaa191065ce17855e6a596cfe6de
  SHA256: 7e2789e022e43c931114d6a712e0ddeaa925975e08a77e3c403cd705c3b819e8
  SHA512: 2a564e12977ab9fc745563626e53eb882d0d3ed2c1c70eda231a9630066fb4d43a85ab919678faaf8e19252e2b93da1f2e43aad0768e46b9ec5587dadb26ea24

(path not recorded; listed twice in the report)
  Filesize: 797KB
  MD5: 24925b25552a7d8f1d3292071e545920
  SHA1: f786e1d40df30f6fed0301d60c823b655f2d6eac
  SHA256: 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
  SHA512: 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

The report's eleven entries reduce to nine distinct files; the two 797KB files with different hashes and the 331KB and 2.3MB files are the ones to pull for static analysis.
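A small triage helper for a hash table like the one above, added here as an example and not part of the report. It de-duplicates entries by SHA-256, counts how often each content hash appears, and recomputes the hash of a zero-filled buffer of the labelled size to spot empty placeholder files. ENTRIES is a constructed subset of the report's Downloads table (size labels and SHA-256 values copied from the page). The zero-fill check can only confirm files whose size label is exact (64KB = 65536 bytes); rounded labels such as 797KB will not match and are simply left unflagged.

```python
"""De-duplicate a sandbox 'Downloads' hash list and flag zero-filled artefacts.

Added example, not part of the sandbox report. ENTRIES is a constructed subset of the
report's table; sizes and SHA-256 values are copied from it.
"""
import hashlib
import re
from collections import OrderedDict

ENTRIES = [
    ('797KB', 'd2fec46d1e80bd292d599da77ab32e31978809a2fe90607baca1ee9b2a7811d3'),
    ('797KB', 'd2fec46d1e80bd292d599da77ab32e31978809a2fe90607baca1ee9b2a7811d3'),
    ('331KB', 'f3b3a6d7eafd8952d6c56b76d084cbc2617407b80e406488ca4961d4e905f38c'),
    ('64KB', 'de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31'),
    ('797KB', '9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b'),
    ('797KB', '9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b'),
    ('797KB', 'd2fec46d1e80bd292d599da77ab32e31978809a2fe90607baca1ee9b2a7811d3'),
]

UNITS = {'B': 1, 'KB': 1024, 'MB': 1024 ** 2}


def parse_size(label):
    """Turn a sandbox size label ('862B', '64KB', '2.3MB') into bytes; None if unparseable."""
    m = re.fullmatch(r'(\d+(?:\.\d+)?)(B|KB|MB)', label.strip())
    if not m:
        return None
    return int(float(m.group(1)) * UNITS[m.group(2)])


def zero_sha256(nbytes):
    """SHA-256 of a buffer of nbytes zero bytes."""
    return hashlib.sha256(b'\x00' * nbytes).hexdigest()


def triage(entries):
    """Return an ordered {sha256: {'size', 'count', 'zero_filled'}} keeping first-seen order."""
    unique = OrderedDict()
    for label, sha in entries:
        rec = unique.setdefault(sha.lower(), {'size': label, 'count': 0, 'zero_filled': False})
        rec['count'] += 1
    for sha, rec in unique.items():
        n = parse_size(rec['size'])
        # Only exact sizes can match; a rounded label just yields a non-matching hash.
        if n is not None and zero_sha256(n) == sha:
            rec['zero_filled'] = True
    return unique


def worth_pulling(entries):
    """Distinct hashes that are not zero-filled placeholders, in first-seen order."""
    return [sha for sha, rec in triage(entries).items() if not rec['zero_filled']]


if __name__ == '__main__':
    for sha, rec in triage(ENTRIES).items():
        flag = ' (zero-filled)' if rec['zero_filled'] else ''
        print(f"{sha[:16]}... {rec['size']:>6} x{rec['count']}{flag}")
```

The MD5 and SHA-1 columns can be checked the same way with hashlib.md5 and hashlib.sha1 when a report lists only one of them.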