Analysis
max time kernel: 149s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2022 00:20
Static task: static1
Behavioral task: behavioral1
Sample: 326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6.exe
Resource: win10v2004-20221111-en
General
Target: 326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6.exe
Size: 1.1MB
MD5: de44d279f39623ad26d31fd91f4fbd5e
SHA1: 72daf2a6b40945ca711adbcf06ab7b746e42b12b
SHA256: 326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6
SHA512: 18b481be9d9b8736cc090c2769faa0069203eab8739ac0b21d5da1061d2bbe45e20673996d7b3560d88b7257cd504c0d2557fb7256878ca93b5c057f4bccd15a
SSDEEP: 24576:DFCh7F+NoOm2Halob3NE0GzWFw7GZOezzxUYpdrjPq1at3c:I1Uo2aYGzQwiZv1UYpd3qYC
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes (flow, pid, process):
- flow 10, pid 1192, rundll32.exe
- flow 11, pid 1192, rundll32.exe
- flow 43, pid 1192, rundll32.exe
- flow 45, pid 1192, rundll32.exe
-
Sets DLL path for service in the registry 2 TTPs 2 IoCs
Processes (description, ioc, process):
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_browser\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\review_browser.dll" (rundll32.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_browser\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\review_browser.dllÔ€" (rundll32.exe)
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_browser\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" (rundll32.exe)
-
Loads dropped DLL 3 IoCs
Processes (pid, process):
- 1192 rundll32.exe
- 3808 svchost.exe
- 3208 rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes (description, ioc, process):
- Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (rundll32.exe)
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes (description, ioc, process):
- Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (rundll32.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
- Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
- PID 1192 set thread context of 804: rundll32.exe (1192) -> rundll32.exe (804)
-
Drops file in Program Files directory 55 IoCs
Processes (description, ioc; the process is rundll32.exe for every entry):
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_shared_multi_filetype.svg
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\Onix32.dll
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg
- File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-72x72-precomposed.png
- File opened for modification C:\Program Files\Mozilla Firefox\dependentlibs.list
- File opened for modification C:\Program Files\Mozilla Firefox\browser\features\webcompat-reporter@mozilla.org.xpi
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Onix32.dll
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\DropboxStorage.api
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\ahclient.dll
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\icudt40.dll
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt40.dll
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\Updater.api
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\s_shared_multi_filetype.svg
- File opened for modification C:\Program Files\7-Zip\7z.dll
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud.png
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\drvSOFT.x3d
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\delete.svg
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeID.pdf
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ahclient.dll
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\ended_review_or_form.gif
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\en-US.pak
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner_int_2x.gif
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\review_browser.dll
- File opened for modification C:\Program Files\7-Zip\Lang\fi.txt
- File opened for modification C:\Program Files\7-Zip\Lang\az.txt
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\stopwords.ENU
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\FillSign.aapp
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\BIB.dll
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner_mini.gif
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\logsession.dll
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\ccloud.png
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\turnOffNotificationInAcrobat.gif
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf
- File opened for modification C:\Program Files\7-Zip\Lang\hr.txt
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\MCIMPP.mpp
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook.png
- File created C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-72x72-precomposed.png
- File opened for modification C:\Program Files\7-Zip\Lang\ast.txt
- File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes (pid, pid_target, process, target process):
- 5068 WerFault.exe -> 1536 326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6.exe
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Modifies registry class 5 IoCs
Processes (description, ioc, process):
- Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings (rundll32.exe)
- Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell (rundll32.exe)
- Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (rundll32.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (rundll32.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (rundll32.exe)
-
Modifies system certificate store 2 IoCs
Processes (description, ioc, process):
rundll32.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0EE39B6D1587452D7B79921F6C7F79982DE6C25E\Blob = 0300000001000000140000000ee39b6d1587452d7b79921f6c7f79982de6c25e20000000010000007a02000030820276308201dfa00302010202080e26f6c71bad94ab300d06092a864886f70d01010b050030613120301e06035504030c17446967694365727420476c6f62616e20526f6f7420473231193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3230313232313031323232335a170d3234313232303031323232335a30613120301e06035504030c17446967694365727420476c6f62616e20526f6f7420473231193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100da6c941f7508f9559fa83a60cb838e07bd322af5f403450001fd9f271a14806d60f94aef46c126107e14c1222b3e7c9669675c3445dfb6544227fe9a4e56bfeeff78b088398178e3397d383a3059072568d6e183240cd6700907a8136990fadb7666e4d08fa10e5549c494307990d844dc741a935e6c9128758b08c6c8a499970203010001a3373035300f0603551d130101ff040530030101ff30220603551d11041b30198217446967694365727420476c6f62616e20526f6f74204732300d06092a864886f70d01010b0500038181000114bd955725ccbb5b4a39aaa09dd25e1252033d4aaad46353e0d474a5650628f24708768bda7b5c82b2c08ac4c88c5e9459d0a2bf96755e4851d29c1ae87813fa28b344489f99d9749ac20a3e193974748c11d72d2c694d66b3eb65a7cb8bfdc3d99d1c376714782a439ca913e8c6ae428213850c8622a77b486341e2d16a34 rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0EE39B6D1587452D7B79921F6C7F79982DE6C25E rundll32.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes (pid, process): 3808 svchost.exe 3808 svchost.exe 1192 rundll32.exe 1192 rundll32.exe 1192 rundll32.exe 1192 rundll32.exe 1192 rundll32.exe 1192 rundll32.exe 1192 rundll32.exe 1192 rundll32.exe 3808 svchost.exe 3808 svchost.exe 3808 svchost.exe 3808 svchost.exe 3808 svchost.exe 3808 svchost.exe 3808 svchost.exe 3808 svchost.exe 3808 svchost.exe 3808 svchost.exe 3808 svchost.exe 3808 svchost.exe 3808 svchost.exe 3808 svchost.exe 3808 svchost.exe 3808 svchost.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1192 rundll32.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process):
- 804 rundll32.exe
- 1192 rundll32.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes (description, pid, process, target process):
- PID 1536 wrote to memory of 1192: 326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6.exe -> rundll32.exe
- PID 1536 wrote to memory of 1192: 326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6.exe -> rundll32.exe
- PID 1536 wrote to memory of 1192: 326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6.exe -> rundll32.exe
- PID 1192 wrote to memory of 804: rundll32.exe -> rundll32.exe
- PID 1192 wrote to memory of 804: rundll32.exe -> rundll32.exe
- PID 1192 wrote to memory of 804: rundll32.exe -> rundll32.exe
- PID 3808 wrote to memory of 3208: svchost.exe -> rundll32.exe
- PID 3808 wrote to memory of 3208: svchost.exe -> rundll32.exe
- PID 3808 wrote to memory of 3208: svchost.exe -> rundll32.exe
- PID 1192 wrote to memory of 4580: rundll32.exe -> schtasks.exe
- PID 1192 wrote to memory of 4580: rundll32.exe -> schtasks.exe
- PID 1192 wrote to memory of 4580: rundll32.exe -> schtasks.exe
- PID 1192 wrote to memory of 2896: rundll32.exe -> schtasks.exe
- PID 1192 wrote to memory of 2896: rundll32.exe -> schtasks.exe
- PID 1192 wrote to memory of 2896: rundll32.exe -> schtasks.exe
-
outlook_office_path 1 IoCs
Processes (description, ioc, process):
- Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
-
outlook_win_path 1 IoCs
Processes (description, ioc, process):
- Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (rundll32.exe)
Processes (tree; indentation shows parent and child)

C:\Users\Admin\AppData\Local\Temp\326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    cmdline: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
    - Blocklisted process makes network request
    - Sets DLL path for service in the registry
    - Sets service image path in registry
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

    C:\Windows\system32\rundll32.exe
      cmdline: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14124
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow

    C:\Windows\SysWOW64\schtasks.exe
      cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

    C:\Windows\SysWOW64\schtasks.exe
      cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 536
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1536 -ip 1536

C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\svchost.exe
  cmdline: C:\Windows\SysWOW64\svchost.exe -k LocalService
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    cmdline: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\review_browser.dll",T0oFRDE1
    - Loads dropped DLL
    - Checks processor information in registry
Downloads
-
C:\Program Files (x86)\WindowsPowerShell\Modules\review_browser.dll
  Filesize: 797KB
  MD5: 0fe391a714d3ae57c7c0ab846583fd00
  SHA1: be2ba66ecc2e27ef96b48a640aed0d801108161f
  SHA256: cbafaf847186fde78c833922a72082d488e1fefdb195a30cbe8edd076eb77f56
  SHA512: 91db3ed1e0cf329ebd74372b85d0d6a26f2cad8867d9e04c458b006af5825cefc3de8e6e6375ebf1926ad84c5c920391f3419d2152722137f3c929315596d2b2
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\613a5533519f8bfc5ac94c405722cb67_957af1f1-6875-4c40-9804-a0dcc430f453
  Filesize: 1KB
  MD5: a1fb2f5c2a9632f184b145477461bfa8
  SHA1: 5c81d4c0ba7a450a4d02a5842ae6ea68a857b850
  SHA256: bad97e62a22b4fc4df405c0249fcd5b35ec211891426996ac9422b3b48f0431b
  SHA512: 480dc191e2926742b19b2b64591d554402ba17f625d81df25f5d70c27efb4cc99e56ca00a429d06733380819d23ee978a957d2adadfa1562749614816d492172
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.osmuxmui.msi.16.en-us.xml
  Filesize: 10KB
  MD5: 220ae72aa2505c9276da2056b7e34936
  SHA1: 6dfb0f4fd5c0d25062d3d1235fc20358560fdb89
  SHA256: afc37ba57fac36ba151953b67619dbbb985f58122f4ebe07f15b312b5bdf004c
  SHA512: cab8485458b9870015f037fc6c8279018bf212d36ba01181bdb90970473a4b5aaeb9708e36eb21c8e6c1301dbdca630b29c8b3a6fa82fa14fb04bc65d235debd
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
  Filesize: 2KB
  MD5: db0acdbf49f80d3f3b0fb65a71b39341
  SHA1: 12c6d86ba5f90a1e1d2b4b4ec3bd94fc9f1296ae
  SHA256: f8a8635147117201638a6a4dfa8dcd5b4506cbee07f582001d2a92da434a231f
  SHA512: 3d4e7547c8186164aa3fb7f08a50e6b065d536ca5ec8bc216c9dfd34c98e7c58c64ebcb39077fbd46370bc42b504acf769c6b3c7387cb98ec209087d4d46d784
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
  Filesize: 2.3MB
  MD5: de3c17a9cd6ad202dd9dfe5016872d20
  SHA1: 578f0c4575f251eabbd72b60503db6d6901ef6e8
  SHA256: 6c0278860d1fa200474fd0a7d7ee0919649a86961139d8f857402d82340bd73b
  SHA512: 3256cc52637a2393c0e3a92cd5a5a841d41a88c4cc03ef1ce3b4325b96fd125bddbc4de90605273c53b9594dbf1ce098cb422b8d7825c4e328b20b415fba29f2
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
  Filesize: 2.3MB
  MD5: 47c91b587fc2019ace1d124b298a0c89
  SHA1: 56f89598e4fe10c16e63b0bbf5b2b8e68c18a82c
  SHA256: bcc92fc267eee1d862f811d25b77b9b4eb98aee278e37a8d5db24490ed3ce3d0
  SHA512: ac25952fb69053a95bfd4e11a9d3b3e0d4267c1f704bac3f6d5325da341f5103c8df06738d7abc96c129f5feed54fc0317ac733b9c16f42197d072c6eceb6764
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe.xml
  Filesize: 7KB
  MD5: cc4cc0e085cfafe9c540f7a6a4cad93e
  SHA1: 8982a1b3d8f3d8bc37b1c12f9a7f594723d03247
  SHA256: fa0819943729b9c38d89e92fcbc31ba393b49baa524bfa4ee9f2f471f8fcf756
  SHA512: b8f591ee4b5b241025a0d583efed50fb548a180599bc4dab2f7b978da4daf08ca917e539354e2510aaca35257854034de3e3f3a8242eaa71f5ec9c4b3dc289d5
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe.xml
  Filesize: 830B
  MD5: 05cd2b53b1d4a6dfec2c8e5bea828b91
  SHA1: 717e71c2e42f0a993d6a110c3b6c37e5560837ec
  SHA256: 225e46e9c3381e4935dc7c245ce3e3fec92d1a777b2af82c3aae05802d7420c7
  SHA512: a6d69ed210136c098d7ead5b22d2317476fa1ad1690b52f9b1c3620d7b0e52a5adc4f90e18cf971af48bab3a9d8afd50d0d4536ab73faa288687bedc11a5d1e2
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\SystemIndex.1.gthr
  Filesize: 10KB
  MD5: 1cc89e36fb7d379cb763bbb66cc83b6e
  SHA1: bb1bb13857b1de21e25205288048a5d1f40198ce
  SHA256: e1a35f047df609333e5aef5eab41cde04457c55e7d9b761fc30b315243864122
  SHA512: cb2da3c09f65b47aa6ccce46f032c2d0ffd879dd85229ecb7d59349d51b07430e34869b1ccb23be7fbe64f2022be7ac4ccd6223dbbcdbe1e8aabce2056ce5ca0
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\telemetry.ASM-WindowsDefault.json
  Filesize: 146KB
  MD5: d054101b077a5d6ee42f48bbe0a98033
  SHA1: e27de6db98d496419be668cdbb0d63693353a08a
  SHA256: b44915e8ebc59eb07e1571de5dfe8e7ae87aca64b2aa64bd5aaf3ebfe06f72a8
  SHA512: 364a15229a7563af5657355b3ec6838f1367f89163fa43cf835756d5b3ae7df1fbd6b577d31f275b5030f00255c2a1958c6d88b43e84b283a602931c9af1921b
-
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
  Filesize: 797KB
  MD5: 24925b25552a7d8f1d3292071e545920
  SHA1: f786e1d40df30f6fed0301d60c823b655f2d6eac
  SHA256: 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
  SHA512: 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26
-
\??\c:\program files (x86)\windowspowershell\modules\review_browser.dll
  Filesize: 797KB
  MD5: 0fe391a714d3ae57c7c0ab846583fd00
  SHA1: be2ba66ecc2e27ef96b48a640aed0d801108161f
  SHA256: cbafaf847186fde78c833922a72082d488e1fefdb195a30cbe8edd076eb77f56
  SHA512: 91db3ed1e0cf329ebd74372b85d0d6a26f2cad8867d9e04c458b006af5825cefc3de8e6e6375ebf1926ad84c5c920391f3419d2152722137f3c929315596d2b2
-
Memory dumps (pid-index, region, size):
- memory/804-151-0x0000021716D50000-0x0000021716F7A000-memory.dmp (2.2MB)
- memory/804-147-0x00007FF7A8F26890-mapping.dmp
- memory/804-148-0x0000021718590000-0x00000217186D0000-memory.dmp (1.2MB)
- memory/804-149-0x0000021718590000-0x00000217186D0000-memory.dmp (1.2MB)
- memory/804-150-0x00000000008B0000-0x0000000000AC9000-memory.dmp (2.1MB)
- memory/1192-142-0x0000000004AB0000-0x0000000004BF0000-memory.dmp (1.2MB)
- memory/1192-139-0x0000000004E90000-0x00000000055B5000-memory.dmp (7.1MB)
- memory/1192-146-0x0000000004AB0000-0x0000000004BF0000-memory.dmp (1.2MB)
- memory/1192-145-0x0000000004B29000-0x0000000004B2B000-memory.dmp (8KB)
- memory/1192-144-0x0000000004AB0000-0x0000000004BF0000-memory.dmp (1.2MB)
- memory/1192-138-0x0000000004E90000-0x00000000055B5000-memory.dmp (7.1MB)
- memory/1192-143-0x0000000004AB0000-0x0000000004BF0000-memory.dmp (1.2MB)
- memory/1192-132-0x0000000000000000-mapping.dmp
- memory/1192-140-0x0000000004AB0000-0x0000000004BF0000-memory.dmp (1.2MB)
- memory/1192-141-0x0000000004AB0000-0x0000000004BF0000-memory.dmp (1.2MB)
- memory/1192-152-0x0000000004E90000-0x00000000055B5000-memory.dmp (7.1MB)
- memory/1536-137-0x0000000000400000-0x000000000053D000-memory.dmp (1.2MB)
- memory/1536-136-0x00000000022A0000-0x00000000023D0000-memory.dmp (1.2MB)
- memory/1536-135-0x0000000000805000-0x00000000008F4000-memory.dmp (956KB)
- memory/2896-171-0x0000000000000000-mapping.dmp
- memory/3208-164-0x0000000000000000-mapping.dmp
- memory/3208-168-0x0000000004830000-0x0000000004F55000-memory.dmp (7.1MB)
- memory/3208-169-0x0000000004830000-0x0000000004F55000-memory.dmp (7.1MB)
- memory/3208-173-0x0000000004830000-0x0000000004F55000-memory.dmp (7.1MB)
- memory/3808-156-0x0000000003C40000-0x0000000004365000-memory.dmp (7.1MB)
- memory/3808-167-0x0000000003C40000-0x0000000004365000-memory.dmp (7.1MB)
- memory/3808-172-0x0000000003C40000-0x0000000004365000-memory.dmp (7.1MB)
- memory/4580-170-0x0000000000000000-mapping.dmp