Analysis
- max time kernel: 148s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/12/2022, 00:10
- Static task: static1
- Behavioral task: behavioral1
- Sample: 62a7a101409ff42ca3021cd461864cb4c13ec7c3785b6759841dae3bcb897a22.exe
- Resource: win10v2004-20221111-en
General
- Target: 62a7a101409ff42ca3021cd461864cb4c13ec7c3785b6759841dae3bcb897a22.exe
- Size: 1.1MB
- MD5: 9ab4a7fd7c64f150813c87cff907699d
- SHA1: 861b166e242fddad72973365c6ca0d242e478e5b
- SHA256: 62a7a101409ff42ca3021cd461864cb4c13ec7c3785b6759841dae3bcb897a22
- SHA512: bf9e75a71bcdfcf8834ddb4dc410bfec006b1770b59aa2543adb80742c66d780eab9453a37c7bf111af6fe688d473dcd84ddbbe28376a53d3d7108affcfb7098
- SSDEEP: 24576:diQiGP3wIrpRPHaT72KocBZtPYDd8HunSyj:diePxBanoc5Wy+
Malware Config
Signatures
- Blocklisted process makes network request (4 IoCs)
  flow | pid | Process
  10 | 4448 | rundll32.exe
  11 | 4448 | rundll32.exe
  37 | 4448 | rundll32.exe
  39 | 4448 | rundll32.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nppdf32\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\nppdf32.dll" | rundll32.exe
- Sets service image path in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nppdf32\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | rundll32.exe
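Taken together, these two registry writes register a new service, nppdf32, whose host is svchost.exe -k LocalService and whose ServiceDll is a file the sample dropped under C:\Program Files (x86)\WindowsPowerShell\Configuration. Both writes come from rundll32.exe rather than from the Service Control Manager, and the process tree later shows svchost.exe -k LocalService (PID 1932) loading the dropped DLL and spawning rundll32.exe against it. The Python below is an added example, not part of the Triage report: it runs the corresponding hunt over a constructed list of registry set-value events. The nppdf32 rows copy the IoCs above; the Dnscache rows are a made-up benign baseline; the field names (process, path, value) are an assumption, loosely modelled on Sysmon Event ID 13.

```python
"""Flag svchost-hosted services whose ServiceDll is untrusted or was written outside the SCM.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed to mirror
the two registry writes the report attributes to rundll32.exe (PID 4448), plus one
benign baseline service for contrast. The event field names (process, path, value)
are assumptions, loosely modelled on Sysmon Event ID 13 (RegistryEvent SetValue).
"""
import re
from collections import defaultdict

# Constructed sample events: nppdf32 values are copied from the report's IoCs,
# the Dnscache rows are a made-up benign baseline installed through services.exe.
SAMPLE_EVENTS = [
    {"process": "rundll32.exe",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nppdf32\Parameters\ServiceDll",
     "value": r"C:\Program Files (x86)\WindowsPowerShell\Configuration\nppdf32.dll"},
    {"process": "rundll32.exe",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nppdf32\ImagePath",
     "value": r"C:\Windows\system32\svchost.exe -k LocalService"},
    {"process": "services.exe",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ServiceDll",
     "value": r"%SystemRoot%\System32\dnsrslvr.dll"},
    {"process": "services.exe",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\ImagePath",
     "value": r"%SystemRoot%\system32\svchost.exe -k NetworkService -p"},
]

# HKLM\SYSTEM\<ControlSetNNN | CurrentControlSet>\Services\<name>\<rest>
SERVICE_KEY = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)\\(.+)$",
    re.IGNORECASE,
)

# Where a DLL hosted by svchost.exe is expected to live (compared case-insensitively).
TRUSTED_DLL_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "%systemroot%\\system32\\",
    "%systemroot%\\syswow64\\",
)


def normalize(path):
    """Lower-case, strip surrounding quotes and unify slashes."""
    return path.strip('"').lower().replace("/", "\\")


def is_svchost_image(image_path):
    """True when the ImagePath is svchost.exe, whatever the -k group."""
    return normalize(image_path).split(" -k")[0].endswith("\\svchost.exe")


def collect_services(events):
    """Group ServiceDll / ImagePath writes per service; remember which process wrote the DLL path."""
    services = defaultdict(dict)
    for ev in events:
        m = SERVICE_KEY.match(ev["path"])
        if not m:
            continue
        name, sub = m.group(1), m.group(2).lower()
        if sub == "parameters\\servicedll":
            services[name]["dll"] = ev["value"]
            services[name]["dll_writer"] = ev["process"].lower()
        elif sub == "imagepath":
            services[name]["image"] = ev["value"]
    return dict(services)


def find_suspicious_service_dlls(events):
    """Return {service_name: [reasons]} for svchost-hosted services with an untrusted ServiceDll."""
    findings = {}
    for name, info in collect_services(events).items():
        if "dll" not in info or "image" not in info or not is_svchost_image(info["image"]):
            continue
        reasons = []
        if not normalize(info["dll"]).startswith(TRUSTED_DLL_PREFIXES):
            reasons.append("ServiceDll outside System32/SysWOW64: " + info["dll"])
        # Legitimate installs go through the Service Control Manager (services.exe);
        # a direct registry write from any other process bypasses it.
        if info["dll_writer"] != "services.exe":
            reasons.append("ServiceDll written by " + info["dll_writer"] + " rather than services.exe")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for service, reasons in find_suspicious_service_dlls(SAMPLE_EVENTS).items():
        print(service)
        for reason in reasons:
            print("  -", reason)
```

Run over the constructed events, only nppdf32 is reported, on both counts; Dnscache passes because its DLL sits under %SystemRoot%\System32 and the SCM wrote it. The same two checks can be applied to a live host by walking HKLM\SYSTEM\CurrentControlSet\Services and reading each Parameters\ServiceDll, since the report shows the malicious value is written in clear text.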
- Loads dropped DLL (3 IoCs)
  pid | Process
  4448 | rundll32.exe
  1932 | svchost.exe
  940 | rundll32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | rundll32.exe
- Accesses Microsoft Outlook profiles (1 TTP, 4 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4448 set thread context of 1332 | 4448 | rundll32.exe | 91
- Drops file in Program Files directory (62 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_bow.png | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\nppdf32.dll | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\rss.gif | rundll32.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ext.txt | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll | rundll32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json | rundll32.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Comments.aapp | rundll32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\firefox.cfg | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\forms_super.gif | rundll32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig | rundll32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\application.ini | rundll32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\aic_file_icons_retina_thumb_highContrast_wob.png | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\QuickTime.mpp | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\warning.gif | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\LogTransport2.exe | rundll32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp | rundll32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll | rundll32.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\hy.txt | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\aic_file_icons_hiContrast_wob.png | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\LICENSE.txt | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeXMP.dll | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\form_responses.gif | rundll32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll | rundll32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll | rundll32.exe
  File opened for modification | C:\Program Files\7-Zip\7-zip.dll | rundll32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll | rundll32.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\aic_file_icons_hiContrast_bow.png | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\apple-touch-icon-144x144-precomposed.png | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\ExtendScript.dll | rundll32.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | rundll32.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\AdobeXMP.dll | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\form_responses.gif | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\InAppSign.aapp | rundll32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\DarkTheme.acrotheme | rundll32.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\Accessible.tlb | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\favicon.ico | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\SaveAsRTF.api | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\back-arrow-disabled.svg | rundll32.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | rundll32.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp | rundll32.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\favicon.ico | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1572 | 2780 | WerFault.exe | 81
- Checks processor information in registry (2 TTPs, 64 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | svchost.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | svchost.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | svchost.exe
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | rundll32.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | rundll32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | rundll32.exe
- Modifies system certificate store (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2E3AF48C7EDF93D182B049D24ECBBC549D040D61 | rundll32.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2E3AF48C7EDF93D182B049D24ECBBC549D040D61\Blob = (certificate blob not reproduced) | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid | Process
  4448 | rundll32.exe (10 events)
  1932 | svchost.exe (16 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4448 | rundll32.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  1332 | rundll32.exe
  4448 | rundll32.exe
  4448 | rundll32.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 2780 wrote to memory of 4448 | 2780 | 62a7a101409ff42ca3021cd461864cb4c13ec7c3785b6759841dae3bcb897a22.exe | 84 (3 events)
  PID 4448 wrote to memory of 1332 | 4448 | rundll32.exe | 91 (3 events)
  PID 4448 wrote to memory of 4040 | 4448 | rundll32.exe | 92 (3 events)
  PID 4448 wrote to memory of 4196 | 4448 | rundll32.exe | 94 (3 events)
  PID 1932 wrote to memory of 940 | 1932 | svchost.exe | 100 (3 events)
  PID 4448 wrote to memory of 4940 | 4448 | rundll32.exe | 101 (3 events)
  PID 4448 wrote to memory of 1980 | 4448 | rundll32.exe | 103 (3 events)
- outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
- outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\62a7a101409ff42ca3021cd461864cb4c13ec7c3785b6759841dae3bcb897a22.exe (PID 2780)
  command line: "C:\Users\Admin\AppData\Local\Temp\62a7a101409ff42ca3021cd461864cb4c13ec7c3785b6759841dae3bcb897a22.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4448)
    command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Quspupodwqfhie.tmp",Ritwuoaoyiy
    signatures: Blocklisted process makes network request; Sets DLL path for service in the registry; Sets service image path in registry; Loads dropped DLL; Accesses Microsoft Outlook accounts; Accesses Microsoft Outlook profiles; Suspicious use of SetThreadContext; Drops file in Program Files directory; Checks processor information in registry; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
    - C:\Windows\system32\rundll32.exe (PID 1332)
      command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18907
      signatures: Modifies registry class; Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\schtasks.exe (PID 4040)
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 4196)
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 4940)
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    - C:\Windows\SysWOW64\schtasks.exe (PID 1980)
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
  - C:\Windows\SysWOW64\WerFault.exe (PID 1572)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 556
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4420)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 2780 -ip 2780
- C:\Windows\System32\rundll32.exe (PID 4388)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\SysWOW64\svchost.exe (PID 1932)
  command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  signatures: Loads dropped DLL; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 940)
    command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\configuration\nppdf32.dll",TwxDNkxQMg==
    signatures: Loads dropped DLL; Checks processor information in registry
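Two things in the tree above are worth turning into hunting logic: rundll32.exe (PID 4448) is started with a module named Quspupodwqfhie.tmp from the user's Temp directory, a non-.dll extension in a user-writable path, and that same rundll32.exe then spawns four schtasks.exe instances that stop and run \Microsoft\Windows\Wininet\CacheTask. The Python below is an added example, not part of the Triage report. SAMPLE_PROCESSES is constructed from this tree (PIDs, images and command lines as listed, parent PIDs following the nesting); the field names are an assumption modelled loosely on Sysmon Event ID 1, and the rundll32 command-line parser is written here, not taken from any tool.

```python
"""Hunt for the rundll32.exe patterns visible in the process tree.

Added example, not part of the sandbox report. SAMPLE_PROCESSES is constructed from the
report's process tree (PIDs, images and command lines as listed there; parent PIDs follow
the tree nesting). Field names are assumptions loosely modelled on Sysmon Event ID 1.
"""
import re

# Constructed sample, built from the report's process tree.
SAMPLE_PROCESSES = [
    {"pid": 2780, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\62a7a101409ff42ca3021cd461864cb4c13ec7c3785b6759841dae3bcb897a22.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\62a7a101409ff42ca3021cd461864cb4c13ec7c3785b6759841dae3bcb897a22.exe"'},
    {"pid": 4448, "ppid": 2780, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Quspupodwqfhie.tmp",Ritwuoaoyiy'},
    {"pid": 1332, "ppid": 4448, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18907'},
    {"pid": 4040, "ppid": 4448, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask"},
    {"pid": 4196, "ppid": 4448, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask"},
    {"pid": 1932, "ppid": 0, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe -k LocalService"},
    {"pid": 940, "ppid": 1932, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\configuration\nppdf32.dll",TwxDNkxQMg=='},
]

# rundll32[.exe] <module>,<export> ...  where <module> may be quoted and contain spaces.
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*,\s*(\S+)', re.IGNORECASE)

# Path fragments an unprivileged user can normally write to (compared case-insensitively).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")


def parse_rundll32(cmdline):
    """Return (module_path, export) from a rundll32 command line, or None if it is not one."""
    m = RUNDLL_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1).strip(), m.group(2)


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def hunt_rundll32(processes):
    """Return (pid, reason) pairs for rundll32 modules outside the norm and schtasks children."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        name = basename(p["image"])
        if name == "rundll32.exe":
            parsed = parse_rundll32(p["cmdline"])
            if parsed:
                module, export = parsed
                low = module.lower()
                if not low.endswith(".dll"):
                    findings.append((p["pid"], f"rundll32 module {module} has a non-.dll extension (export {export})"))
                if any(marker in low for marker in USER_WRITABLE_MARKERS):
                    findings.append((p["pid"], f"rundll32 module {module} sits in a user-writable path"))
        parent = by_pid.get(p["ppid"])
        if parent is not None and name == "schtasks.exe" and basename(parent["image"]) == "rundll32.exe":
            findings.append((p["pid"], f"schtasks.exe spawned by rundll32.exe pid {parent['pid']}: {p['cmdline']}"))
    return findings


if __name__ == "__main__":
    for pid, reason in hunt_rundll32(SAMPLE_PROCESSES):
        print(pid, reason)
```

Against the constructed tree this yields four findings: two for PID 4448 (the .tmp extension and the AppData path) and one each for the schtasks.exe children 4040 and 4196. The shell32.dll invocations (PIDs 1332 and 4388) and the nppdf32.dll load from Program Files are deliberately not flagged by these rules; the latter is caught by the ServiceDll check in the Signatures section, which is why both hunts are worth running side by side.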
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 814KB
  MD5: 559b0bf4d0449a93271fabee29341761
  SHA1: 1b0ccf4b8c4d3142916df51cd3b6365517da12e8
  SHA256: c104b10934809ca8a6bc132397ead846b0af051bdde9294cb4e3c2bc6f5f3622
  SHA512: 78133af58277c389a9f7dcee848628621b4020e106ef4b99991217177fb2891260044c640ab7733723e313c487c23742d70ee077272379bda5b06732a010b032
- Filesize: 814KB
  MD5: 559b0bf4d0449a93271fabee29341761
  SHA1: 1b0ccf4b8c4d3142916df51cd3b6365517da12e8
  SHA256: c104b10934809ca8a6bc132397ead846b0af051bdde9294cb4e3c2bc6f5f3622
  SHA512: 78133af58277c389a9f7dcee848628621b4020e106ef4b99991217177fb2891260044c640ab7733723e313c487c23742d70ee077272379bda5b06732a010b032
- Filesize: 64KB
  MD5: 3e4bb54c051fc02969e33f2aa7f3c802
  SHA1: 2ba3505713fd4b2f518c7e8690f76c39bec443d0
  SHA256: 6c3ae1e244b033fdcf5e1b2694a505614f7f994605b80881257042fa419cf035
  SHA512: 758dceef70a2839b6b3230fcd670dd5f4f6b9278cede9d4006fceb415afbd26e0b6bd01c5d39b8a2937e914a80d8d4fda547157c8d4ddce3c86b693f79a81f40
- C:\ProgramData\{9C0BA6AF-75FB-72C6-BE9A-B167A4AE4026}\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe.xml
  Filesize: 15KB
  MD5: c73eeb9dedd94a612969e003260e6341
  SHA1: 0451277183bad12e3179c12c0a14694fab52bc8d
  SHA256: 1ee54a9294af6727770aff79f2c901cd40ca23dfb4803788042aada54146e355
  SHA512: d78542d9c74efeac1d925d9d05c691c5543d04e6b671a5ef160f0fafc3b4444d327cf37206d78f43b607f817b6545cb9673b85d713b8c59d0c97103aee55245a
- C:\ProgramData\{9C0BA6AF-75FB-72C6-BE9A-B167A4AE4026}\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
  Filesize: 839B
  MD5: 2f6bc19cc3de731b8eaec46910edaf83
  SHA1: 61fd41f1fd1e4c6d7178a204c8ab68add839a199
  SHA256: 6893a54cc402ac94a278294c20918a5a6d15f8bf11995a8b2388dbe9fce5b966
  SHA512: 841a7777d1cf45ae391a101a44a25407023dd66e539e303057f0bfd01db8b37f56f9047eeccb920a5cdaa3ce44779d1703235a2db510594f70bbd2eff441b15a
- Filesize: 71KB
  MD5: b08a8c2f6941a1a12aa05180aec1dbb9
  SHA1: c09f9207502aca3866b182d79221addcca76f4d1
  SHA256: 843f89d7b8b11907ee5dea2e0108dbb10ce3883d3b7505c55f4e1082db879d3f
  SHA512: 8de3748bd731835154f3d371ca0174c2b17da64fd39d479b132947304e6ff1d7f95e344aad64b6b9aa831ae37b3ed00d3a05efaf6aed67619e9d69a1e9b89bf7
- Filesize: 64KB
  MD5: fb54ecf5bbc8554d4218fce2b5863f04
  SHA1: 5a43e92271d69b66f97c12d977c10bc78991f76f
  SHA256: bc964a0306fbeca377d20bafd127425c0700ee293a2c5caf9b28285f1b1d75e5
  SHA512: c13e3d7c8801b9a865952708af0fe4272e2034be0ebc40e94f4bdccd13b3075ef8d2b5ec8af68d51fe11d87ce84183275d031390aa00e6cefd02407a03436a40
- Filesize: 3.5MB
  MD5: 47e59ee97a2df9617c76376ed3d628ec
  SHA1: e94718a947fd2c51914c46668979cee0574f7839
  SHA256: 59ea2549c3f043079f1dca222de3a0226d82c197fd160abd3cb840a311dbd762
  SHA512: aeb4d8f19b2b138f847b5fe68f84c22815ea13a882948e400411eda3e3c74ffc8bbbc1b5055bed176a8ba884edba1e0bfc0f9fa3d7de503d6aa97372dab6f7f6
- Filesize: 3.5MB
  MD5: 47e59ee97a2df9617c76376ed3d628ec
  SHA1: e94718a947fd2c51914c46668979cee0574f7839
  SHA256: 59ea2549c3f043079f1dca222de3a0226d82c197fd160abd3cb840a311dbd762
  SHA512: aeb4d8f19b2b138f847b5fe68f84c22815ea13a882948e400411eda3e3c74ffc8bbbc1b5055bed176a8ba884edba1e0bfc0f9fa3d7de503d6aa97372dab6f7f6
- Filesize: 28KB
  MD5: 3fa8c6dc1f72c3f9f8670a3e236459f2
  SHA1: fcca30e9c5f861ac907150c76ca5f2174d214b7b
  SHA256: dca1bd2f368d6165695ac6f48239722b9d38226bef45764a0076bbfa184cb0a7
  SHA512: af6654f32cf0638204293e0117ff43e59f68537e391d3f4b1c7758632767eaa474d7cb44f3b4b7f9ba6cdefda9ec9368cf07814aed4e79949001bd44ede262ec
- Filesize: 81KB
  MD5: 8e3fed079e101c5dcb906371c2b546a3
  SHA1: 7fbf444c9361684228f643984f1333c271e86bf2
  SHA256: b0203f1dc9e443dc5081b0f882934241645a5de4cc4b1e47b3460d17446a87d4
  SHA512: 898c825d9f20f3d20cb389328561ff70bd0c762dcc1369bd0bb633130aee9dcf60b433da66c3a37dd1d46a70614abd955a323589917ed85e0ec5698cdd0268c2
- C:\ProgramData\{9C0BA6AF-75FB-72C6-BE9A-B167A4AE4026}\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json
  Filesize: 121B
  MD5: 70bdaa5c409965a452e47aa001033c53
  SHA1: 594fad49def244b2a459ddd86bf1763e190917e3
  SHA256: 433ea519024b5837e58afc7f968df10b5fc3144b4da790c68a72c40740bdfa58
  SHA512: 62f25a4e598f3592cb8bb789ae4127c067fbcb3c738983f8da49996c9bdc981cebe266c666a416abe5cda8f321c8d62aa60da87dc77aef1843035dcb5400dbcc
- Filesize: 814KB
  MD5: f93876956e6e2f754c8be97ac269729d
  SHA1: bf0eb05f31b4177e5e2fdeb203698d5018c8ee12
  SHA256: 226eac6b8ce415bf0900050818f8212129fc51d14dab026e7b8600aa89d65c8a
  SHA512: c3c53aca227ac035ac838002c8f68b2d449ac983a85780356eb8ef7791171fdb2133cf7f8b694cd4e62b6239b5b8ca21013c483c797153dcd57ea845d4b458cb
- Filesize: 814KB
  MD5: f93876956e6e2f754c8be97ac269729d
  SHA1: bf0eb05f31b4177e5e2fdeb203698d5018c8ee12
  SHA256: 226eac6b8ce415bf0900050818f8212129fc51d14dab026e7b8600aa89d65c8a
  SHA512: c3c53aca227ac035ac838002c8f68b2d449ac983a85780356eb8ef7791171fdb2133cf7f8b694cd4e62b6239b5b8ca21013c483c797153dcd57ea845d4b458cb
- Filesize: 814KB
  MD5: 559b0bf4d0449a93271fabee29341761
  SHA1: 1b0ccf4b8c4d3142916df51cd3b6365517da12e8
  SHA256: c104b10934809ca8a6bc132397ead846b0af051bdde9294cb4e3c2bc6f5f3622
  SHA512: 78133af58277c389a9f7dcee848628621b4020e106ef4b99991217177fb2891260044c640ab7733723e313c487c23742d70ee077272379bda5b06732a010b032