62a7a101409ff42ca3021cd461864cb4c13ec7c3785b6759841dae3bcb897a22

Analysis

max time kernel
148s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2022, 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62a7a101409ff42ca3021cd461864cb4c13ec7c3785b6759841dae3bcb897a22.exe
Size

1.1MB
MD5

9ab4a7fd7c64f150813c87cff907699d
SHA1

861b166e242fddad72973365c6ca0d242e478e5b
SHA256

62a7a101409ff42ca3021cd461864cb4c13ec7c3785b6759841dae3bcb897a22
SHA512

bf9e75a71bcdfcf8834ddb4dc410bfec006b1770b59aa2543adb80742c66d780eab9453a37c7bf111af6fe688d473dcd84ddbbe28376a53d3d7108affcfb7098
SSDEEP

24576:diQiGP3wIrpRPHaT72KocBZtPYDd8HunSyj:diePxBanoc5Wy+

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
10	4448	rundll32.exe
11	4448	rundll32.exe
37	4448	rundll32.exe
39	4448	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nppdf32\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\nppdf32.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nppdf32\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
4448	rundll32.exe
1932	svchost.exe
940	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4448 set thread context of 1332	4448	rundll32.exe	91

Drops file in Program Files directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_bow.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\rss.gif	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Comments.aapp	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\forms_super.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\aic_file_icons_retina_thumb_highContrast_wob.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\QuickTime.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\warning.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\LogTransport2.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\aic_file_icons_hiContrast_wob.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\LICENSE.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeXMP.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\form_responses.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\aic_file_icons_hiContrast_bow.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\apple-touch-icon-144x144-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\ExtendScript.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\AdobeXMP.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\form_responses.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\InAppSign.aapp	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\DarkTheme.acrotheme	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\favicon.ico	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\SaveAsRTF.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\back-arrow-disabled.svg	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\favicon.ico	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1572	2780	WerFault.exe	81

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2E3AF48C7EDF93D182B049D24ECBBC549D040D61	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2E3AF48C7EDF93D182B049D24ECBBC549D040D61\Blob = 0300000001000000140000002e3af48c7edf93d182b049d24ecbbc549d040d612000000001000000d1020000308202cd30820236a003020102020879ac5f8403a31b40300d06092a864886f70d01010b0500307e313d303b06035504030c344d6963726f736f66742054696d65205374616d7020526f6f7420436572746366696361746520417574686f726974792032303134311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e64301e170d3230313232323031313231375a170d3234313232313031313231375a307e313d303b06035504030c344d6963726f736f66742054696d65205374616d7020526f6f7420436572746366696361746520417574686f726974792032303134311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e6430819f300d06092a864886f70d010101050003818d0030818902818100a7917e672f466a5837c231055a484a050464f83748799f379c2d2349b270868a78dbfc97551bffc5fce76c41b48bdcbd2cb3d6651600657701334aefaf16c0988d6e49fa9ccf6fea21bd04abf591583d4508451aa1c290ca1d11ba4fe15804ec42f5a8a4675570726a95420bbbc279439b8f14200f1ae5ab69ffa46ebade18bf0203010001a3543052300f0603551d130101ff040530030101ff303f0603551d110438303682344d6963726f736f66742054696d65205374616d7020526f6f7420436572746366696361746520417574686f726974792032303134300d06092a864886f70d01010b05000381810029c2b8ff8aa689591fbeec56a84073b071211446b5923d5f0412c60a222fcff7587ee8a010b3aed57b58fbb1d44a42c202e9d240b841556e0bb5cbe96c29dfc2bc882350ef0b28c7f68879e5122ce8415ed24aabcf38e9899400629bef8ee28fe5c178b756dda845fe13adca81f96611ad1eb767ce3d58edf586f2c9a364f22c	rundll32.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4448	rundll32.exe
4448	rundll32.exe
1932	svchost.exe
1932	svchost.exe
4448	rundll32.exe
4448	rundll32.exe
4448	rundll32.exe
4448	rundll32.exe
4448	rundll32.exe
4448	rundll32.exe
4448	rundll32.exe
4448	rundll32.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe
1932	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	rundll32.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1332	rundll32.exe
4448	rundll32.exe
4448	rundll32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 4448	2780	62a7a101409ff42ca3021cd461864cb4c13ec7c3785b6759841dae3bcb897a22.exe	84
PID 2780 wrote to memory of 4448	2780	62a7a101409ff42ca3021cd461864cb4c13ec7c3785b6759841dae3bcb897a22.exe	84
PID 2780 wrote to memory of 4448	2780	62a7a101409ff42ca3021cd461864cb4c13ec7c3785b6759841dae3bcb897a22.exe	84
PID 4448 wrote to memory of 1332	4448	rundll32.exe	91
PID 4448 wrote to memory of 1332	4448	rundll32.exe	91
PID 4448 wrote to memory of 1332	4448	rundll32.exe	91
PID 4448 wrote to memory of 4040	4448	rundll32.exe	92
PID 4448 wrote to memory of 4040	4448	rundll32.exe	92
PID 4448 wrote to memory of 4040	4448	rundll32.exe	92
PID 4448 wrote to memory of 4196	4448	rundll32.exe	94
PID 4448 wrote to memory of 4196	4448	rundll32.exe	94
PID 4448 wrote to memory of 4196	4448	rundll32.exe	94
PID 1932 wrote to memory of 940	1932	svchost.exe	100
PID 1932 wrote to memory of 940	1932	svchost.exe	100
PID 1932 wrote to memory of 940	1932	svchost.exe	100
PID 4448 wrote to memory of 4940	4448	rundll32.exe	101
PID 4448 wrote to memory of 4940	4448	rundll32.exe	101
PID 4448 wrote to memory of 4940	4448	rundll32.exe	101
PID 4448 wrote to memory of 1980	4448	rundll32.exe	103
PID 4448 wrote to memory of 1980	4448	rundll32.exe	103
PID 4448 wrote to memory of 1980	4448	rundll32.exe	103

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\62a7a101409ff42ca3021cd461864cb4c13ec7c3785b6759841dae3bcb897a22.exe
"C:\Users\Admin\AppData\Local\Temp\62a7a101409ff42ca3021cd461864cb4c13ec7c3785b6759841dae3bcb897a22.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Quspupodwqfhie.tmp",Ritwuoaoyiy
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:4448
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18907
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1332
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 556
  2⤵
  - Program crash
  PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 2780 -ip 2780
1⤵
PID:4420

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4388

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\configuration\nppdf32.dll",TwxDNkxQMg==
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Configuration\nppdf32.dll

Filesize
814KB

MD5
559b0bf4d0449a93271fabee29341761

SHA1
1b0ccf4b8c4d3142916df51cd3b6365517da12e8

SHA256
c104b10934809ca8a6bc132397ead846b0af051bdde9294cb4e3c2bc6f5f3622

SHA512
78133af58277c389a9f7dcee848628621b4020e106ef4b99991217177fb2891260044c640ab7733723e313c487c23742d70ee077272379bda5b06732a010b032

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Configuration\nppdf32.dll

Filesize
814KB

MD5
559b0bf4d0449a93271fabee29341761

SHA1
1b0ccf4b8c4d3142916df51cd3b6365517da12e8

SHA256
c104b10934809ca8a6bc132397ead846b0af051bdde9294cb4e3c2bc6f5f3622

SHA512
78133af58277c389a9f7dcee848628621b4020e106ef4b99991217177fb2891260044c640ab7733723e313c487c23742d70ee077272379bda5b06732a010b032

Download Submit
C:\ProgramData\{9C0BA6AF-75FB-72C6-BE9A-B167A4AE4026}\CiST0000.002

Filesize
64KB

MD5
3e4bb54c051fc02969e33f2aa7f3c802

SHA1
2ba3505713fd4b2f518c7e8690f76c39bec443d0

SHA256
6c3ae1e244b033fdcf5e1b2694a505614f7f994605b80881257042fa419cf035

SHA512
758dceef70a2839b6b3230fcd670dd5f4f6b9278cede9d4006fceb415afbd26e0b6bd01c5d39b8a2937e914a80d8d4fda547157c8d4ddce3c86b693f79a81f40

Download Submit
C:\ProgramData\{9C0BA6AF-75FB-72C6-BE9A-B167A4AE4026}\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
15KB

MD5
c73eeb9dedd94a612969e003260e6341

SHA1
0451277183bad12e3179c12c0a14694fab52bc8d

SHA256
1ee54a9294af6727770aff79f2c901cd40ca23dfb4803788042aada54146e355

SHA512
d78542d9c74efeac1d925d9d05c691c5543d04e6b671a5ef160f0fafc3b4444d327cf37206d78f43b607f817b6545cb9673b85d713b8c59d0c97103aee55245a

Download Submit
C:\ProgramData\{9C0BA6AF-75FB-72C6-BE9A-B167A4AE4026}\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe.xml

Filesize
839B

MD5
2f6bc19cc3de731b8eaec46910edaf83

SHA1
61fd41f1fd1e4c6d7178a204c8ab68add839a199

SHA256
6893a54cc402ac94a278294c20918a5a6d15f8bf11995a8b2388dbe9fce5b966

SHA512
841a7777d1cf45ae391a101a44a25407023dd66e539e303057f0bfd01db8b37f56f9047eeccb920a5cdaa3ce44779d1703235a2db510594f70bbd2eff441b15a

Download Submit
C:\ProgramData\{9C0BA6AF-75FB-72C6-BE9A-B167A4AE4026}\MicrosoftOffice2010Win32.xml

Filesize
71KB

MD5
b08a8c2f6941a1a12aa05180aec1dbb9

SHA1
c09f9207502aca3866b182d79221addcca76f4d1

SHA256
843f89d7b8b11907ee5dea2e0108dbb10ce3883d3b7505c55f4e1082db879d3f

SHA512
8de3748bd731835154f3d371ca0174c2b17da64fd39d479b132947304e6ff1d7f95e344aad64b6b9aa831ae37b3ed00d3a05efaf6aed67619e9d69a1e9b89bf7

Download Submit
C:\ProgramData\{9C0BA6AF-75FB-72C6-BE9A-B167A4AE4026}\MicrosoftOffice2016Win32.xml

Filesize
64KB

MD5
fb54ecf5bbc8554d4218fce2b5863f04

SHA1
5a43e92271d69b66f97c12d977c10bc78991f76f

SHA256
bc964a0306fbeca377d20bafd127425c0700ee293a2c5caf9b28285f1b1d75e5

SHA512
c13e3d7c8801b9a865952708af0fe4272e2034be0ebc40e94f4bdccd13b3075ef8d2b5ec8af68d51fe11d87ce84183275d031390aa00e6cefd02407a03436a40

Download Submit
C:\ProgramData\{9C0BA6AF-75FB-72C6-BE9A-B167A4AE4026}\Uyoiheuooe.tmp

Filesize
3.5MB

MD5
47e59ee97a2df9617c76376ed3d628ec

SHA1
e94718a947fd2c51914c46668979cee0574f7839

SHA256
59ea2549c3f043079f1dca222de3a0226d82c197fd160abd3cb840a311dbd762

SHA512
aeb4d8f19b2b138f847b5fe68f84c22815ea13a882948e400411eda3e3c74ffc8bbbc1b5055bed176a8ba884edba1e0bfc0f9fa3d7de503d6aa97372dab6f7f6

Download Submit
C:\ProgramData\{9C0BA6AF-75FB-72C6-BE9A-B167A4AE4026}\Uyoiheuooe.tmp

Filesize
3.5MB

MD5
47e59ee97a2df9617c76376ed3d628ec

SHA1
e94718a947fd2c51914c46668979cee0574f7839

SHA256
59ea2549c3f043079f1dca222de3a0226d82c197fd160abd3cb840a311dbd762

SHA512
aeb4d8f19b2b138f847b5fe68f84c22815ea13a882948e400411eda3e3c74ffc8bbbc1b5055bed176a8ba884edba1e0bfc0f9fa3d7de503d6aa97372dab6f7f6

Download Submit
C:\ProgramData\{9C0BA6AF-75FB-72C6-BE9A-B167A4AE4026}\netfol.ico

Filesize
28KB

MD5
3fa8c6dc1f72c3f9f8670a3e236459f2

SHA1
fcca30e9c5f861ac907150c76ca5f2174d214b7b

SHA256
dca1bd2f368d6165695ac6f48239722b9d38226bef45764a0076bbfa184cb0a7

SHA512
af6654f32cf0638204293e0117ff43e59f68537e391d3f4b1c7758632767eaa474d7cb44f3b4b7f9ba6cdefda9ec9368cf07814aed4e79949001bd44ede262ec

Download Submit
C:\ProgramData\{9C0BA6AF-75FB-72C6-BE9A-B167A4AE4026}\pictures.ico

Filesize
81KB

MD5
8e3fed079e101c5dcb906371c2b546a3

SHA1
7fbf444c9361684228f643984f1333c271e86bf2

SHA256
b0203f1dc9e443dc5081b0f882934241645a5de4cc4b1e47b3460d17446a87d4

SHA512
898c825d9f20f3d20cb389328561ff70bd0c762dcc1369bd0bb633130aee9dcf60b433da66c3a37dd1d46a70614abd955a323589917ed85e0ec5698cdd0268c2

Download Submit
C:\ProgramData\{9C0BA6AF-75FB-72C6-BE9A-B167A4AE4026}\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json

Filesize
121B

MD5
70bdaa5c409965a452e47aa001033c53

SHA1
594fad49def244b2a459ddd86bf1763e190917e3

SHA256
433ea519024b5837e58afc7f968df10b5fc3144b4da790c68a72c40740bdfa58

SHA512
62f25a4e598f3592cb8bb789ae4127c067fbcb3c738983f8da49996c9bdc981cebe266c666a416abe5cda8f321c8d62aa60da87dc77aef1843035dcb5400dbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Quspupodwqfhie.tmp

Filesize
814KB

MD5
f93876956e6e2f754c8be97ac269729d

SHA1
bf0eb05f31b4177e5e2fdeb203698d5018c8ee12

SHA256
226eac6b8ce415bf0900050818f8212129fc51d14dab026e7b8600aa89d65c8a

SHA512
c3c53aca227ac035ac838002c8f68b2d449ac983a85780356eb8ef7791171fdb2133cf7f8b694cd4e62b6239b5b8ca21013c483c797153dcd57ea845d4b458cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Quspupodwqfhie.tmp

Filesize
814KB

MD5
f93876956e6e2f754c8be97ac269729d

SHA1
bf0eb05f31b4177e5e2fdeb203698d5018c8ee12

SHA256
226eac6b8ce415bf0900050818f8212129fc51d14dab026e7b8600aa89d65c8a

SHA512
c3c53aca227ac035ac838002c8f68b2d449ac983a85780356eb8ef7791171fdb2133cf7f8b694cd4e62b6239b5b8ca21013c483c797153dcd57ea845d4b458cb

Download Submit
\??\c:\program files (x86)\windowspowershell\configuration\nppdf32.dll

Filesize
814KB

MD5
559b0bf4d0449a93271fabee29341761

SHA1
1b0ccf4b8c4d3142916df51cd3b6365517da12e8

SHA256
c104b10934809ca8a6bc132397ead846b0af051bdde9294cb4e3c2bc6f5f3622

SHA512
78133af58277c389a9f7dcee848628621b4020e106ef4b99991217177fb2891260044c640ab7733723e313c487c23742d70ee077272379bda5b06732a010b032

Download Submit
memory/940-170-0x00000000046B0000-0x0000000005207000-memory.dmp

Filesize
11.3MB

Download
memory/940-171-0x00000000046B0000-0x0000000005207000-memory.dmp

Filesize
11.3MB

Download
memory/1332-148-0x0000000000460000-0x00000000006FD000-memory.dmp

Filesize
2.6MB

Download
memory/1332-146-0x0000022DD81B0000-0x0000022DD82F0000-memory.dmp

Filesize
1.2MB

Download
memory/1332-149-0x0000022DD6760000-0x0000022DD6A0E000-memory.dmp

Filesize
2.7MB

Download
memory/1332-147-0x0000022DD81B0000-0x0000022DD82F0000-memory.dmp

Filesize
1.2MB

Download
memory/1932-156-0x00000000037D0000-0x0000000004327000-memory.dmp

Filesize
11.3MB

Download
memory/1932-168-0x00000000037D0000-0x0000000004327000-memory.dmp

Filesize
11.3MB

Download
memory/1932-173-0x00000000037D0000-0x0000000004327000-memory.dmp

Filesize
11.3MB

Download
memory/2780-137-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2780-136-0x0000000002330000-0x000000000245F000-memory.dmp

Filesize
1.2MB

Download
memory/2780-135-0x0000000000797000-0x0000000000883000-memory.dmp

Filesize
944KB

Download
memory/4448-142-0x0000000005120000-0x0000000005260000-memory.dmp

Filesize
1.2MB

Download
memory/4448-152-0x0000000004500000-0x0000000005057000-memory.dmp

Filesize
11.3MB

Download
memory/4448-144-0x0000000005120000-0x0000000005260000-memory.dmp

Filesize
1.2MB

Download
memory/4448-143-0x0000000005120000-0x0000000005260000-memory.dmp

Filesize
1.2MB

Download
memory/4448-141-0x0000000005120000-0x0000000005260000-memory.dmp

Filesize
1.2MB

Download
memory/4448-140-0x0000000005120000-0x0000000005260000-memory.dmp

Filesize
1.2MB

Download
memory/4448-139-0x0000000005120000-0x0000000005260000-memory.dmp

Filesize
1.2MB

Download
memory/4448-138-0x0000000004500000-0x0000000005057000-memory.dmp

Filesize
11.3MB

Download