Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
23/12/2022, 16:35
Static task
static1
Behavioral task
behavioral1
Sample
2e6bea0f83ebe6b4a523b65774c5b256cecdd866dfa85497f7c7f52769906b63.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
28 signatures
150 seconds
General
-
Target
2e6bea0f83ebe6b4a523b65774c5b256cecdd866dfa85497f7c7f52769906b63.exe
-
Size
229KB
-
MD5
c8319250371b63dba3aa715ba1d942f5
-
SHA1
89b5f7790b6a393a4e645989049938da6a791ce0
-
SHA256
2e6bea0f83ebe6b4a523b65774c5b256cecdd866dfa85497f7c7f52769906b63
-
SHA512
0511c56aedb0dfe9c4bb8a96fa3f07cd174901d1240b880a459819f41d2eb54d381113d872801c39f19e37c3765f2d012a35461bea2fb1308340072acaa2c8d6
-
SSDEEP
3072:8Aw/1CLeTjtUpIyATSpWCwvC7RotTzXtAhu+oukzDV1vWBkOuRGK:o9CLIOpQupWjCOtT7tAIuk11vpjcK
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral1/memory/4696-133-0x0000000000460000-0x0000000000469000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
flow pid Process 57 2120 rundll32.exe 63 2120 rundll32.exe 80 2120 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 2792 EE0E.exe -
Loads dropped DLL 1 IoCs
pid Process 2120 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts rundll32.exe -
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2120 set thread context of 4492 2120 rundll32.exe 92 -
Drops file in Program Files directory 17 IoCs
description ioc Process File created C:\Program Files (x86)\WindowsPowerShell\Modules\UnifiedShare.aapp rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\warning.dll rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\createpdf.svg rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\cryptocme.dll rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\UnifiedShare.aapp rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\StandardBusiness.pdf rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\download.svg rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\createpdf.svg rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig rundll32.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\download.svg rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1512 2792 WerFault.exe 88 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2e6bea0f83ebe6b4a523b65774c5b256cecdd866dfa85497f7c7f52769906b63.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2e6bea0f83ebe6b4a523b65774c5b256cecdd866dfa85497f7c7f52769906b63.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2e6bea0f83ebe6b4a523b65774c5b256cecdd866dfa85497f7c7f52769906b63.exe -
Checks processor information in registry 2 TTPs 26 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 rundll32.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Toolbar Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Process not Found -
Modifies registry class 30 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000097559c8c100054656d7000003a0009000400efbe6b557d6c97559c8c2e000000000000000000000000000000000000000000000000009fda4a00540065006d007000000014000000 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Process not Found -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2708 Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4696 2e6bea0f83ebe6b4a523b65774c5b256cecdd866dfa85497f7c7f52769906b63.exe 4696 2e6bea0f83ebe6b4a523b65774c5b256cecdd866dfa85497f7c7f52769906b63.exe 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2708 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4696 2e6bea0f83ebe6b4a523b65774c5b256cecdd866dfa85497f7c7f52769906b63.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeShutdownPrivilege 2708 Process not Found Token: SeCreatePagefilePrivilege 2708 Process not Found Token: SeDebugPrivilege 2120 rundll32.exe Token: SeShutdownPrivilege 2708 Process not Found Token: SeCreatePagefilePrivilege 2708 Process not Found Token: SeShutdownPrivilege 2708 Process not Found Token: SeCreatePagefilePrivilege 2708 Process not Found Token: SeShutdownPrivilege 2708 Process not Found Token: SeCreatePagefilePrivilege 2708 Process not Found Token: SeShutdownPrivilege 2708 Process not Found Token: SeCreatePagefilePrivilege 2708 Process not Found Token: SeShutdownPrivilege 2708 Process not Found Token: SeCreatePagefilePrivilege 2708 Process not Found Token: SeShutdownPrivilege 2708 Process not Found Token: SeCreatePagefilePrivilege 2708 Process not Found Token: SeShutdownPrivilege 2708 Process not Found Token: SeCreatePagefilePrivilege 2708 Process not Found Token: SeShutdownPrivilege 2708 Process not Found Token: SeCreatePagefilePrivilege 2708 Process not Found Token: SeShutdownPrivilege 2708 Process not Found Token: SeCreatePagefilePrivilege 2708 Process not Found -
Suspicious use of FindShellTrayWindow 10 IoCs
pid Process 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 4492 rundll32.exe 2708 Process not Found 2708 Process not Found 2708 Process not Found 2708 Process not Found 2120 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2708 Process not Found 2708 Process not Found -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2708 wrote to memory of 2792 2708 Process not Found 88 PID 2708 wrote to memory of 2792 2708 Process not Found 88 PID 2708 wrote to memory of 2792 2708 Process not Found 88 PID 2792 wrote to memory of 2120 2792 EE0E.exe 89 PID 2792 wrote to memory of 2120 2792 EE0E.exe 89 PID 2792 wrote to memory of 2120 2792 EE0E.exe 89 PID 2120 wrote to memory of 4492 2120 rundll32.exe 92 PID 2120 wrote to memory of 4492 2120 rundll32.exe 92 PID 2120 wrote to memory of 4492 2120 rundll32.exe 92 PID 2120 wrote to memory of 3628 2120 rundll32.exe 93 PID 2120 wrote to memory of 3628 2120 rundll32.exe 93 PID 2120 wrote to memory of 3628 2120 rundll32.exe 93 PID 2120 wrote to memory of 3432 2120 rundll32.exe 95 PID 2120 wrote to memory of 3432 2120 rundll32.exe 95 PID 2120 wrote to memory of 3432 2120 rundll32.exe 95 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e6bea0f83ebe6b4a523b65774c5b256cecdd866dfa85497f7c7f52769906b63.exe"C:\Users\Admin\AppData\Local\Temp\2e6bea0f83ebe6b4a523b65774c5b256cecdd866dfa85497f7c7f52769906b63.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4696
-
C:\Users\Admin\AppData\Local\Temp\EE0E.exeC:\Users\Admin\AppData\Local\Temp\EE0E.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Oyiesauffusw.tmp",Wuuitfqhpt2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2120 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 171033⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4492
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:3628
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵PID:3432
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 5282⤵
- Program crash
PID:1512
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2792 -ip 27921⤵PID:3808
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4416
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD546ed908fd15d8ef90aac5aeab58c73b2
SHA1bf2e893778b82590f00fc0d20fd39486dfe32bc3
SHA25680fe8bd5a77f553a6f68750da9eab56175ee41a59aa48aa1d16cb05fe141db25
SHA5125ae75d9b3d93a0819a6386541722e5bb5c0851fe2b7e6e7c7c1741e943e370e71ae226a2691641e303e5babf9cb3fefe834989fd4642b8e30d3a50008c18b10a
-
Filesize
1.0MB
MD546ed908fd15d8ef90aac5aeab58c73b2
SHA1bf2e893778b82590f00fc0d20fd39486dfe32bc3
SHA25680fe8bd5a77f553a6f68750da9eab56175ee41a59aa48aa1d16cb05fe141db25
SHA5125ae75d9b3d93a0819a6386541722e5bb5c0851fe2b7e6e7c7c1741e943e370e71ae226a2691641e303e5babf9cb3fefe834989fd4642b8e30d3a50008c18b10a
-
Filesize
730KB
MD58d039a703875733043526555982e4e60
SHA1f583795e790e682db2feaa5f5b8d282216f581e2
SHA2565cb8e52b000f84494627db8e8e700e7731c9bfa2eb9e6a8a8280d2311327e81a
SHA5123e89ec3eb7e90aa93c0a3cc2d120521b1c2236a8a2169b2654fcc153f926b97e85267a177ef92f3ac3a7aa493a81a3a55c1b6b56ef8f8beb93b78bf3eb10373e
-
Filesize
730KB
MD58d039a703875733043526555982e4e60
SHA1f583795e790e682db2feaa5f5b8d282216f581e2
SHA2565cb8e52b000f84494627db8e8e700e7731c9bfa2eb9e6a8a8280d2311327e81a
SHA5123e89ec3eb7e90aa93c0a3cc2d120521b1c2236a8a2169b2654fcc153f926b97e85267a177ef92f3ac3a7aa493a81a3a55c1b6b56ef8f8beb93b78bf3eb10373e