2b28b1b6f180b4b0945bbcc20ee2359a755d724a9dbdd6bd6fe3757e3c39c94b

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2022, 22:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b28b1b6f180b4b0945bbcc20ee2359a755d724a9dbdd6bd6fe3757e3c39c94b.exe
Size

1018KB
MD5

328c8b96d14f7d8fb30b241b050bc791
SHA1

f82d16266545f6c832e8de648d4a805db76cd0f0
SHA256

2b28b1b6f180b4b0945bbcc20ee2359a755d724a9dbdd6bd6fe3757e3c39c94b
SHA512

d339ed6143a78a765a40d2bb509414c22040ed05821afac57d1ec75eca0277e892cd83162ac1c848ffddb55ffdcbd94ef4eef4cbe237967b94321df7a3cd2ae7
SSDEEP

24576:BA1aqFK3oGDLpbHDGIP/W5BSG+TG30RXj6QjTI:BUaDZKz8GAz

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
13	4736	rundll32.exe
14	4736	rundll32.exe
40	4736	rundll32.exe
42	4736	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AcroLayoutRecognizer\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\Temp\\AcroLayoutRecognizer.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AcroLayoutRecognizer\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
4736	rundll32.exe
4044	svchost.exe
3852	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4736 set thread context of 3448	4736	rundll32.exe	90

Drops file in Program Files directory 61 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\SaveAsRTF.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\COPYING.LGPLv2.1.txt	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\AiodLite.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\Words.pdf	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\Checkers.api	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\DarkTheme.acrotheme	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\aic_file_icons.png	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\StorageConnectors.api	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_email.gif	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\rename.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\arh.exe	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\Search.api	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\back-arrow-down.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\nppdf32.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\AcroLayoutRecognizer.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\ccloud_retina.png	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-down.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\share.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.ini	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\apple-touch-icon-57x57-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\review_email.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\rename.svg	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\review_shared.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\Edit_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\A3DUtils.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\CPDF_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5068	4632	WerFault.exe	80

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4943B843C829B7402DD52A2E165D064C10169F1C	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4943B843C829B7402DD52A2E165D064C10169F1C\Blob = 0300000001000000140000004943b843c829b7402dd52a2e165d064c10169f1c20000000010000007a02000030820276308201dfa0030201020208295769d4769359a5300d06092a864886f70d01010b050030613120301e06035504030c17446967694365727420476c6f62616c20526f677420473231193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3230313232363233313531375a170d3234313232353233313531375a30613120301e06035504030c17446967694365727420476c6f62616c20526f677420473231193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100e3f38717c6a4edd81faddfea9342ca49c81816b56d8d77b4bb0e6b4f01a2cb9158f015f58366f459ef13da0f8d6cbef5abde87af840882f14cf90c8cb3d32d0ea6c2b62a9ef295a9b92275664231f1100ae6b482913c7c4a2eac2e9befd4b799c714ee113c8a6cd80877684734f3777312e3ff35ffff973b5c37d5592fc0913d0203010001a3373035300f0603551d130101ff040530030101ff30220603551d11041b30198217446967694365727420476c6f62616c20526f6774204732300d06092a864886f70d01010b05000381810001bcf50b802ee3f07f044d5a21f4e0cda0d20be84ea62031efad9164ea9349f8b733197dcc9e4cd7b6ce8f77e5ca498cc688b4487e2c97713d82f38e1cd65b82396d90126fc34063ecbf12ec1e8f93528787f7ac1a058cdca401e5d8423a47fd39d844d45cfb48332dcfc6a77aa65c1c0334779acc8ac3f95b8df1b8ac7a90ef	rundll32.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4044	svchost.exe
4044	svchost.exe
4736	rundll32.exe
4736	rundll32.exe
4736	rundll32.exe
4736	rundll32.exe
4736	rundll32.exe
4736	rundll32.exe
4736	rundll32.exe
4736	rundll32.exe
4044	svchost.exe
4044	svchost.exe
4044	svchost.exe
4044	svchost.exe
4044	svchost.exe
4044	svchost.exe
4044	svchost.exe
4044	svchost.exe
4044	svchost.exe
4044	svchost.exe
4044	svchost.exe
4044	svchost.exe
4044	svchost.exe
4044	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4736	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3448	rundll32.exe
4736	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 4736	4632	2b28b1b6f180b4b0945bbcc20ee2359a755d724a9dbdd6bd6fe3757e3c39c94b.exe	81
PID 4632 wrote to memory of 4736	4632	2b28b1b6f180b4b0945bbcc20ee2359a755d724a9dbdd6bd6fe3757e3c39c94b.exe	81
PID 4632 wrote to memory of 4736	4632	2b28b1b6f180b4b0945bbcc20ee2359a755d724a9dbdd6bd6fe3757e3c39c94b.exe	81
PID 4736 wrote to memory of 3448	4736	rundll32.exe	90
PID 4736 wrote to memory of 3448	4736	rundll32.exe	90
PID 4736 wrote to memory of 3448	4736	rundll32.exe	90
PID 4044 wrote to memory of 3852	4044	svchost.exe	94
PID 4044 wrote to memory of 3852	4044	svchost.exe	94
PID 4044 wrote to memory of 3852	4044	svchost.exe	94
PID 4736 wrote to memory of 928	4736	rundll32.exe	96
PID 4736 wrote to memory of 928	4736	rundll32.exe	96
PID 4736 wrote to memory of 928	4736	rundll32.exe	96
PID 4736 wrote to memory of 4652	4736	rundll32.exe	98
PID 4736 wrote to memory of 4652	4736	rundll32.exe	98
PID 4736 wrote to memory of 4652	4736	rundll32.exe	98

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2b28b1b6f180b4b0945bbcc20ee2359a755d724a9dbdd6bd6fe3757e3c39c94b.exe
"C:\Users\Admin\AppData\Local\Temp\2b28b1b6f180b4b0945bbcc20ee2359a755d724a9dbdd6bd6fe3757e3c39c94b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp",Dioeeedresq
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:4736
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14026
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3448
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:928
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 536
  2⤵
  - Program crash
  PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4632 -ip 4632
1⤵
PID:4220

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1032

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\google\temp\acrolayoutrecognizer.dll",dD42Vg==
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:3852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\AcroLayoutRecognizer.dll

Filesize
792KB

MD5
d5fdbe09b699e7de6623546171db96c7

SHA1
be0e24fccf7f78bb07e3b7c9f29cc129b0123f4f

SHA256
179e2342f89c09a0e626e74bfb5be012ec756446310a0493c5843ae03a26ca8f

SHA512
12887a0fa40f84227e6fef0eb9733881d93698b37518651af504ee3c584b1c94f4133aaa742b304e2f7d4fbe46a4be62fdee83aaa06f48289249e33857cac9de

Download Submit
C:\Program Files (x86)\Google\Temp\AcroLayoutRecognizer.dll

Filesize
792KB

MD5
d5fdbe09b699e7de6623546171db96c7

SHA1
be0e24fccf7f78bb07e3b7c9f29cc129b0123f4f

SHA256
179e2342f89c09a0e626e74bfb5be012ec756446310a0493c5843ae03a26ca8f

SHA512
12887a0fa40f84227e6fef0eb9733881d93698b37518651af504ee3c584b1c94f4133aaa742b304e2f7d4fbe46a4be62fdee83aaa06f48289249e33857cac9de

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch

Filesize
158B

MD5
dd8778eda0b96d5d71716fbb50300293

SHA1
17b3a49fe039ef5c930801c3a77922b30a61ee69

SHA256
61e06f4deff92e80d1605cb17a0c83604ac6cdb72fb3d4b1e3d0eb7e7bbbf4a0

SHA512
4efee799ddfb3d98a6b402aebed2ec79cfbd1cab200bfad1f95af432b91ce11e0404cd1cdf9f5a46324757c135928cb0ce42197c3021ae506ac6dd047127491b

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml

Filesize
30KB

MD5
98de295b21abe2451f86b82df3be269a

SHA1
1665a23d307748e8c1c0164ba7939275f9fb676c

SHA256
fd3507cd60edf41093c8fe843d1601e33db9cbe1cd36247cec587c265109bcfa

SHA512
230ae283c81771496dcae9ef84787379712106738ea82754b101af9047ae27cadb8b1f4aed00d146a699c22fd1c505c31068418a70d2b535c85c3017726d91cc

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Ieohspdwyru.tmp

Filesize
3.5MB

MD5
29339534aae48a83c83c1d43a18125ab

SHA1
40d5bef1e1bdd0c854e50dd5aead3b850a79c32d

SHA256
dc77d9bcdfb4ecfd5038b56d71b480bf8b4a90a8f8fe0477e169fcab33b83d0d

SHA512
613e9072a87188cb4bf1faaf385c7e998154c4a846fc1949f3a0507e7e0e8a9c13b42744eeb58a246943ca5809ac5dddd55ee2e3dc3bda974cfa51d25a072cbf

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Ieohspdwyru.tmp

Filesize
3.5MB

MD5
29339534aae48a83c83c1d43a18125ab

SHA1
40d5bef1e1bdd0c854e50dd5aead3b850a79c32d

SHA256
dc77d9bcdfb4ecfd5038b56d71b480bf8b4a90a8f8fe0477e169fcab33b83d0d

SHA512
613e9072a87188cb4bf1faaf385c7e998154c4a846fc1949f3a0507e7e0e8a9c13b42744eeb58a246943ca5809ac5dddd55ee2e3dc3bda974cfa51d25a072cbf

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe.xml

Filesize
830B

MD5
05cd2b53b1d4a6dfec2c8e5bea828b91

SHA1
717e71c2e42f0a993d6a110c3b6c37e5560837ec

SHA256
225e46e9c3381e4935dc7c245ce3e3fec92d1a777b2af82c3aae05802d7420c7

SHA512
a6d69ed210136c098d7ead5b22d2317476fa1ad1690b52f9b1c3620d7b0e52a5adc4f90e18cf971af48bab3a9d8afd50d0d4536ab73faa288687bedc11a5d1e2

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.LockApp_10.0.19041.1023_neutral__cw5n1h2txyewy.xml

Filesize
2KB

MD5
2ff808c347a1bd28f3df3bc8873d73d6

SHA1
afc3b29446a1e5ea641db1c5f1521b2f5c814581

SHA256
6d6bb6749a28b69f42fede441d1c84dbff9c3f69938e637eee4fc260d0c92301

SHA512
33c2861f5b1f0b87be1f7a5d59313d5977d284ba70a126541f2daed6297ac35cf11c4f43107148f05da7e4748f49b3e99335d4c2164ba04e0a4f17830afd1706

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe.xml

Filesize
829B

MD5
87abe99363b16041e32b8a146eb53617

SHA1
b1f3f3c3939f2331dee213e480f4a4d0c753f72a

SHA256
7c8df7b34fca6387a15cbc0d6f591624a5a28bf513f71eb1077d55f1b448d856

SHA512
091ffae18e7cf41237b1039964cb4c3116275edfa34b198bbb9a0b258a99bf3b62b420fb22d747788a889f2306c30f0dc00566c432d4b2bb2e410a9e7dc69e44

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
15KB

MD5
c73eeb9dedd94a612969e003260e6341

SHA1
0451277183bad12e3179c12c0a14694fab52bc8d

SHA256
1ee54a9294af6727770aff79f2c901cd40ca23dfb4803788042aada54146e355

SHA512
d78542d9c74efeac1d925d9d05c691c5543d04e6b671a5ef160f0fafc3b4444d327cf37206d78f43b607f817b6545cb9673b85d713b8c59d0c97103aee55245a

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\MicrosoftEdgeUpdate.log

Filesize
84KB

MD5
ace207b26c7eec1093af025cc57755ab

SHA1
96cd00ca09b272c1f67ffa692debf5d18ac157e9

SHA256
de7e015ecee7971276a15756c66935502aa9362d964926928a7b58db2590bf5e

SHA512
070f047857ac03f34bf9b1c60f7a0a3f300ec0aad76d0b52f55aaac5704110fc82af512547fcbc4750cb7bc09cad681f7db26639c853969058d34f696122ceff

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\RoamingCredentialSettings.xml

Filesize
3KB

MD5
a186bfcab0d099811bf38b4c09102755

SHA1
9aadb653c69a0009f39d187a76ba51c0869ff9f2

SHA256
88b885c0292640fbbde80bbe0764b23e4d9621b89b9077056c0e12bc2deb7e2f

SHA512
c0e7cc96ee60aa8abe6e9ddbb3eef76561ff332f32fcc1acc950fcd4a03e958eab40590bb5e6912771950c8110838831f265199b040934e1aa3e5224bd33443f

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\SettingsLocationTemplate2013A.xsd

Filesize
13KB

MD5
91452b27335b69acc128a8a841bfe405

SHA1
7d63c758a2d4d16ef4175637ed17d5ad2080a329

SHA256
ce07da21a959291739ec76f403576ef995d1bb29826b490184c2fe6a4e5c7b10

SHA512
ba5ff3e4e596e685ec3dff0951c298c76fd2240f774d0d01b80bce6ad5e234a208d0f775c0d2b30d0b9dfefb3e8bce173db4b1e77a9ca16251dde662a005163b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp

Filesize
792KB

MD5
822d3ead416a1a85cb96e65f65cd5ae2

SHA1
af32b69e2835d1cacdadb97ae6dfafccc32d1837

SHA256
72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

SHA512
48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp

Filesize
792KB

MD5
822d3ead416a1a85cb96e65f65cd5ae2

SHA1
af32b69e2835d1cacdadb97ae6dfafccc32d1837

SHA256
72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

SHA512
48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

Download Submit
\??\c:\program files (x86)\google\temp\acrolayoutrecognizer.dll

Filesize
792KB

MD5
d5fdbe09b699e7de6623546171db96c7

SHA1
be0e24fccf7f78bb07e3b7c9f29cc129b0123f4f

SHA256
179e2342f89c09a0e626e74bfb5be012ec756446310a0493c5843ae03a26ca8f

SHA512
12887a0fa40f84227e6fef0eb9733881d93698b37518651af504ee3c584b1c94f4133aaa742b304e2f7d4fbe46a4be62fdee83aaa06f48289249e33857cac9de

Download Submit
memory/3448-148-0x0000020485CD0000-0x0000020485E10000-memory.dmp

Filesize
1.2MB

Download
memory/3448-147-0x0000020485CD0000-0x0000020485E10000-memory.dmp

Filesize
1.2MB

Download
memory/3448-150-0x0000000000F30000-0x00000000011CC000-memory.dmp

Filesize
2.6MB

Download
memory/3448-151-0x0000020484280000-0x000002048452E000-memory.dmp

Filesize
2.7MB

Download
memory/3852-170-0x0000000005300000-0x0000000005E5D000-memory.dmp

Filesize
11.4MB

Download
memory/3852-169-0x0000000005300000-0x0000000005E5D000-memory.dmp

Filesize
11.4MB

Download
memory/4044-156-0x0000000004700000-0x000000000525D000-memory.dmp

Filesize
11.4MB

Download
memory/4044-173-0x0000000004700000-0x000000000525D000-memory.dmp

Filesize
11.4MB

Download
memory/4632-137-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/4632-136-0x00000000024C0000-0x00000000025D1000-memory.dmp

Filesize
1.1MB

Download
memory/4632-135-0x0000000002302000-0x00000000023D8000-memory.dmp

Filesize
856KB

Download
memory/4736-142-0x0000000005D50000-0x0000000005E90000-memory.dmp

Filesize
1.2MB

Download
memory/4736-152-0x0000000005130000-0x0000000005C8D000-memory.dmp

Filesize
11.4MB

Download
memory/4736-149-0x0000000005DC9000-0x0000000005DCB000-memory.dmp

Filesize
8KB

Download
memory/4736-144-0x0000000005D50000-0x0000000005E90000-memory.dmp

Filesize
1.2MB

Download
memory/4736-145-0x0000000005D50000-0x0000000005E90000-memory.dmp

Filesize
1.2MB

Download
memory/4736-143-0x0000000005D50000-0x0000000005E90000-memory.dmp

Filesize
1.2MB

Download
memory/4736-140-0x0000000005D50000-0x0000000005E90000-memory.dmp

Filesize
1.2MB

Download
memory/4736-141-0x0000000005D50000-0x0000000005E90000-memory.dmp

Filesize
1.2MB

Download
memory/4736-139-0x0000000005130000-0x0000000005C8D000-memory.dmp

Filesize
11.4MB

Download
memory/4736-138-0x0000000005130000-0x0000000005C8D000-memory.dmp

Filesize
11.4MB

Download