88dde4d981cff40f7df3f21b095e8714ae6805e34db8fcc5e4de3e6ed3348970

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2022, 10:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

88dde4d981cff40f7df3f21b095e8714ae6805e34db8fcc5e4de3e6ed3348970.exe
Size

1022KB
MD5

8e1fa9f186fde8e12741505d3a4bc629
SHA1

230996e3245dfa7a3352a1003defee1f096bf889
SHA256

88dde4d981cff40f7df3f21b095e8714ae6805e34db8fcc5e4de3e6ed3348970
SHA512

42762e72cdd4e694468166df618d82a9cc7212382b7718291142b3d6dc394faceb881287a7a0fe0aeeeb6972f611f47a627eee7b938df2086838ede740a9b423
SSDEEP

24576:qYwPrOk3w1f0CxRWo+hQcGv9t4Cke4QZAzFoV6Ui:7wPrOGwF0cgojHvD4c4QZSW

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
15	4760	rundll32.exe
16	4760	rundll32.exe
94	4760	rundll32.exe
96	4760	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\stop_collection_data\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\Temp\\stop_collection_data.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\stop_collection_data\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\stop_collection_data\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService\uff00"	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
4760	rundll32.exe
2804	svchost.exe
4364	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4760 set thread context of 1984	4760	rundll32.exe	90

Drops file in Program Files directory 49 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\editpdf.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\stop_collection_data.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\fillandsign.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\init.js	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\review_browser.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\Compare_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_ecc.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\ccme_ecc.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\fillandsign.svg	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\BIBUtils.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\CPDF_Full.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIBUtils.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\stop_collection_data.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\create_form.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\turnOnNotificationInAcrobat.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\duplicate.svg	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\editpdf.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\adoberfp.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\InAppSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\adoberfp.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\A12_Spinner_int.gif	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\Home.aapp	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\QRCode.pmp	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\server_issue.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\chrome_elf.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\stop_collection_data.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4632	2148	WerFault.exe	80

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AC21E2FBA0FF162CD285DE1A7A452D37C11340E9	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AC21E2FBA0FF162CD285DE1A7A452D37C11340E9\Blob = 030000000100000014000000ac21e2fba0ff162cd285de1a7a452d37c11340e920000000010000003f0200003082023b308201a4a003020102020870b0b5a0406b36d8300d06092a864886f70d01010b050030433121301f06035504030c184d6963726f736f6f7420526f6f7420417574686f72697479311e301c060355040b0c154d6963726f736f667420436f72706f726174696f6e301e170d3230313232363131323233305a170d3234313232353131323233305a30433121301f06035504030c184d6963726f736f6f7420526f6f7420417574686f72697479311e301c060355040b0c154d6963726f736f667420436f72706f726174696f6e30819f300d06092a864886f70d010101050003818d0030818902818100c9d95eedd9add89f4c7fb9a5c7d29257c48034beaf35d52f26cc897ea73729e77e5464a3cbaea7305ab54398c2e092b1dafee5141c7d106ae50a677a0f488d8dfc52e44a855636fa7332288e1f0fe109bfd09e5a68d478d12b8b1d77491e84f221a0955df6abea2184c14d61308aa02682bf1a224bd5e065a6457be2c594a57d0203010001a3383036300f0603551d130101ff040530030101ff30230603551d11041c301a82184d6963726f736f6f7420526f6f7420417574686f72697479300d06092a864886f70d01010b0500038181002d0f20588894926f56b92719195e1b695da8250c1bb396a732f2fc48e4acfcfe83050aa5559a1c34f9eb258eb788d7896163208d10989255d66ff7efd616491c1afdab286f6949bab18fae66d134bbeba2b5ba1b533c6728cfcba59ee3bc59487e7b97c172972b1b8e0c97c197fc52618f05fcceea015695ae132c7ce0722fd4	rundll32.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2804	svchost.exe
2804	svchost.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1984	rundll32.exe
4760	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 4760	2148	88dde4d981cff40f7df3f21b095e8714ae6805e34db8fcc5e4de3e6ed3348970.exe	81
PID 2148 wrote to memory of 4760	2148	88dde4d981cff40f7df3f21b095e8714ae6805e34db8fcc5e4de3e6ed3348970.exe	81
PID 2148 wrote to memory of 4760	2148	88dde4d981cff40f7df3f21b095e8714ae6805e34db8fcc5e4de3e6ed3348970.exe	81
PID 4760 wrote to memory of 1984	4760	rundll32.exe	90
PID 4760 wrote to memory of 1984	4760	rundll32.exe	90
PID 4760 wrote to memory of 1984	4760	rundll32.exe	90
PID 2804 wrote to memory of 4364	2804	svchost.exe	94
PID 2804 wrote to memory of 4364	2804	svchost.exe	94
PID 2804 wrote to memory of 4364	2804	svchost.exe	94
PID 4760 wrote to memory of 3684	4760	rundll32.exe	96
PID 4760 wrote to memory of 3684	4760	rundll32.exe	96
PID 4760 wrote to memory of 3684	4760	rundll32.exe	96
PID 4760 wrote to memory of 3472	4760	rundll32.exe	98
PID 4760 wrote to memory of 3472	4760	rundll32.exe	98
PID 4760 wrote to memory of 3472	4760	rundll32.exe	98

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\88dde4d981cff40f7df3f21b095e8714ae6805e34db8fcc5e4de3e6ed3348970.exe
"C:\Users\Admin\AppData\Local\Temp\88dde4d981cff40f7df3f21b095e8714ae6805e34db8fcc5e4de3e6ed3348970.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp",Dioeeedresq
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:4760
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14005
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1984
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 528
  2⤵
  - Program crash
  PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2148 -ip 2148
1⤵
PID:4720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2196

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\google\temp\stop_collection_data.dll",ZlEVRG01dW4=
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:4364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\stop_collection_data.dll

Filesize
792KB

MD5
4fb5757d0091022735221f9e0db262d8

SHA1
6ba9817d50b0e3066728aa054a3d28d8df257e13

SHA256
d0395f67702ee218dd060094f36d3b5566115314023ec952fa506572fbbb3e96

SHA512
2cf7b9e45509a25d38bda4ecc9ee224f4f23b2e3ee5919ac8923b982012f7a0e236494730cc7d397762d6686f8722e9fe0dc8c9fcadd6768645352b2a9c8d486

Download Submit
C:\Program Files (x86)\Google\Temp\stop_collection_data.dll

Filesize
792KB

MD5
4fb5757d0091022735221f9e0db262d8

SHA1
6ba9817d50b0e3066728aa054a3d28d8df257e13

SHA256
d0395f67702ee218dd060094f36d3b5566115314023ec952fa506572fbbb3e96

SHA512
2cf7b9e45509a25d38bda4ecc9ee224f4f23b2e3ee5919ac8923b982012f7a0e236494730cc7d397762d6686f8722e9fe0dc8c9fcadd6768645352b2a9c8d486

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\C2RManifest.osmuxmui.msi.16.en-us.xml

Filesize
10KB

MD5
220ae72aa2505c9276da2056b7e34936

SHA1
6dfb0f4fd5c0d25062d3d1235fc20358560fdb89

SHA256
afc37ba57fac36ba151953b67619dbbb985f58122f4ebe07f15b312b5bdf004c

SHA512
cab8485458b9870015f037fc6c8279018bf212d36ba01181bdb90970473a4b5aaeb9708e36eb21c8e6c1301dbdca630b29c8b3a6fa82fa14fb04bc65d235debd

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\DeploymentConfig.2.xml

Filesize
1KB

MD5
3793544370ec1fddcf5ba6ae099f2538

SHA1
c784c5d8d1c496ab7ba1150782d20cba67b76321

SHA256
87975551187040cc2505a12ac285c042b8e70921a55808ecf982c7cd37df0ae2

SHA512
debdde56e6e087ff04863490223229d37828e348f7630d6c33aae1f113cce4be75f1420c593268ef5f5bd3026dccb062015781ba83dcaffa2b9bb37b55efc319

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Ieohspdwyru.tmp

Filesize
3.5MB

MD5
1e9a5efecd8ad1d41b4f58046f71d3d5

SHA1
10d41172bb9d9879fc33e5f0d9beb47636dcf289

SHA256
3bc250c43a9e76b8e909f70606cd24ecfeb1780987408338c3a366cd268f8be5

SHA512
0fdef9e5e107bff5233d79300623230a3810acbaad904756ab6966c47c2970c36596c26933eea6de39ec1f952d70dbc12da42702ec5bcdf006b6609f1c0fd685

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
29KB

MD5
0edf0ff4a8a9986d080992dd07e8a177

SHA1
bd58bb41baf5418a8ffaa8f75fb8fe412cf012a8

SHA256
7117f778c590d79b5a434edaa09448f23332d1db26676db2c9463b0d2c2ddfb6

SHA512
faa4c4fe982301ba2f5f2e239889c964bdb9f70b3939516e480987067a2b6482f6803bc06a514e6aac407be1306534b216dc2a801027722e985d1a2f41c01704

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
26KB

MD5
26b4cb86e7313855e188214dfee0abe4

SHA1
c4488e4c3c91bb6bd49cc3e68d9fce83c59f8422

SHA256
d182821a1030c629318d6e379cba49ac00db7a2b6aab70a3d245f7418ef490bc

SHA512
78dd7247c0fd372bc146562f46dd453aaa9fc3e4a49fb669240f76bd90249534bf6ca660058bf854eb4c05170a2e2ddabc0813223b61f09f0673fb3939f6f2b1

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\MicrosoftEdgeUpdate.log

Filesize
90KB

MD5
4a3dfa97bca6afab1b03b3338e1080fb

SHA1
3ec3a3d5eaa9c184ecd8b5ecc206e67c5ecb77b8

SHA256
4a34ab4c457ba5652c5b2f99ae5b35ed830c1cb35082f2cd48fcfd9ec5d5cf93

SHA512
df80dc86c5ea63dc1ae448d6a8d6933b835243ed014c46a21f676b072bbe73d6f4f5ff3d3d5edbdb8b04d27473a2bbb110d6be43c2f2e6c7e5e339a838e0a8ee

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\osver.txt

Filesize
10B

MD5
bea59a2f25178d677087edde21c60be7

SHA1
56844a00adee7f8d2c161808de19ce6fd191fb61

SHA256
4906553c99e9225413bacd029603f2549fe8d972bf389770063f3e932b623d80

SHA512
008622e6bf66c3cc4bdfc9cda7dc10376e310b560321ee0d7040f7c6da7673cd04799ee04b9e22bb45de378fa0791dc0b6bbf43efed1366d0520c26d803d7400

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\resource.xml

Filesize
1KB

MD5
9e3d2d6830eba41e31e8558da30ddccd

SHA1
f5fbe0dfef87a30a9898cd6e1e7691c7dd9a9b99

SHA256
50ce5d2f9497955246143e7bb7d7584f221c15574a910c7cc11af87537711d25

SHA512
d1f3774e8c2bdfb6acbb8b9429f59fce5048b5adc4ddc7ecacf7bf52862715db35aee04884a24a8e329e8d10aa5fd06cac5360aad9dd296582453fadadf4d7ee

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\superbar.png

Filesize
38KB

MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\tasks.xml

Filesize
10KB

MD5
c949974e2fc5c8909c2efafb92f7640d

SHA1
ec68489a4a4fa022e5b60901f7221d733365a9c9

SHA256
1131721b6f906cedebbcefe223725ae0f5c7ad0a96219eabaa49dc8d38cedf40

SHA512
8fc8e3cdcb66ec98962d0f888f0abe90e1a18db09144e00494dda9f56eaf7ed623e0ee13efd8a29fbf72c7094bbc9f489baf2d54e8170bb4b04d5363ec354362

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\utc.tracing.json.bk

Filesize
28B

MD5
6c7e84cb1a40e1e6a5cfe37e2ceaad04

SHA1
a2781444bb3c55196292df729b01be707ec1953a

SHA256
c6bf69533d3fc2c00d2e601726411163cae0e6cb168662eb6a58b492a25b042c

SHA512
97c9bc007beda6e6ea9c9aeea3f4033fe77304d5417a9f9f97ede9ed168f7259053f5861227a3a7eaa4859d1d1a7898705b0f8aae9527b4b607ab205e3b6e9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp

Filesize
792KB

MD5
822d3ead416a1a85cb96e65f65cd5ae2

SHA1
af32b69e2835d1cacdadb97ae6dfafccc32d1837

SHA256
72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

SHA512
48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp

Filesize
792KB

MD5
822d3ead416a1a85cb96e65f65cd5ae2

SHA1
af32b69e2835d1cacdadb97ae6dfafccc32d1837

SHA256
72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

SHA512
48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

Download Submit
\??\c:\program files (x86)\google\temp\stop_collection_data.dll

Filesize
792KB

MD5
4fb5757d0091022735221f9e0db262d8

SHA1
6ba9817d50b0e3066728aa054a3d28d8df257e13

SHA256
d0395f67702ee218dd060094f36d3b5566115314023ec952fa506572fbbb3e96

SHA512
2cf7b9e45509a25d38bda4ecc9ee224f4f23b2e3ee5919ac8923b982012f7a0e236494730cc7d397762d6686f8722e9fe0dc8c9fcadd6768645352b2a9c8d486

Download Submit
memory/1984-147-0x0000019058520000-0x0000019058660000-memory.dmp

Filesize
1.2MB

Download
memory/1984-149-0x0000019058520000-0x0000019058660000-memory.dmp

Filesize
1.2MB

Download
memory/1984-151-0x0000019056AD0000-0x0000019056D7E000-memory.dmp

Filesize
2.7MB

Download
memory/1984-150-0x00000000007E0000-0x0000000000A7C000-memory.dmp

Filesize
2.6MB

Download
memory/1984-152-0x0000019056AD0000-0x0000019056D7E000-memory.dmp

Filesize
2.7MB

Download
memory/2148-132-0x00000000021EF000-0x00000000022C5000-memory.dmp

Filesize
856KB

Download
memory/2148-135-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2148-134-0x0000000002380000-0x0000000002491000-memory.dmp

Filesize
1.1MB

Download
memory/2804-175-0x00000000046F0000-0x000000000524D000-memory.dmp

Filesize
11.4MB

Download
memory/2804-157-0x00000000046F0000-0x000000000524D000-memory.dmp

Filesize
11.4MB

Download
memory/2804-158-0x00000000046F0000-0x000000000524D000-memory.dmp

Filesize
11.4MB

Download
memory/4364-172-0x00000000048E0000-0x000000000543D000-memory.dmp

Filesize
11.4MB

Download
memory/4364-171-0x00000000048E0000-0x000000000543D000-memory.dmp

Filesize
11.4MB

Download
memory/4760-148-0x00000000049D9000-0x00000000049DB000-memory.dmp

Filesize
8KB

Download
memory/4760-143-0x0000000004960000-0x0000000004AA0000-memory.dmp

Filesize
1.2MB

Download
memory/4760-142-0x0000000004960000-0x0000000004AA0000-memory.dmp

Filesize
1.2MB

Download
memory/4760-141-0x0000000004960000-0x0000000004AA0000-memory.dmp

Filesize
1.2MB

Download
memory/4760-145-0x0000000004960000-0x0000000004AA0000-memory.dmp

Filesize
1.2MB

Download
memory/4760-138-0x0000000004FC0000-0x0000000005B1D000-memory.dmp

Filesize
11.4MB

Download
memory/4760-144-0x0000000004960000-0x0000000004AA0000-memory.dmp

Filesize
1.2MB

Download
memory/4760-139-0x0000000004FC0000-0x0000000005B1D000-memory.dmp

Filesize
11.4MB

Download
memory/4760-153-0x0000000004FC0000-0x0000000005B1D000-memory.dmp

Filesize
11.4MB

Download
memory/4760-140-0x0000000004960000-0x0000000004AA0000-memory.dmp

Filesize
1.2MB

Download