6bcb3820bfc04a26be416d94d12312eac70f48dd6b354a3e9010606167198e5a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2022, 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e893653c7423df0539e52768c35e717.exe
Size

1021KB
MD5

6e893653c7423df0539e52768c35e717
SHA1

8491cab5811f09638e146e1dc4526c0e9effca43
SHA256

6bcb3820bfc04a26be416d94d12312eac70f48dd6b354a3e9010606167198e5a
SHA512

496a2ccd996772c69cc8b28e9042f861df29109b47b26c166a52f59a4bece780c7efa5367618785672f378ae11fa6e8939cf0633bd17035c11284dce61bb16ba
SSDEEP

24576:TH0/iZ6LO8xC3k0IuHmzfXLunDAQOWIhafNnKDP2:D0/DvDruUigWi

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
11	4760	rundll32.exe
12	4760	rundll32.exe
42	4760	rundll32.exe
44	4760	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Edit_R_Exp_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\Temp\\Edit_R_Exp_RHP..dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Edit_R_Exp_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
4760	rundll32.exe
5092	svchost.exe
764	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4760 set thread context of 5076	4760	rundll32.exe	89

Drops file in Program Files directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\FullTrustNotifier.exe	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\AcroSup64.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\stop_collection_data.gif	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libEGL.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\Edit_R_Exp_RHP..dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\ccme_ecc.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroSup64.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-down.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\base_uris.js	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIBUtils.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\LogTransport2.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\base_uris.js	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-default.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\BIBUtils.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.ini	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\OptimizePDF_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\info.gif	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\libEGL.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\back-arrow-default.svg	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\back-arrow-down.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\adobe_spinner_mini.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\index.html	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_ecc.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\stop_collection_data.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\IA32.api	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\FillSign.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\Scan_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4496	4424	WerFault.exe	78

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\26B56BF16DF7E3ECCB6B3EF1B71904025C768C02	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\26B56BF16DF7E3ECCB6B3EF1B71904025C768C02\Blob = 03000000010000001400000026b56bf16df7e3eccb6b3ef1b71904025c768c022000000001000000610200003082025d308201c6a00302010202086f3d6041369ad41d300d06092a864886f70d01010b05003057311b301906035504030c12476c6f62696c5369676e20526f6f742043413110300e060355040b0c07526f6f7420434131193017060355040a0c10476c6f62616c5369676e206e762d7361310b3009060355040613024245301e170d3230313232363138303631365a170d3234313232353138303631365a3057311b301906035504030c12476c6f62696c5369676e20526f6f742043413110300e060355040b0c07526f6f7420434131193017060355040a0c10476c6f62616c5369676e206e762d7361310b300906035504061302424530819f300d06092a864886f70d010101050003818d0030818902818100d29e771f9fc876a504957aff12f8dee1c797f979bb3acea8dd8b6ef17cad26703994a604aad1882f392a5e27cb807b4c5aa8e9277fd4243b3d48dd2c0b1fcc142f46c288ac61062ab5bde8fe115cb874b2950b8b294fa47001ea5d39fc126d979a713bcad9ce608eb53ae877f6fcc24c7aa618e17866cc13eaddf2624c0896b50203010001a3323030300f0603551d130101ff040530030101ff301d0603551d11041630148212476c6f62696c5369676e20526f6f74204341300d06092a864886f70d01010b050003818100687a88a979d5bf98c99d6fe361476045987589fb79e45b190397d58a009310e1a03457c75e0d77efde62ee0b3b7b8b2b88b2a6811e080233761a6d1f385fe1ce13679e259aee8c5a482b7fc6f0eb8ee833308af89ad24df11fbb3d93abd3deb8b591f26367b090a9463da3787cb4edd1fa0f478b58441e3f16ab8173fbb6af7f	rundll32.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
5092	svchost.exe
5092	svchost.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
4760	rundll32.exe
5092	svchost.exe
5092	svchost.exe
5092	svchost.exe
5092	svchost.exe
5092	svchost.exe
5092	svchost.exe
5092	svchost.exe
5092	svchost.exe
5092	svchost.exe
5092	svchost.exe
5092	svchost.exe
5092	svchost.exe
5092	svchost.exe
5092	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5076	rundll32.exe
4760	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 4760	4424	6e893653c7423df0539e52768c35e717.exe	81
PID 4424 wrote to memory of 4760	4424	6e893653c7423df0539e52768c35e717.exe	81
PID 4424 wrote to memory of 4760	4424	6e893653c7423df0539e52768c35e717.exe	81
PID 4760 wrote to memory of 5076	4760	rundll32.exe	89
PID 4760 wrote to memory of 5076	4760	rundll32.exe	89
PID 4760 wrote to memory of 5076	4760	rundll32.exe	89
PID 5092 wrote to memory of 764	5092	svchost.exe	93
PID 5092 wrote to memory of 764	5092	svchost.exe	93
PID 5092 wrote to memory of 764	5092	svchost.exe	93
PID 4760 wrote to memory of 2720	4760	rundll32.exe	95
PID 4760 wrote to memory of 2720	4760	rundll32.exe	95
PID 4760 wrote to memory of 2720	4760	rundll32.exe	95
PID 4760 wrote to memory of 4260	4760	rundll32.exe	97
PID 4760 wrote to memory of 4260	4760	rundll32.exe	97
PID 4760 wrote to memory of 4260	4760	rundll32.exe	97

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6e893653c7423df0539e52768c35e717.exe
"C:\Users\Admin\AppData\Local\Temp\6e893653c7423df0539e52768c35e717.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp",Dioeeedresq
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:4760
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14020
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:5076
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 556
  2⤵
  - Program crash
  PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4424 -ip 4424
1⤵
PID:4416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:832

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\google\temp\edit_r_exp_rhp..dll",lENRN0k=
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\Edit_R_Exp_RHP..dll

Filesize
792KB

MD5
d77a3c60f0b2518a9caaa80c97786310

SHA1
83704aca57927e36f6499d58a36314425648a196

SHA256
1a9fb326adddff58559806c701604078e53da1ad15b25a09d19f3d8f216e6c7d

SHA512
85942cfc7f08db98c851d13066a93a4c5fa0e883cacdd2d91c229978e78d6592e5fa3da164aea12e35a16c23d3ff78b4b395eec24402b68c35e9bc12fbe2c018

Download Submit
C:\Program Files (x86)\Google\Temp\Edit_R_Exp_RHP..dll

Filesize
792KB

MD5
d77a3c60f0b2518a9caaa80c97786310

SHA1
83704aca57927e36f6499d58a36314425648a196

SHA256
1a9fb326adddff58559806c701604078e53da1ad15b25a09d19f3d8f216e6c7d

SHA512
85942cfc7f08db98c851d13066a93a4c5fa0e883cacdd2d91c229978e78d6592e5fa3da164aea12e35a16c23d3ff78b4b395eec24402b68c35e9bc12fbe2c018

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\CiST0000.001

Filesize
64KB

MD5
efca15e60890fe74b53b0c415cf8fc68

SHA1
f8d3d29a242101a144f9b6ea4923af3556f5774b

SHA256
c4b27062149c30ffc466027919cc6881c6d25c00a8bcb8ec9bc0a570b8b3dab6

SHA512
5d58a06f6d97d092c6b7811318a9182190d6ce397bb473ade6e8747592dccdd8e406dd7bc54591f670e004e1a55d7c6687222c5773172d6dadc5e82dfc18d128

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml

Filesize
2KB

MD5
db0acdbf49f80d3f3b0fb65a71b39341

SHA1
12c6d86ba5f90a1e1d2b4b4ec3bd94fc9f1296ae

SHA256
f8a8635147117201638a6a4dfa8dcd5b4506cbee07f582001d2a92da434a231f

SHA512
3d4e7547c8186164aa3fb7f08a50e6b065d536ca5ec8bc216c9dfd34c98e7c58c64ebcb39077fbd46370bc42b504acf769c6b3c7387cb98ec209087d4d46d784

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Ieohspdwyru.tmp

Filesize
3.5MB

MD5
60a166514d47285f53fedcf3e3c4ba2b

SHA1
e48c181980c3b32c7cf0cc3435ac5417d160414f

SHA256
99216f40f93b9937d85f13880f67eec0183185b9d69ab4a7ebec9489fedfa3c1

SHA512
040462478e24528053919c7e0d6548dc3fbff5c19826d10a7847d065aa8f49edcd965841aca5333e6ed7df0527d984483703e278b917b525efb0197ca0654de8

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
1KB

MD5
6c2429d1fdb4a93ebca14340b9fb8fb7

SHA1
e757fc9e129850598fff1931d496fb7c7b21d4d6

SHA256
52b30a2b9d6a5c18dd585e3efe81688611b45f649e4e4e2c0543eaaf473f5285

SHA512
bae2b99779cc2ec27a7fcf132ba66bb698c78b01048630fa22116fda906389be66458523efb9634976455b4063f3002ee781eabdf4abfb78ee295ae74927b228

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.AccountsControl_10.0.19041.1023_neutral__cw5n1h2txyewy.xml

Filesize
13KB

MD5
c7405e2e68aec89e44862595ccc0d186

SHA1
2cc8d73f93dd875134917795633bb606911f1069

SHA256
9a9adc35b9debbd0ded2aa1684769afd7fbb09b2e1afa20b19893de5fdbabe37

SHA512
0cb3190812b404ff0cc32bc0442c8e0cc26ee989fbcab7284b21dbd134664f1b38fd3cb7e9a98898dd64b445ace1a117bd00cac793336fb25a819e17c60cab22

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe.xml

Filesize
820B

MD5
a8664f5906d9060a0a87bc01e35179bb

SHA1
1bbbc9f10431d2941805907a8a6d4009f4e2938c

SHA256
a8ed53b828f69fb5e6e28eef9a38b5753320aa7a942b4a4c2dbf67705d21e309

SHA512
389a4be3833050f89ea0bc5327514b3d80753eb6a214d4ad58d8c1b22770dcca2cdf099d4563db98e3d3f9530474b147e49cbed4b5b3e3a9e315a797f056049f

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe.xml

Filesize
820B

MD5
09eb72768015735e81d549d7a5087631

SHA1
0dc0de9d9f1f94a73b760e13dbfb033d58b2962c

SHA256
803200facef08eb731bceb63813c1c873628a271ada9661dda6bb4b638ccb5f8

SHA512
240680b7e01215938623781f3431fb5ae8a2630590285a824f7e41e63e8e06f6fa79e641f4ace6d9dcb96f0c3fe3e928f5ac0eb2992158bda8cb83e95c7e916a

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe.xml

Filesize
855B

MD5
7ec956334fec33862a86ae1d3db724f5

SHA1
009ef40b310d0068ec42c3ec85a424a147e9e712

SHA256
c861b14bdbc003a3029af12487b4b01b9e3ece914afc6029b4cf59eb3156e3d7

SHA512
ba478d4138c56b6a5e89a0daa58234a2c872e39684c946711b0fc972e63a91ab97bbb5e8300e03094e8fc243f8bf39e1931162bf95762142998428faf69c2af9

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\MicrosoftOffice2016BackupWin64.xml

Filesize
12KB

MD5
2d995c7aa8d041ffa18821c898bc2cb7

SHA1
f16ef806d79bffeec76f27102bd8e1273a0f3747

SHA256
614e99dbea133397b0b4ee8a222df8502f8f782fbcdd44651793c1c894281948

SHA512
81dcbfa24e216bf2a06379ca7d830bd6e16b58c16cd595704903a636f770eb70ca2146ec682559b48e9ff2518cbf3e1ed693050938a9a2b2e478eba6b86959e6

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\SmsInterceptStore.db

Filesize
192KB

MD5
4d0e5372be969ef8273a997c765f33aa

SHA1
06e9d80432b6a5c61cf81ca46d358ad5f01e45d6

SHA256
3943fc4037e38355edb92fc186f3b7b8d56eceb7edddecf016a2c971e79cfa3c

SHA512
457186c11c6b3affde2bab45b809e930b887c4d3e3e85fec1cf0390429b7f645cfef5b00d82bc2cf6507c21078f1f5ad688a6058724270262411f2a00eb68912

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\edbtmp.log

Filesize
64KB

MD5
5d72fc2d8115bba19c4044c03dad536c

SHA1
c48301758485274df5a8406c0d91b20bf8b77c50

SHA256
754da3b9dbaefc4c07e2b583fcf5a195aae663599bc3acdf6343b7c146248b87

SHA512
301e0eeaade0dbeb0d2f26aa405593e53b3d4c688d535e0f07f80d87fa15cf8dc18e436bbfe21dfe819c1052a9ea2d89eed85dbbdbe896b3d8d314b0ffe052d8

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\resource.xml

Filesize
1KB

MD5
1d3eb6efb2054c0f8c6dfcc90af00e4e

SHA1
452b9ea9cfbf42179a4e344e38ebad3a7179ead7

SHA256
8fe6157bec03efbc921905d0df8f6f9f4432323f1244fc380ea404d5d0e2c95e

SHA512
a0aefd1bf5bc0b275fbba3af7d06c672d82f3c7b40046f3f11515c6f3467f704d668985816f31f97a64e16c8c1112d78ea1f277e9001a3ef4d65df626544fcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp

Filesize
792KB

MD5
822d3ead416a1a85cb96e65f65cd5ae2

SHA1
af32b69e2835d1cacdadb97ae6dfafccc32d1837

SHA256
72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

SHA512
48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp

Filesize
792KB

MD5
822d3ead416a1a85cb96e65f65cd5ae2

SHA1
af32b69e2835d1cacdadb97ae6dfafccc32d1837

SHA256
72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

SHA512
48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

Download Submit
\??\c:\program files (x86)\google\temp\edit_r_exp_rhp..dll

Filesize
792KB

MD5
d77a3c60f0b2518a9caaa80c97786310

SHA1
83704aca57927e36f6499d58a36314425648a196

SHA256
1a9fb326adddff58559806c701604078e53da1ad15b25a09d19f3d8f216e6c7d

SHA512
85942cfc7f08db98c851d13066a93a4c5fa0e883cacdd2d91c229978e78d6592e5fa3da164aea12e35a16c23d3ff78b4b395eec24402b68c35e9bc12fbe2c018

Download Submit
memory/764-172-0x0000000004610000-0x000000000516D000-memory.dmp

Filesize
11.4MB

Download
memory/764-171-0x0000000004610000-0x000000000516D000-memory.dmp

Filesize
11.4MB

Download
memory/4424-137-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/4424-134-0x0000000002365000-0x000000000243B000-memory.dmp

Filesize
856KB

Download
memory/4424-136-0x0000000002490000-0x00000000025A1000-memory.dmp

Filesize
1.1MB

Download
memory/4760-142-0x00000000045E0000-0x0000000004720000-memory.dmp

Filesize
1.2MB

Download
memory/4760-144-0x00000000045E0000-0x0000000004720000-memory.dmp

Filesize
1.2MB

Download
memory/4760-143-0x00000000045E0000-0x0000000004720000-memory.dmp

Filesize
1.2MB

Download
memory/4760-148-0x0000000004659000-0x000000000465B000-memory.dmp

Filesize
8KB

Download
memory/4760-141-0x00000000045E0000-0x0000000004720000-memory.dmp

Filesize
1.2MB

Download
memory/4760-140-0x00000000045E0000-0x0000000004720000-memory.dmp

Filesize
1.2MB

Download
memory/4760-138-0x0000000004C40000-0x000000000579D000-memory.dmp

Filesize
11.4MB

Download
memory/4760-139-0x0000000004C40000-0x000000000579D000-memory.dmp

Filesize
11.4MB

Download
memory/4760-152-0x0000000004C40000-0x000000000579D000-memory.dmp

Filesize
11.4MB

Download
memory/4760-145-0x00000000045E0000-0x0000000004720000-memory.dmp

Filesize
1.2MB

Download
memory/5076-149-0x000001E60AD50000-0x000001E60AE90000-memory.dmp

Filesize
1.2MB

Download
memory/5076-150-0x0000000000A60000-0x0000000000CFC000-memory.dmp

Filesize
2.6MB

Download
memory/5076-151-0x000001E60AED0000-0x000001E60B17E000-memory.dmp

Filesize
2.7MB

Download
memory/5076-147-0x000001E60AD50000-0x000001E60AE90000-memory.dmp

Filesize
1.2MB

Download
memory/5092-168-0x0000000003A90000-0x00000000045ED000-memory.dmp

Filesize
11.4MB

Download
memory/5092-156-0x0000000003A90000-0x00000000045ED000-memory.dmp

Filesize
11.4MB

Download
memory/5092-175-0x0000000003A90000-0x00000000045ED000-memory.dmp

Filesize
11.4MB

Download