aa9b351364a17b75e893594097e0cd1f397f19f43ec85ae32156480a892896db

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27/12/2022, 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa9b351364a17b75e893594097e0cd1f397f19f43ec85ae32156480a892896db.exe
Size

1.0MB
MD5

12647c0c708103e8c39932012363a82c
SHA1

c24e05fcf0f95e5d30c101ca50b51c467d1746d4
SHA256

aa9b351364a17b75e893594097e0cd1f397f19f43ec85ae32156480a892896db
SHA512

d9dc853f5888fcdd9a6e6bd2cae0e797cbe4d45b64fbd705096246d252cc622483b30495930028ce9247bba4b847b867cef37c2f72ec62726da0377aef3207f4
SSDEEP

24576:Vjq2HQycQa59kmcpF/E3frX3PYZ/9Tbx1o1vbCTgZ8xaNPyrc:V2Krb+9bwEP7PuTbGbZZ8xcPyr

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
9	4624	rundll32.exe
10	4624	rundll32.exe
40	4624	rundll32.exe
42	4624	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EPDF_Full.\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\Temp\\EPDF_Full..dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EPDF_Full.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
4624	rundll32.exe
1784	svchost.exe
3104	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4624 set thread context of 1620	4624	rundll32.exe	89

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\MoreTools.aapp	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\Measure.aapp	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\DropboxStorage.api	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\Close.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\main.css	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\comment.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close.png	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\MyriadCAD.otf	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\Dynamic.pdf	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\Checkers.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\acrobat_pdf.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\FullTrustNotifier.exe	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\distribute_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\EPDF_Full..dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1872	2548	WerFault.exe	79

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C34FD786E79626311BD6938E737D4B2ECE0A7D11	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C34FD786E79626311BD6938E737D4B2ECE0A7D11\Blob = 030000000100000014000000c34fd786e79626311bd6938e737d4b2ece0a7d1120000000010000006a02000030820266308201cfa00302010202083203f311732311dd300d06092a864886f70d01010b050030503132303006035504030c294d6963726f736f66742041757468656e74696372646528746d2920526f6f7420417574686f72697479310d300b060355040a0c044d534654310b3009060355040613025553301e170d3230313232373039313730335a170d3234313232363039313730335a30503132303006035504030c294d6963726f736f66742041757468656e74696372646528746d2920526f6f7420417574686f72697479310d300b060355040a0c044d534654310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100a68bb52c90c8eedb02dde796218632fae9dcc35a7e63589865bb2a58a5bb298132f2c460894e37e3b82f4d3bfe77905394b13522e4f1b3c22712e23851fa93be7f83b9a6585984bfe4f82e6a72d857bdb99962bb277f09854ab0dbae99025e6022e8f570acd0b20f3eb6aff7faa889d3b062a1283a12440dc12b8fa3cba94f2f0203010001a3493047300f0603551d130101ff040530030101ff30340603551d11042d302b82294d6963726f736f66742041757468656e74696372646528746d2920526f6f7420417574686f72697479300d06092a864886f70d01010b050003818100305b4ac3a5ae1ca283d5de602d4c4ee48ade4af4ef2ee82327e223d0e92212e8c85522f275d5debe0c96f4611b56beaf850e661a604fa3d64d9fb57d2ba160884d8d49ab896729a34f85107da39a6a2170fe114eb3a90b63aa567636c1d41345cd17c5f7585f42fdcc7755fab7a48e25a4a3fee3df674aa759cb118816b92388	rundll32.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1784	svchost.exe
1784	svchost.exe
4624	rundll32.exe
4624	rundll32.exe
4624	rundll32.exe
4624	rundll32.exe
4624	rundll32.exe
4624	rundll32.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
4624	rundll32.exe
4624	rundll32.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4624	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1620	rundll32.exe
4624	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 4624	2548	aa9b351364a17b75e893594097e0cd1f397f19f43ec85ae32156480a892896db.exe	80
PID 2548 wrote to memory of 4624	2548	aa9b351364a17b75e893594097e0cd1f397f19f43ec85ae32156480a892896db.exe	80
PID 2548 wrote to memory of 4624	2548	aa9b351364a17b75e893594097e0cd1f397f19f43ec85ae32156480a892896db.exe	80
PID 4624 wrote to memory of 1620	4624	rundll32.exe	89
PID 4624 wrote to memory of 1620	4624	rundll32.exe	89
PID 4624 wrote to memory of 1620	4624	rundll32.exe	89
PID 1784 wrote to memory of 3104	1784	svchost.exe	93
PID 1784 wrote to memory of 3104	1784	svchost.exe	93
PID 1784 wrote to memory of 3104	1784	svchost.exe	93
PID 4624 wrote to memory of 4772	4624	rundll32.exe	95
PID 4624 wrote to memory of 4772	4624	rundll32.exe	95
PID 4624 wrote to memory of 4772	4624	rundll32.exe	95
PID 4624 wrote to memory of 4680	4624	rundll32.exe	97
PID 4624 wrote to memory of 4680	4624	rundll32.exe	97
PID 4624 wrote to memory of 4680	4624	rundll32.exe	97

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\aa9b351364a17b75e893594097e0cd1f397f19f43ec85ae32156480a892896db.exe
"C:\Users\Admin\AppData\Local\Temp\aa9b351364a17b75e893594097e0cd1f397f19f43ec85ae32156480a892896db.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp",Dioeeedresq
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:4624
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14020
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1620
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 536
  2⤵
  - Program crash
  PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2548 -ip 2548
1⤵
PID:4308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5104

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\google\temp\epdf_full..dll",jmAuNk1xNA==
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:3104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\EPDF_Full..dll

Filesize
792KB

MD5
807fcc03426b29134a163b0ebdfe67ae

SHA1
306be41bb56b80f9ed6522f6737197372267890b

SHA256
03fd7e315065ec98e95c8548a6aa0c4b380724d81238250625299f2ffc5c8cf3

SHA512
1ab0230e393531d9477b9217f6e0912075f3506ccdf340cf22050e5075cc33c602cde021d304ad6b7ccdbdad5503ef96cdebe389cf8d3cf0ae006acd0b5097d0

Download Submit
C:\Program Files (x86)\Google\Temp\EPDF_Full..dll

Filesize
792KB

MD5
807fcc03426b29134a163b0ebdfe67ae

SHA1
306be41bb56b80f9ed6522f6737197372267890b

SHA256
03fd7e315065ec98e95c8548a6aa0c4b380724d81238250625299f2ffc5c8cf3

SHA512
1ab0230e393531d9477b9217f6e0912075f3506ccdf340cf22050e5075cc33c602cde021d304ad6b7ccdbdad5503ef96cdebe389cf8d3cf0ae006acd0b5097d0

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Ieohspdwyru.tmp

Filesize
3.5MB

MD5
ef31b6b95e7e639bf408efda450b2baa

SHA1
6088f8c46b17a9d879c7fa412dac41eef6dfb459

SHA256
efc8780415ab40f377dd0d48f5406b4f7c03d5b4eda22617e73d7cf121b1d9a3

SHA512
24d2cc3c415da315c8595df388548bd26fed6c657c1d163515a220d0d5d8762b3c067be7da4240c51fd7ef4194c6352d6fe0cf196597591e1554f62c17b98e30

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Ieohspdwyru.tmp

Filesize
3.5MB

MD5
ef31b6b95e7e639bf408efda450b2baa

SHA1
6088f8c46b17a9d879c7fa412dac41eef6dfb459

SHA256
efc8780415ab40f377dd0d48f5406b4f7c03d5b4eda22617e73d7cf121b1d9a3

SHA512
24d2cc3c415da315c8595df388548bd26fed6c657c1d163515a220d0d5d8762b3c067be7da4240c51fd7ef4194c6352d6fe0cf196597591e1554f62c17b98e30

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
1KB

MD5
6c2429d1fdb4a93ebca14340b9fb8fb7

SHA1
e757fc9e129850598fff1931d496fb7c7b21d4d6

SHA256
52b30a2b9d6a5c18dd585e3efe81688611b45f649e4e4e2c0543eaaf473f5285

SHA512
bae2b99779cc2ec27a7fcf132ba66bb698c78b01048630fa22116fda906389be66458523efb9634976455b4063f3002ee781eabdf4abfb78ee295ae74927b228

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe.xml

Filesize
855B

MD5
7ec956334fec33862a86ae1d3db724f5

SHA1
009ef40b310d0068ec42c3ec85a424a147e9e712

SHA256
c861b14bdbc003a3029af12487b4b01b9e3ece914afc6029b4cf59eb3156e3d7

SHA512
ba478d4138c56b6a5e89a0daa58234a2c872e39684c946711b0fc972e63a91ab97bbb5e8300e03094e8fc243f8bf39e1931162bf95762142998428faf69c2af9

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
6KB

MD5
d218cf550fbd777e789242cafb804d10

SHA1
05175dd84f05a7989944e48db6a811c297fa47e3

SHA256
8143763940b906ea93cd7288a08f251203d9f21da5282a6c20201ea7530df8c4

SHA512
9134ace4de9b6bae58b161af4ede7ca9b24bd396c6b1e24ec8301ecb90278bc8b61d7600be7248b2f35acc49b83fcd627045f18c61ee57a2da0e19d61330261d

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe.xml

Filesize
1KB

MD5
c1e304a57b77d96dbac8ca07849f9b86

SHA1
76a2051cdd63b97419d076ee3e0972c7b11ee10c

SHA256
28bf7f3525db4ecacb36705ff7d30bee209ff200a15178bae8a2f0f27f7058b8

SHA512
86b48ef3207a257799b9d9c0e23859391dd3c5984e30d4fa761bc8853bbcc8b37193ab4bdb95b7dd36906ebdd8ad83f29811d9c76675f93f261d9d0cf7a26662

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml

Filesize
3KB

MD5
2dd9bafcbda61d5d509e48086cd0a986

SHA1
821e66af11451535cdc249ec1493e5bca4d2cad2

SHA256
2da208b3e33831803c1b830244636ca3d6cbc54fdd7e4add03059795c169002e

SHA512
6f79656269570b309a5697b007245dff4983e6c20b9c3857ba1cc088ad4f7aec3b465e5fafc4f97b584cca88f6984ef90bbbdc499c20440f0f15da04ea79d528

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\behavior.xml

Filesize
1KB

MD5
6c23b0f54e5c427ff8f3db170b62616f

SHA1
44f1d0f71cbab0e05d9a563bf9e92759898ca4e9

SHA256
7cfdc107f1bc076ca39ee36960bbb1d64a6c9faac9ba73a106f6e85224da4a1b

SHA512
f511e1aa2f7dcac52ad5452ef8e9e403a77b55a6e9c7bf8248db00e85cee61f1e28ebe6470084a1f22cf64664b8a9ec84975afda1e26e348b4948de4583313a6

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\edb.chk

Filesize
8KB

MD5
87889837ed5150597e6f471beef99e19

SHA1
81d13313b8f15b290bdb5c9e52cb001684f483a5

SHA256
54624ed030ed1ca8a9854ee2cfa6698b8c4db1072b7ef1a9710676252de29c92

SHA512
f3c57fb994d323776c4a075e0da047412146ea6f615c1964b3262bd9054709b0e20f01aa945fe4dcac87279521b49af03b324efbd6ae62ed31164995094f87f4

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\qmgr.jfm

Filesize
16KB

MD5
8582aae916e25376e53b9b71aa02e972

SHA1
52d722504fd69cc57114509b4f3e14318a359a61

SHA256
f9302d89799cd2ff21515495f18b66e827d17462ead043f7f47bdc7978c72897

SHA512
9d35e4e83f90f181eb46944915b273d50c9dfaad09193e787233be8a8614a8f4c835d3fbb82ec7150e5fc0f1598c826c0a058c2b9e4642a912068d196fc322d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp

Filesize
792KB

MD5
822d3ead416a1a85cb96e65f65cd5ae2

SHA1
af32b69e2835d1cacdadb97ae6dfafccc32d1837

SHA256
72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

SHA512
48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp

Filesize
792KB

MD5
822d3ead416a1a85cb96e65f65cd5ae2

SHA1
af32b69e2835d1cacdadb97ae6dfafccc32d1837

SHA256
72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

SHA512
48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

Download Submit
\??\c:\program files (x86)\google\temp\epdf_full..dll

Filesize
792KB

MD5
807fcc03426b29134a163b0ebdfe67ae

SHA1
306be41bb56b80f9ed6522f6737197372267890b

SHA256
03fd7e315065ec98e95c8548a6aa0c4b380724d81238250625299f2ffc5c8cf3

SHA512
1ab0230e393531d9477b9217f6e0912075f3506ccdf340cf22050e5075cc33c602cde021d304ad6b7ccdbdad5503ef96cdebe389cf8d3cf0ae006acd0b5097d0

Download Submit
memory/1620-148-0x000002581E4B0000-0x000002581E5F0000-memory.dmp

Filesize
1.2MB

Download
memory/1620-147-0x000002581E4B0000-0x000002581E5F0000-memory.dmp

Filesize
1.2MB

Download
memory/1620-150-0x00000000007A0000-0x0000000000A3C000-memory.dmp

Filesize
2.6MB

Download
memory/1620-151-0x000002581CBF0000-0x000002581CE9E000-memory.dmp

Filesize
2.7MB

Download
memory/1784-173-0x0000000003BC0000-0x000000000471D000-memory.dmp

Filesize
11.4MB

Download
memory/1784-168-0x0000000003BC0000-0x000000000471D000-memory.dmp

Filesize
11.4MB

Download
memory/1784-156-0x0000000003BC0000-0x000000000471D000-memory.dmp

Filesize
11.4MB

Download
memory/2548-137-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2548-136-0x00000000023D0000-0x00000000024E1000-memory.dmp

Filesize
1.1MB

Download
memory/2548-135-0x0000000002295000-0x000000000236B000-memory.dmp

Filesize
856KB

Download
memory/3104-169-0x0000000005190000-0x0000000005CED000-memory.dmp

Filesize
11.4MB

Download
memory/3104-170-0x0000000005190000-0x0000000005CED000-memory.dmp

Filesize
11.4MB

Download
memory/4624-142-0x0000000004EC0000-0x0000000005000000-memory.dmp

Filesize
1.2MB

Download
memory/4624-152-0x00000000053E0000-0x0000000005F3D000-memory.dmp

Filesize
11.4MB

Download
memory/4624-149-0x0000000004F39000-0x0000000004F3B000-memory.dmp

Filesize
8KB

Download
memory/4624-145-0x0000000004EC0000-0x0000000005000000-memory.dmp

Filesize
1.2MB

Download
memory/4624-144-0x0000000004EC0000-0x0000000005000000-memory.dmp

Filesize
1.2MB

Download
memory/4624-143-0x0000000004EC0000-0x0000000005000000-memory.dmp

Filesize
1.2MB

Download
memory/4624-141-0x0000000004EC0000-0x0000000005000000-memory.dmp

Filesize
1.2MB

Download
memory/4624-140-0x0000000004EC0000-0x0000000005000000-memory.dmp

Filesize
1.2MB

Download
memory/4624-139-0x00000000053E0000-0x0000000005F3D000-memory.dmp

Filesize
11.4MB

Download
memory/4624-138-0x00000000053E0000-0x0000000005F3D000-memory.dmp

Filesize
11.4MB

Download