53c69e4600cd2f632a0c5b33f7787e492f36f1e2ef0236b197e5bcf3269ef8bf

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2022, 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53c69e4600cd2f632a0c5b33f7787e492f36f1e2ef0236b197e5bcf3269ef8bf.exe
Size

1021KB
MD5

c63663ff26907f52a05e95e289bf260e
SHA1

704b85ca4354761a824b4c98cd65e59a0f185a16
SHA256

53c69e4600cd2f632a0c5b33f7787e492f36f1e2ef0236b197e5bcf3269ef8bf
SHA512

8ab8957a917734672d51d7596dbabdff43c65a5826e4a17fab8165ca84882fb3982ddb33a6bd398f3c804256953995dab4def08b90edafb423b057311e8ecfa5
SSDEEP

24576:pRhP55ZiAkX8/xRgKUqKWrwbYXXZq1i30:pRhxSAks/4KU8r2Os00

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
7	1152	rundll32.exe
8	1152	rundll32.exe
39	1152	rundll32.exe
41	1152	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Combine_R_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\Temp\\Combine_R_RHP..dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Combine_R_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
1152	rundll32.exe
2248	svchost.exe
536	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1152 set thread context of 4916	1152	rundll32.exe	90

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\Combine_R_RHP..dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\base_uris.js	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\manifest.json	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFPrevHndlr.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\createpdf.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\base_uris.js	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\Edit_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\PDFPrevHndlr.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\natives_blob.bin	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\share.svg	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\Pages_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\close_x.png	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\selection-actions2x.png	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\delete.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\delete.svg	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\2d.x3d	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\SaveAsRTF.api	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\RTC.der	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\CPDF_Full.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\LightTheme.acrotheme	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\stopwords.ENU	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\LightTheme.acrotheme	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\createpdf.svg	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\bl.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\arh.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\AGMGPUOptIn.ini	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions2x.png	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4948	1960	WerFault.exe	79

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3EE4C74F9396BBE1368081BAEE3D32DC6C5B845D\Blob = 0300000001000000140000003ee4c74f9396bbe1368081baee3d32dc6c5b845d2000000001000000c5020000308202c13082022aa0030201020208664380d71f7a1535300d06092a864886f70d01010b0500307a3139303706035504030c304d6963726f736f66742045434320545320526f6f74204365727469666963617465204175746868726974792032303138311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e64301e170d3230313232383134313231385a170d3234313232373134313231385a307a3139303706035504030c304d6963726f736f66742045434320545320526f6f74204365727469666963617465204175746868726974792032303138311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e6430819f300d06092a864886f70d010101050003818d0030818902818100a949e12ad251e33b29ec2a9dd964f88ebf55a08768570ea6d7d931780a2c427ad92c2b4ac90007875447825ff991facf2a8a715897c5a57d7a1962ad9d707dccaf11a643cc45d86abaf3ad543f77d92050b82f3a83f0053514014fb59797872e6c8fc7da58c9812cda0c44fe276f8f3544f331dc8d908629a82c5479d1dc76750203010001a350304e300f0603551d130101ff040530030101ff303b0603551d110434303282304d6963726f736f66742045434320545320526f6f74204365727469666963617465204175746868726974792032303138300d06092a864886f70d01010b0500038181002363871c7c3c0057892f7346b4e8804145b478a910e1c12c0c0eb7592e604cad04a27ca623f3ebff67eddfca90395f9996988f2a8a1ae95cc3fbd97be4157e9bbe04161d7b0e59f2076dc24f9d3168d950d574e2908f9e4b41be3ef96dfc3495632588bdb610b58d4805b9fa6e7f913b84ebbc740cc1ef829efb99206df0609a	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3EE4C74F9396BBE1368081BAEE3D32DC6C5B845D	rundll32.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1152	rundll32.exe
1152	rundll32.exe
2248	svchost.exe
2248	svchost.exe
1152	rundll32.exe
1152	rundll32.exe
1152	rundll32.exe
1152	rundll32.exe
1152	rundll32.exe
1152	rundll32.exe
1152	rundll32.exe
1152	rundll32.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	rundll32.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1152	rundll32.exe
4916	rundll32.exe
1152	rundll32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1152	1960	53c69e4600cd2f632a0c5b33f7787e492f36f1e2ef0236b197e5bcf3269ef8bf.exe	80
PID 1960 wrote to memory of 1152	1960	53c69e4600cd2f632a0c5b33f7787e492f36f1e2ef0236b197e5bcf3269ef8bf.exe	80
PID 1960 wrote to memory of 1152	1960	53c69e4600cd2f632a0c5b33f7787e492f36f1e2ef0236b197e5bcf3269ef8bf.exe	80
PID 1152 wrote to memory of 4916	1152	rundll32.exe	90
PID 1152 wrote to memory of 4916	1152	rundll32.exe	90
PID 1152 wrote to memory of 4916	1152	rundll32.exe	90
PID 1152 wrote to memory of 872	1152	rundll32.exe	91
PID 1152 wrote to memory of 872	1152	rundll32.exe	91
PID 1152 wrote to memory of 872	1152	rundll32.exe	91
PID 1152 wrote to memory of 4040	1152	rundll32.exe	94
PID 1152 wrote to memory of 4040	1152	rundll32.exe	94
PID 1152 wrote to memory of 4040	1152	rundll32.exe	94
PID 2248 wrote to memory of 536	2248	svchost.exe	98
PID 2248 wrote to memory of 536	2248	svchost.exe	98
PID 2248 wrote to memory of 536	2248	svchost.exe	98
PID 1152 wrote to memory of 1100	1152	rundll32.exe	100
PID 1152 wrote to memory of 1100	1152	rundll32.exe	100
PID 1152 wrote to memory of 1100	1152	rundll32.exe	100
PID 1152 wrote to memory of 4200	1152	rundll32.exe	102
PID 1152 wrote to memory of 4200	1152	rundll32.exe	102
PID 1152 wrote to memory of 4200	1152	rundll32.exe	102

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\53c69e4600cd2f632a0c5b33f7787e492f36f1e2ef0236b197e5bcf3269ef8bf.exe
"C:\Users\Admin\AppData\Local\Temp\53c69e4600cd2f632a0c5b33f7787e492f36f1e2ef0236b197e5bcf3269ef8bf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp",Dioeeedresq
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1152
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 13996
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4916
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:872
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 528
  2⤵
  - Program crash
  PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1960 -ip 1960
1⤵
PID:4920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4584

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\google\temp\combine_r_rhp..dll",klc7
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\Combine_R_RHP..dll

Filesize
792KB

MD5
2afb2d45f68f5067790381b9a94c32fb

SHA1
30052113d12202ee069eddc2d237cc0bc4ccf93a

SHA256
b589a7ce2fb2d21b840ba4c49c0b50647b4c0c62ac59f53bbe1b1ca9e2676ad7

SHA512
23194e9224fe51af96258180175186ca31696c2be432693c3236af5375648edce6fb48bc31967f868622ec12db0d21d076187242d4f083123b06b164872453bf

Download Submit
C:\Program Files (x86)\Google\Temp\Combine_R_RHP..dll

Filesize
792KB

MD5
2afb2d45f68f5067790381b9a94c32fb

SHA1
30052113d12202ee069eddc2d237cc0bc4ccf93a

SHA256
b589a7ce2fb2d21b840ba4c49c0b50647b4c0c62ac59f53bbe1b1ca9e2676ad7

SHA512
23194e9224fe51af96258180175186ca31696c2be432693c3236af5375648edce6fb48bc31967f868622ec12db0d21d076187242d4f083123b06b164872453bf

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\C2RManifest.wordmui.msi.16.en-us.xml

Filesize
77KB

MD5
50a33f3ee76c3f15703f82890efcc8c8

SHA1
b24e99bb702478edcbbda43f75457e5833abdc95

SHA256
77a2a4517a0c488c78bf9742e86de5af419d6c148346845d8b0f062d5f8a631a

SHA512
f14e224c1582476f09f969f1e29d5e2fa7855b22aa6b35682e264da0fc6cafdc1d62022dde5032206e1d973382604d9ccfa7495ebf90578a55c9c74bac1e606e

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Ieohspdwyru.tmp

Filesize
3.5MB

MD5
1556a1dc36d8cde607aa9411cfdc7d80

SHA1
dc3816b606996bebbaea00c04c58deab876233ad

SHA256
ac3667edc65b5236234f9f1e6abc134045efeb73b45188ceba0e8756e891d4f6

SHA512
6e720486872701c2be2a554d7515c5585521586059a41fc1507329c9ff9db1209103a75b8fc3094eb205d97010bef5fa7a04c67e4ba1a8c4507b7bb3a606a828

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Ieohspdwyru.tmp

Filesize
3.5MB

MD5
1556a1dc36d8cde607aa9411cfdc7d80

SHA1
dc3816b606996bebbaea00c04c58deab876233ad

SHA256
ac3667edc65b5236234f9f1e6abc134045efeb73b45188ceba0e8756e891d4f6

SHA512
6e720486872701c2be2a554d7515c5585521586059a41fc1507329c9ff9db1209103a75b8fc3094eb205d97010bef5fa7a04c67e4ba1a8c4507b7bb3a606a828

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
6KB

MD5
d218cf550fbd777e789242cafb804d10

SHA1
05175dd84f05a7989944e48db6a811c297fa47e3

SHA256
8143763940b906ea93cd7288a08f251203d9f21da5282a6c20201ea7530df8c4

SHA512
9134ace4de9b6bae58b161af4ede7ca9b24bd396c6b1e24ec8301ecb90278bc8b61d7600be7248b2f35acc49b83fcd627045f18c61ee57a2da0e19d61330261d

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\MicrosoftNotepad.xml

Filesize
957B

MD5
06f405331f1f99bd455f4afa7b8ee0cc

SHA1
815d8d81c01208aef4bc1a0048b2d4f4171b26f6

SHA256
b752d2c5a3c66c338fd6cd92224d5995be0eac8fd47092b8cd6ea2cc28a5e790

SHA512
a2a771f97346a5db7ee8e948cba2c9e223848e1c395eb335a6e3609739c125e0414e7a254f5ac81ca4a28b04cf4e631ee69edaaf24ef534b96c01c30f96c3a2c

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml

Filesize
3KB

MD5
1a3168a15983b890b16390a23a89a02e

SHA1
d56ce16d88d79159a27c2d1cd3770dc56d897ebe

SHA256
334782208e9520975f597b19a273fcc6f3a8a7caffd2e4fb22213f6b957f4946

SHA512
f2be33992fd70d90eb94973c19924229bb70da4ce21c9777cfccbf56b0635452b382d2846afe2b0cc80a83d3b6a2c855557855cfb22fc681d182b2b605daa668

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\qmgr.db

Filesize
768KB

MD5
cfd8bc1980899dfc1055a186293bdc06

SHA1
bf4e88bd2ca2c55725a8268fe05798faa83ee53b

SHA256
dec3a3edaa6ee1b8c7f590e7047fb77558a2ecc07c59ce27d65c8496ba9d6be4

SHA512
71debd30152c40ce4add8b38396266db97581a2f5c77df70ba901419afe3aba1120c9aa2332d4f8c984d1392b1ba4b60ec10f63022e1e61aded0ec93c78f3ca3

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\user.png

Filesize
5KB

MD5
d7ee4543371744836d520e0ce24a9ee6

SHA1
a6cda6aac3e480b269b9da2bd616bdb4d6fa87f0

SHA256
98817a572430813ca4ca2787dab20573f7864c5168ac6912f34d14b49e7bd7c9

SHA512
e15b6a50d9d498918a81488bf8d60860027f9a38f4d87e239f1c6e9d20fe4938e75861dad35c69e4087370c18b2cd5b482ab6ca694dfe205d053f1d303d17808

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp

Filesize
792KB

MD5
822d3ead416a1a85cb96e65f65cd5ae2

SHA1
af32b69e2835d1cacdadb97ae6dfafccc32d1837

SHA256
72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

SHA512
48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp

Filesize
792KB

MD5
822d3ead416a1a85cb96e65f65cd5ae2

SHA1
af32b69e2835d1cacdadb97ae6dfafccc32d1837

SHA256
72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

SHA512
48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

Download Submit
\??\c:\program files (x86)\google\temp\combine_r_rhp..dll

Filesize
792KB

MD5
2afb2d45f68f5067790381b9a94c32fb

SHA1
30052113d12202ee069eddc2d237cc0bc4ccf93a

SHA256
b589a7ce2fb2d21b840ba4c49c0b50647b4c0c62ac59f53bbe1b1ca9e2676ad7

SHA512
23194e9224fe51af96258180175186ca31696c2be432693c3236af5375648edce6fb48bc31967f868622ec12db0d21d076187242d4f083123b06b164872453bf

Download Submit
memory/536-170-0x00000000051D0000-0x0000000005D2D000-memory.dmp

Filesize
11.4MB

Download
memory/536-171-0x00000000051D0000-0x0000000005D2D000-memory.dmp

Filesize
11.4MB

Download
memory/536-175-0x00000000051D0000-0x0000000005D2D000-memory.dmp

Filesize
11.4MB

Download
memory/1152-143-0x0000000006F00000-0x0000000007040000-memory.dmp

Filesize
1.2MB

Download
memory/1152-142-0x0000000005630000-0x0000000005770000-memory.dmp

Filesize
1.2MB

Download
memory/1152-155-0x0000000004990000-0x00000000054ED000-memory.dmp

Filesize
11.4MB

Download
memory/1152-140-0x0000000004990000-0x00000000054ED000-memory.dmp

Filesize
11.4MB

Download
memory/1152-141-0x0000000005630000-0x0000000005770000-memory.dmp

Filesize
1.2MB

Download
memory/1152-144-0x0000000006F00000-0x0000000007040000-memory.dmp

Filesize
1.2MB

Download
memory/1152-145-0x0000000005630000-0x0000000005770000-memory.dmp

Filesize
1.2MB

Download
memory/1152-146-0x0000000005630000-0x0000000005770000-memory.dmp

Filesize
1.2MB

Download
memory/1960-132-0x0000000002122000-0x00000000021F8000-memory.dmp

Filesize
856KB

Download
memory/1960-133-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/1960-134-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1960-138-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2248-168-0x00000000045B0000-0x000000000510D000-memory.dmp

Filesize
11.4MB

Download
memory/2248-159-0x00000000045B0000-0x000000000510D000-memory.dmp

Filesize
11.4MB

Download
memory/2248-174-0x00000000045B0000-0x000000000510D000-memory.dmp

Filesize
11.4MB

Download
memory/4916-151-0x000001FA585B0000-0x000001FA5885E000-memory.dmp

Filesize
2.7MB

Download
memory/4916-149-0x0000000000160000-0x00000000003FC000-memory.dmp

Filesize
2.6MB

Download
memory/4916-150-0x000001FA59E70000-0x000001FA59FB0000-memory.dmp

Filesize
1.2MB

Download
memory/4916-154-0x000001FA585B0000-0x000001FA5885E000-memory.dmp

Filesize
2.7MB

Download
memory/4916-148-0x000001FA59E70000-0x000001FA59FB0000-memory.dmp

Filesize
1.2MB

Download