90d00f604f9a5531fdcb696e270b6c6ffca81e03903392a20adb6bcb4fd291eb

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2023, 05:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

90d00f604f9a5531fdcb696e270b6c6ffca81e03903392a20adb6bcb4fd291eb.exe
Size

1.1MB
MD5

4d7b1f535d7b5681e514410b3beb1f45
SHA1

b92a91cc38eec5ac51e06f2c3f0f062801066c4a
SHA256

90d00f604f9a5531fdcb696e270b6c6ffca81e03903392a20adb6bcb4fd291eb
SHA512

0c7401b2e54d2ed8775147edffe256e3bfc647ddedc34cdb8dbd250485aba91d304b9a3095c7a0cd30a44650ed7979094b556e886bce9fd804166ac4faa9e868
SSDEEP

24576:F2g7O+em1A+9B9Bf9DNt3u6S2zirWadURMUEBoUYL:FveojdXFXzy3UReBop

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
10	992	rundll32.exe
11	992	rundll32.exe
41	992	rundll32.exe
43	992	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\main-high-contrast\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\main-high-contrast.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\main-high-contrast\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
992	rundll32.exe
4508	svchost.exe
4132	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 992 set thread context of 4308	992	rundll32.exe	91

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\DirectInk.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Adobe.Reader.Dependencies.manifest	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\LightTheme.acrotheme	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXE8SharedExpat.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\LightTheme.acrotheme	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Scan_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\UnifiedShare.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AXE8SharedExpat.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DirectInk.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-high-contrast.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1528	4708	WerFault.exe	81

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\27C1303DE4D8C41A43166ACB7FF80E7BA5AEFB63	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\27C1303DE4D8C41A43166ACB7FF80E7BA5AEFB63\Blob = 03000000010000001400000027c1303de4d8c41a43166acb7ff80e7ba5aefb6320000000010000009b0200003082029730820200a003020102020871d1ee0e4984613d300d06092a864886f70d01010b0500306c312b302906035504030c22446967694365727420486967682041737375726167636520455620526f6f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3231303130353036313235385a170d3235303130343036313235385a306c312b302906035504030c22446967694365727420486967682041737375726167636520455620526f6f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100e21bb18ae91d25dd2c6f9ff5b70c5ca07310db2436ee173e1fc24549c182de63486d81f7012ecfc3eccaa7543f631b61ba9db43753281bab850f6ee8e8309046b66446f04b51d2f3486a426619b7c03a659f87be3d38dc68f684102fd86b61ecf9e6356ef73405bffeac2c8bc3871c373c3452b1930ba81587c14762148df0350203010001a3423040300f0603551d130101ff040530030101ff302d0603551d11042630248222446967694365727420486967682041737375726167636520455620526f6f74204341300d06092a864886f70d01010b0500038181004eab1aaba0d7a71af822873d510d260234fb2e466b05ca89ee25074ef7b507ae93d6427553ba2bbb557eef0034ba20be31a6032fd01b9e595d171039f3843795dd24260a7feb7cc0aea2a9861ab878e49411cbaf36fe65c7b869d21deb8cb995cd4dda1713f426a6c349e2dd65cb2778faa794b89230858caf90efc69d440b23	rundll32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
4508	svchost.exe
4508	svchost.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
4508	svchost.exe
4508	svchost.exe
4508	svchost.exe
4508	svchost.exe
4508	svchost.exe
4508	svchost.exe
992	rundll32.exe
992	rundll32.exe
4508	svchost.exe
4508	svchost.exe
4508	svchost.exe
4508	svchost.exe
4508	svchost.exe
4508	svchost.exe
4508	svchost.exe
4508	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	992	rundll32.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
992	rundll32.exe
4308	rundll32.exe
992	rundll32.exe
992	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 992	4708	90d00f604f9a5531fdcb696e270b6c6ffca81e03903392a20adb6bcb4fd291eb.exe	85
PID 4708 wrote to memory of 992	4708	90d00f604f9a5531fdcb696e270b6c6ffca81e03903392a20adb6bcb4fd291eb.exe	85
PID 4708 wrote to memory of 992	4708	90d00f604f9a5531fdcb696e270b6c6ffca81e03903392a20adb6bcb4fd291eb.exe	85
PID 992 wrote to memory of 4308	992	rundll32.exe	91
PID 992 wrote to memory of 4308	992	rundll32.exe	91
PID 992 wrote to memory of 4996	992	rundll32.exe	92
PID 992 wrote to memory of 4996	992	rundll32.exe	92
PID 992 wrote to memory of 4996	992	rundll32.exe	92
PID 992 wrote to memory of 4308	992	rundll32.exe	91
PID 992 wrote to memory of 4488	992	rundll32.exe	95
PID 992 wrote to memory of 4488	992	rundll32.exe	95
PID 992 wrote to memory of 4488	992	rundll32.exe	95
PID 992 wrote to memory of 2264	992	rundll32.exe	100
PID 992 wrote to memory of 2264	992	rundll32.exe	100
PID 992 wrote to memory of 2264	992	rundll32.exe	100
PID 4508 wrote to memory of 4132	4508	svchost.exe	101
PID 4508 wrote to memory of 4132	4508	svchost.exe	101
PID 4508 wrote to memory of 4132	4508	svchost.exe	101
PID 992 wrote to memory of 4608	992	rundll32.exe	103
PID 992 wrote to memory of 4608	992	rundll32.exe	103
PID 992 wrote to memory of 4608	992	rundll32.exe	103
PID 992 wrote to memory of 5024	992	rundll32.exe	105
PID 992 wrote to memory of 5024	992	rundll32.exe	105
PID 992 wrote to memory of 5024	992	rundll32.exe	105
PID 992 wrote to memory of 2532	992	rundll32.exe	107
PID 992 wrote to memory of 2532	992	rundll32.exe	107
PID 992 wrote to memory of 2532	992	rundll32.exe	107

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\90d00f604f9a5531fdcb696e270b6c6ffca81e03903392a20adb6bcb4fd291eb.exe
"C:\Users\Admin\AppData\Local\Temp\90d00f604f9a5531fdcb696e270b6c6ffca81e03903392a20adb6bcb4fd291eb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:992
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23945
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4308
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:2532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 528
  2⤵
  - Program crash
  PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4708 -ip 4708
1⤵
PID:4460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:444

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\main-high-contrast.dll",SRU0NFF1MjY=
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:4132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\main-high-contrast.dll

Filesize
784KB

MD5
9849efd173d03a102031edb2c3a1e339

SHA1
f7b7465b03ca47d3db9174887787749527b7353e

SHA256
36a79485f9ef48d262d00391a1138dcf35ad99c074dbcce0544393ae14eef91d

SHA512
7ad4ae227950bec9bfdbd5e3b58b3ac1c4d1a1c02a6b0ecfa1653421d8044add3fcd85022509fbb67626b306cac6ab645cb80b2f7e4ac24e76e29235edee766f

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\main-high-contrast.dll

Filesize
784KB

MD5
9849efd173d03a102031edb2c3a1e339

SHA1
f7b7465b03ca47d3db9174887787749527b7353e

SHA256
36a79485f9ef48d262d00391a1138dcf35ad99c074dbcce0544393ae14eef91d

SHA512
7ad4ae227950bec9bfdbd5e3b58b3ac1c4d1a1c02a6b0ecfa1653421d8044add3fcd85022509fbb67626b306cac6ab645cb80b2f7e4ac24e76e29235edee766f

Download Submit
C:\ProgramData\{E6FB8490-097E-1893-E5D7-72BBB5B030D6}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml

Filesize
30KB

MD5
98de295b21abe2451f86b82df3be269a

SHA1
1665a23d307748e8c1c0164ba7939275f9fb676c

SHA256
fd3507cd60edf41093c8fe843d1601e33db9cbe1cd36247cec587c265109bcfa

SHA512
230ae283c81771496dcae9ef84787379712106738ea82754b101af9047ae27cadb8b1f4aed00d146a699c22fd1c505c31068418a70d2b535c85c3017726d91cc

Download Submit
C:\ProgramData\{E6FB8490-097E-1893-E5D7-72BBB5B030D6}\C2RManifest.Proof.Culture.msi.16.en-us.xml

Filesize
25KB

MD5
c61439f60c39268b94a18e5d51f0b26e

SHA1
4ee213d4f4438b2fd8841bcb7ee07ca0f4742b3a

SHA256
06bc78753a1130463805f6ee03e1c2fe991e04d14e02ad852e8f857c43e24213

SHA512
88310fcea8cfa7fa1f028d4af3d529ef92cad0002705a5c720e5779cf465555917ac63042d999c575c22889b229e624f3da01525797dd262309d95461b75b45c

Download Submit
C:\ProgramData\{E6FB8490-097E-1893-E5D7-72BBB5B030D6}\MicrosoftOffice2013Office365Win64.xml

Filesize
10KB

MD5
46353bb25b4eb2e9d26a25744c716563

SHA1
a9a9c2a1260542b5246fd642425dcc2a29a098c1

SHA256
3fae1d780e8a63d73847dc38412952c238d0e3ca01a97caee718489a3d424893

SHA512
09027ff22d03712258dbd10d6fe2cafbefd90e974210b09d20008d8eb6b569915064c65a7403187b0d78e79c96838cc0bba49b089acc7c7ab790866359719197

Download Submit
C:\ProgramData\{E6FB8490-097E-1893-E5D7-72BBB5B030D6}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml

Filesize
3KB

MD5
1a3168a15983b890b16390a23a89a02e

SHA1
d56ce16d88d79159a27c2d1cd3770dc56d897ebe

SHA256
334782208e9520975f597b19a273fcc6f3a8a7caffd2e4fb22213f6b957f4946

SHA512
f2be33992fd70d90eb94973c19924229bb70da4ce21c9777cfccbf56b0635452b382d2846afe2b0cc80a83d3b6a2c855557855cfb22fc681d182b2b605daa668

Download Submit
C:\ProgramData\{E6FB8490-097E-1893-E5D7-72BBB5B030D6}\Oreqhqoupyrw.tmp

Filesize
3.5MB

MD5
2f59338c41f26d8df8f8fba4048ffef9

SHA1
27db0fe8aed2f5c4211651e853c79da84dd65d9e

SHA256
38f274119f2b14f1b341b8a74de6b5bb35df5d36ad872e272a89f3ef074e68c9

SHA512
74457168a78c2b6e74490f2e7c74b1f01c2b297c02065df4b9f46c1afc565fbdac5df7f9d664f983490d5fe01c3469598b060aaf663da08f3e0f9d87cf1e7826

Download Submit
C:\ProgramData\{E6FB8490-097E-1893-E5D7-72BBB5B030D6}\Oreqhqoupyrw.tmp

Filesize
3.5MB

MD5
2f59338c41f26d8df8f8fba4048ffef9

SHA1
27db0fe8aed2f5c4211651e853c79da84dd65d9e

SHA256
38f274119f2b14f1b341b8a74de6b5bb35df5d36ad872e272a89f3ef074e68c9

SHA512
74457168a78c2b6e74490f2e7c74b1f01c2b297c02065df4b9f46c1afc565fbdac5df7f9d664f983490d5fe01c3469598b060aaf663da08f3e0f9d87cf1e7826

Download Submit
C:\ProgramData\{E6FB8490-097E-1893-E5D7-72BBB5B030D6}\SmsInterceptStore.jfm

Filesize
16KB

MD5
0a3b9b8fb940095debcf0e31f234d539

SHA1
8833b5658e50e6c88ac9b0dc03f203299a1cfd26

SHA256
0f491d164d156d9e40f8ebb625c27fdcf739b44c22b3bfba49b77ae6c70ff271

SHA512
6f62d6891211181cf0140895b1b4947b2afe8bb302251c374f58984a001e1573c735b382119de27660e8acdf439336d06260faaf8aa3b0cd150452b9701ef8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pyupydeoe.tmp

Filesize
784KB

MD5
c50c2f17112b6c6b0892cb2c1f502108

SHA1
3dd1444384bf790f5aa90ae95ef7745fa4cfaf72

SHA256
20dc61c5456ea5756f432aebecf74660acebf5ace0f7c8d1b360757ed79075d8

SHA512
bfbfc3a13816a12e25c373f6739215b9dff559fecfdf26c3358a452bdc833b6eaa64bbae316f4b29b9e9ce802e9f50c66b533c8c3c1b372025a7f0b7d8b452f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pyupydeoe.tmp

Filesize
784KB

MD5
c50c2f17112b6c6b0892cb2c1f502108

SHA1
3dd1444384bf790f5aa90ae95ef7745fa4cfaf72

SHA256
20dc61c5456ea5756f432aebecf74660acebf5ace0f7c8d1b360757ed79075d8

SHA512
bfbfc3a13816a12e25c373f6739215b9dff559fecfdf26c3358a452bdc833b6eaa64bbae316f4b29b9e9ce802e9f50c66b533c8c3c1b372025a7f0b7d8b452f1

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\main-high-contrast.dll

Filesize
784KB

MD5
9849efd173d03a102031edb2c3a1e339

SHA1
f7b7465b03ca47d3db9174887787749527b7353e

SHA256
36a79485f9ef48d262d00391a1138dcf35ad99c074dbcce0544393ae14eef91d

SHA512
7ad4ae227950bec9bfdbd5e3b58b3ac1c4d1a1c02a6b0ecfa1653421d8044add3fcd85022509fbb67626b306cac6ab645cb80b2f7e4ac24e76e29235edee766f

Download Submit
memory/992-142-0x0000000005B10000-0x0000000005C50000-memory.dmp

Filesize
1.2MB

Download
memory/992-140-0x0000000004E10000-0x0000000005962000-memory.dmp

Filesize
11.3MB

Download
memory/992-146-0x0000000005B10000-0x0000000005C50000-memory.dmp

Filesize
1.2MB

Download
memory/992-147-0x0000000005B10000-0x0000000005C50000-memory.dmp

Filesize
1.2MB

Download
memory/992-139-0x0000000004E10000-0x0000000005962000-memory.dmp

Filesize
11.3MB

Download
memory/992-143-0x0000000005B10000-0x0000000005C50000-memory.dmp

Filesize
1.2MB

Download
memory/992-141-0x0000000005B10000-0x0000000005C50000-memory.dmp

Filesize
1.2MB

Download
memory/992-145-0x0000000005B10000-0x0000000005C50000-memory.dmp

Filesize
1.2MB

Download
memory/992-153-0x0000000004E10000-0x0000000005962000-memory.dmp

Filesize
11.3MB

Download
memory/4132-169-0x0000000004C90000-0x00000000057E2000-memory.dmp

Filesize
11.3MB

Download
memory/4132-170-0x0000000004C90000-0x00000000057E2000-memory.dmp

Filesize
11.3MB

Download
memory/4308-152-0x0000020244C00000-0x0000020244EAC000-memory.dmp

Filesize
2.7MB

Download
memory/4308-150-0x0000020246650000-0x0000020246790000-memory.dmp

Filesize
1.2MB

Download
memory/4308-149-0x0000020246650000-0x0000020246790000-memory.dmp

Filesize
1.2MB

Download
memory/4308-151-0x0000000000920000-0x0000000000BBB000-memory.dmp

Filesize
2.6MB

Download
memory/4508-174-0x0000000003D30000-0x0000000004882000-memory.dmp

Filesize
11.3MB

Download
memory/4508-158-0x0000000003D30000-0x0000000004882000-memory.dmp

Filesize
11.3MB

Download
memory/4508-168-0x0000000003D30000-0x0000000004882000-memory.dmp

Filesize
11.3MB

Download
memory/4708-135-0x000000000315B000-0x0000000003233000-memory.dmp

Filesize
864KB

Download
memory/4708-136-0x0000000004AA0000-0x0000000004BB2000-memory.dmp

Filesize
1.1MB

Download
memory/4708-137-0x0000000000400000-0x0000000002D10000-memory.dmp

Filesize
41.1MB

Download
memory/4708-138-0x0000000000400000-0x0000000002D10000-memory.dmp

Filesize
41.1MB

Download