Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/01/2023, 15:20
Static task: static1
Behavioral task: behavioral1
Sample: 8109535327593a1bedfdca02434369e7524a393a769b766f8baa9c88fbce7d47.exe
Resource: win10v2004-20221111-en
General
Target: 8109535327593a1bedfdca02434369e7524a393a769b766f8baa9c88fbce7d47.exe
Size: 1.1MB
MD5: 83735f17dd18f712f9fbcefa521395da
SHA1: 30ebe706ec893dcb14ff0ce4eae6e548911d3459
SHA256: 8109535327593a1bedfdca02434369e7524a393a769b766f8baa9c88fbce7d47
SHA512: 4872228762a87819802e16f3b8226278cd4c6e5bc929d99b4cd8efb3cc059a7aa8b296eae5947b8fce9372d4a1d2e6f132446bdbd9923793d37020c9e836fa97
SSDEEP: 24576:ADe1yTyabX7slOCwjiYacsj0p4dmmseJJ+DFXoxoxa1+Ow+aE:AD8mfiYacsIafseJJ+OexvE
Malware Config
Signatures
Blocklisted process makes network request (3 IoCs)
flow | pid | Process
10 | 2120 | rundll32.exe
37 | 2120 | rundll32.exe
40 | 2120 | rundll32.exe
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\back-arrow-hover\Parameters\ServiceDll = "C:\\Program Files (x86)\\Microsoft\\Temp\\back-arrow-hover.dll" | rundll32.exe

Sets service image path in registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\back-arrow-hover\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | rundll32.exe

Read together, these two writes register a new svchost-hosted service named back-arrow-hover whose code is the dropped DLL under C:\Program Files (x86)\Microsoft\Temp. The C:\Windows\SysWOW64\svchost.exe -k LocalService process (PID 4024) in the process tree below is that service running: it loads the dropped DLL and spawns rundll32.exe to call into it.
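How a defender would turn those two registry writes into a hunt, as an added example that is not part of the tria.ge report: the script audits svchost-hosted services and flags any whose ServiceDll resolves outside %SystemRoot%, or whose name does not appear in the svchost group that its ImagePath names. The service records and the group table are constructed inline (the first record copies the report's values exactly; Dhcp and Spooler are benign stand-ins) and SYSTEM_ROOT is an assumed value for the analysed host. On a live machine the same dicts would be read from HKLM\SYSTEM\CurrentControlSet\Services\<name> and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.

```python
# Hunt for svchost-hosted services whose ServiceDll lives outside %SystemRoot%.
# Added example, not code from the tria.ge report. SERVICES and SVCHOST_GROUPS
# are constructed stand-ins for the registry; SYSTEM_ROOT is assumed.
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SYSTEM_ROOT = r"C:\Windows"  # assumed %SystemRoot% of the analysed host

# Constructed excerpt of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
# (group name -> services svchost is allowed to host in that group). Real tables
# are far longer; only what the example needs is listed.
SVCHOST_GROUPS: Dict[str, List[str]] = {
    "LocalService": ["WinHttpAutoProxySvc", "nsi", "lmhosts"],
    "LocalServiceNetworkRestricted": ["Dhcp", "EventLog"],
}

# Constructed service records: name -> values from HKLM\SYSTEM\...\Services\<name>.
SERVICES: Dict[str, Dict[str, Optional[str]]] = {
    # Exactly the two values the report shows rundll32.exe writing.
    "back-arrow-hover": {
        "ImagePath": r"C:\Windows\system32\svchost.exe -k LocalService",
        "ServiceDll": r"C:\Program Files (x86)\Microsoft\Temp\back-arrow-hover.dll",
    },
    # Benign: listed in its group, DLL under %SystemRoot%\System32.
    "Dhcp": {
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted -p",
        "ServiceDll": r"%SystemRoot%\system32\dhcpcore.dll",
    },
    # Benign: an ordinary executable service; the ServiceDll rules do not apply.
    "Spooler": {"ImagePath": r"%SystemRoot%\System32\spoolsv.exe", "ServiceDll": None},
}

_GROUP_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)


@dataclass
class Finding:
    service: str
    reasons: List[str] = field(default_factory=list)


def expand(path: str) -> str:
    """Expand %SystemRoot% and normalise case and separators for comparison."""
    return ntpath.normpath(path.replace("%SystemRoot%", SYSTEM_ROOT)).lower()


def svchost_group(image_path: str) -> Optional[str]:
    """Return the -k group name if the ImagePath says svchost hosts this service."""
    m = _GROUP_RE.search(image_path)
    return m.group(1) if m else None


def audit_service(name: str, rec: Dict[str, Optional[str]],
                  groups: Dict[str, List[str]] = SVCHOST_GROUPS) -> Optional[Finding]:
    group = svchost_group(rec.get("ImagePath") or "")
    if group is None:
        return None  # not svchost-hosted; a different check covers those
    reasons: List[str] = []
    dll = rec.get("ServiceDll")
    if not dll:
        reasons.append("svchost-hosted service has no Parameters\\ServiceDll")
    elif not expand(dll).startswith(expand(SYSTEM_ROOT) + "\\"):
        reasons.append(f"ServiceDll outside %SystemRoot%: {dll}")
    # svchost is told to host the service, yet no group lists it: the usual
    # footprint of a persistence entry written by hand rather than by an installer.
    if name not in groups.get(group, []):
        reasons.append(f"'{name}' is not registered in svchost group '{group}'")
    return Finding(name, reasons) if reasons else None


def audit(services: Dict[str, Dict[str, Optional[str]]] = SERVICES,
          groups: Dict[str, List[str]] = SVCHOST_GROUPS) -> List[Finding]:
    return [f for n, r in services.items() if (f := audit_service(n, r, groups))]


if __name__ == "__main__":
    for finding in audit():
        print(finding.service)
        for reason in finding.reasons:
            print("  -", reason)
```

Both rules fire for back-arrow-hover: the DLL sits under C:\Program Files (x86)\Microsoft\Temp, and no LocalService group entry names the service. Pair the path rule with an Authenticode check on the DLL before closing a finding either way; the path rule on its own already separates this entry from every Windows-shipped service.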
Loads dropped DLL (3 IoCs)
pid | Process
2120 | rundll32.exe
4024 | svchost.exe
2856 | rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | rundll32.exe

Accesses Microsoft Outlook profiles (1 TTP, 4 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2120 set thread context of 1940 | 2120 | rundll32.exe | 91
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\Temp\Pages_R_RHP.aapp | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\sendforcomments.svg | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_ecc.dll | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\32BitMAPIBroker.exe | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\FullTrustNotifier.exe | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\rename.svg | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\editpdf.svg | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\CollectSignatures.aapp | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner.gif | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\UnifiedShare.aapp | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\rename.svg | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\PDFSigQFormalRep.pdf | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\dependentlibs.list | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\blocklist.xml | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\Stamp.aapp | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\acrobat_parcel_generic_32.svg | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\back-arrow-hover.svg | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\Flash.mpp | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\back-arrow-hover.dll | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\ADelRCP.exe | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hy.txt | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fa.txt | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\UnifiedShare.aapp | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\stopwords.ENU | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\logsession.dll | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\freebl3.dll | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\A12_Spinner.gif | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\adobe_spinner.gif | rundll32.exe
File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-hover.svg | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\nppdf32.dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | rundll32.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforcomments.svg | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\reviewers.gif | rundll32.exe
File created | C:\Program Files (x86)\Microsoft\Temp\ccme_ecc.dll | rundll32.exe

Note the pairing in this list: with the single exception of back-arrow-hover.dll, every file created under C:\Program Files (x86)\Microsoft\Temp\ carries the name of a file opened for modification under the Adobe Acrobat Reader DC tree (Stamp.aapp, Flash.mpp, nppdf32.dll, ccme_ecc.dll, logsession.dll, reviewers.gif and so on), and the service DLL itself borrows the name of back-arrow-hover.svg. The dropped files are given legitimate-looking Adobe filenames inside a directory whose name imitates a Microsoft path. The 7-Zip and Mozilla Firefox entries are opens only; nothing with those names is created.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The signature's stock description calls this "likely ransomware behaviour", but nothing else in this report (no bulk file encryption, no ransom note) supports that reading; drive enumeration is equally common reconnaissance for a loader or infostealer, which is where the Outlook and browser-data signatures above point.
Program crash (1 IoC)
pid | pid_target | Process | procid_target
1992 | 4936 | WerFault.exe | 81
Checks processor information in registry (2 TTPs, 64 IoCs)
Processor information is often read in order to detect sandboxing environments.
All keys below are under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor; "(base)" is that key itself.
description | ioc | Process
Key value queried | 1\Configuration Data | rundll32.exe
Key opened | 1 | svchost.exe
Key value queried | 1\Component Information | svchost.exe
Key value queried | 1\Identifier | svchost.exe
Key value queried | 1\Update Revision | svchost.exe
Key value queried | 0\Identifier | rundll32.exe
Key value queried | 1\ProcessorNameString | rundll32.exe
Key value queried | 0\Identifier | svchost.exe
Key value queried | 0\FeatureSet | rundll32.exe
Key value enumerated | 0 | rundll32.exe
Key value enumerated | 1 | rundll32.exe
Key value queried | 1\Platform Specific Field 1 | rundll32.exe
Key opened | (base) | svchost.exe
Key value enumerated | 1 | svchost.exe
Key value queried | 1\FeatureSet | svchost.exe
Key value enumerated | 1 | rundll32.exe
Key value enumerated | 0 | svchost.exe
Key value queried | 1\Configuration Data | svchost.exe
Key value queried | 1\Component Information | rundll32.exe
Key value queried | 1\Update Status | rundll32.exe
Key value queried | 1\FeatureSet | rundll32.exe
Key value queried | 1\Identifier | rundll32.exe
Key value queried | 0\Identifier | rundll32.exe
Key value queried | 0\Configuration Data | svchost.exe
Key value queried | 1\Update Status | svchost.exe
Key value queried | 0\ProcessorNameString | rundll32.exe
Key opened | (base) | rundll32.exe
Key value queried | 0\FeatureSet | svchost.exe
Key value queried | 1\Update Revision | rundll32.exe
Key value queried | 0\Platform Specific Field 1 | rundll32.exe
Key value queried | 1\VendorIdentifier | rundll32.exe
Key value queried | 0\Previous Update Revision | rundll32.exe
Key opened | 1 | rundll32.exe
Key value queried | 0\~MHz | rundll32.exe
Key value queried | 1\ProcessorNameString | rundll32.exe
Key value queried | 0\Update Revision | svchost.exe
Key value enumerated | 0 | rundll32.exe
Key value queried | 0\ProcessorNameString | svchost.exe
Key value queried | 0\Previous Update Revision | rundll32.exe
Key value queried | 0\Update Status | rundll32.exe
Key opened | 0 | svchost.exe
Key value queried | 0\VendorIdentifier | svchost.exe
Key value queried | 0\Update Status | svchost.exe
Key value queried | 0\Previous Update Revision | svchost.exe
Key opened | 0 | rundll32.exe
Key value queried | 0\Component Information | rundll32.exe
Key enumerated | (base) | rundll32.exe
Key value queried | 0\VendorIdentifier | rundll32.exe
Key value queried | 1\Update Revision | rundll32.exe
Key value queried | 1\ProcessorNameString | svchost.exe
Key value queried | 0\Update Revision | rundll32.exe
Key value queried | 1\Previous Update Revision | rundll32.exe
Key opened | 1 | rundll32.exe
Key value queried | 0\Platform Specific Field 1 | rundll32.exe
Key value queried | 0\ProcessorNameString | rundll32.exe
Key enumerated | (base) | svchost.exe
Key value queried | 1\Identifier | rundll32.exe
Key opened | 0 | rundll32.exe
Key value queried | 1\~MHz | rundll32.exe
Key opened | (base) | rundll32.exe
Key value queried | 1\FeatureSet | rundll32.exe
Key value queried | 0\VendorIdentifier | rundll32.exe
Key value queried | 0\Update Status | rundll32.exe
Key value queried | 1\Component Information | svchost.exe
Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | rundll32.exe

Modifies system certificate store (2 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\36C1F9CB60E75FE77A3A86E5322BCAE022F8BDE2\Blob = (certificate blob not reproduced on this page) | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\36C1F9CB60E75FE77A3A86E5322BCAE022F8BDE2 | rundll32.exe

Creating a key under SystemCertificates\ROOT\Certificates and writing its Blob value installs a certificate into the machine's trusted root store; the key name is the certificate's SHA-1 thumbprint. Whether 36C1F9CB60E75FE77A3A86E5322BCAE022F8BDE2 is attacker-controlled cannot be decided from this page, since the blob is not shown. What can be checked is the actor: the write comes from rundll32.exe PID 2120, the process hosting the dropped module, not from the automatic root update that normally populates this key.
Suspicious behavior: EnumeratesProcesses (24 IoCs)
pid | Process
4024 | svchost.exe
4024 | svchost.exe
2120 | rundll32.exe
2120 | rundll32.exe
2120 | rundll32.exe
2120 | rundll32.exe
2120 | rundll32.exe
2120 | rundll32.exe
4024 | svchost.exe
4024 | svchost.exe
4024 | svchost.exe
4024 | svchost.exe
4024 | svchost.exe
4024 | svchost.exe
4024 | svchost.exe
4024 | svchost.exe
2120 | rundll32.exe
2120 | rundll32.exe
4024 | svchost.exe
4024 | svchost.exe
4024 | svchost.exe
4024 | svchost.exe
4024 | svchost.exe
4024 | svchost.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2120 | rundll32.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1940 | rundll32.exe
2120 | rundll32.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 4936 wrote to memory of 2120 | 4936 | 8109535327593a1bedfdca02434369e7524a393a769b766f8baa9c88fbce7d47.exe | 84
PID 4936 wrote to memory of 2120 | 4936 | 8109535327593a1bedfdca02434369e7524a393a769b766f8baa9c88fbce7d47.exe | 84
PID 4936 wrote to memory of 2120 | 4936 | 8109535327593a1bedfdca02434369e7524a393a769b766f8baa9c88fbce7d47.exe | 84
PID 2120 wrote to memory of 1940 | 2120 | rundll32.exe | 91
PID 2120 wrote to memory of 1940 | 2120 | rundll32.exe | 91
PID 2120 wrote to memory of 1940 | 2120 | rundll32.exe | 91
PID 4024 wrote to memory of 2856 | 4024 | svchost.exe | 95
PID 4024 wrote to memory of 2856 | 4024 | svchost.exe | 95
PID 4024 wrote to memory of 2856 | 4024 | svchost.exe | 95
PID 2120 wrote to memory of 2752 | 2120 | rundll32.exe | 97
PID 2120 wrote to memory of 2752 | 2120 | rundll32.exe | 97
PID 2120 wrote to memory of 2752 | 2120 | rundll32.exe | 97
PID 2120 wrote to memory of 4508 | 2120 | rundll32.exe | 99
PID 2120 wrote to memory of 4508 | 2120 | rundll32.exe | 99
PID 2120 wrote to memory of 4508 | 2120 | rundll32.exe | 99
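The SetThreadContext row earlier in the list and the WriteProcessMemory rows here only become an injection verdict when read together: every parent in the tree writes into the children it creates, so a write on its own is weak evidence, but exactly one target, PID 1940 (the rundll32.exe hosting shell32.dll,#61), receives both a memory write and a thread-context change from the same source, PID 2120. The script below is an added example, not part of the tria.ge report, that encodes that correlation. Its EVENTS and PARENT tables are transcribed from the report's two signature tables and its process tree; because the rows carry no timestamps it ignores ordering, which real telemetry should not; the sample filename is used only as a label.

```python
# Correlate WriteProcessMemory and SetThreadContext rows into an injection verdict.
# Added example, not code from the tria.ge report. EVENTS/PARENT/PROCESS are
# transcribed from the report's tables; nothing here is live telemetry.
from collections import Counter
from typing import Dict, List, Tuple

Pair = Tuple[int, int]  # (source pid, target pid)

SAMPLE = "8109535327593a1bedfdca02434369e7524a393a769b766f8baa9c88fbce7d47.exe"
PROCESS: Dict[int, str] = {
    4936: SAMPLE, 2120: "rundll32.exe", 1940: "rundll32.exe",
    2752: "schtasks.exe", 4508: "schtasks.exe",
    4024: "svchost.exe", 2856: "rundll32.exe",
}
# child -> parent, read off the report's process tree
PARENT: Dict[int, int] = {2120: 4936, 1940: 2120, 2752: 2120, 4508: 2120, 2856: 4024}

# (api, source pid, target pid); the report repeats each write three times
EVENTS: List[Tuple[str, int, int]] = (
    [("WriteProcessMemory", 4936, 2120)] * 3
    + [("WriteProcessMemory", 2120, 1940)] * 3
    + [("WriteProcessMemory", 4024, 2856)] * 3
    + [("WriteProcessMemory", 2120, 2752)] * 3
    + [("WriteProcessMemory", 2120, 4508)] * 3
    + [("SetThreadContext", 2120, 1940)]
)


def classify(events=EVENTS, parent=PARENT) -> Dict[Pair, str]:
    """Give each (source, target) pair one verdict string."""
    writes = Counter((s, t) for api, s, t in events if api == "WriteProcessMemory")
    ctx = {(s, t) for api, s, t in events if api == "SetThreadContext"}
    verdicts: Dict[Pair, str] = {}
    for pair in writes:
        src, dst = pair
        if pair in ctx:
            # memory written into the target and then one of its threads
            # redirected: the hollowing / thread-hijack footprint
            verdicts[pair] = "inject: write+SetThreadContext"
        elif parent.get(dst) == src:
            # a parent writing into a child it just created is what every
            # CreateProcess looks like from this vantage point; low signal alone
            verdicts[pair] = "low: parent->child write"
        else:
            verdicts[pair] = "cross-process write"
    for pair in ctx - set(writes):
        verdicts[pair] = "context change without write"
    return verdicts


def injection_targets(verdicts: Dict[Pair, str]) -> List[Pair]:
    return sorted(p for p, v in verdicts.items() if v.startswith("inject"))


def lineage(pid: int, parent=PARENT) -> List[int]:
    """pid followed by its ancestors, as far as the tree goes."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain


if __name__ == "__main__":
    verdicts = classify()
    for (s, t), verdict in sorted(verdicts.items()):
        print(f"{s} {PROCESS[s]} -> {t} {PROCESS[t]}: {verdict}")
    for _, target in injection_targets(verdicts):
        print("injected process lineage:",
              " <- ".join(f"{p} ({PROCESS[p]})" for p in lineage(target)))
```

The verdict for (2120, 1940) is the one worth an alert; the four parent-to-child writes are the same thing a benign installer produces. When the same logic runs over EDR events, keep the write-before-context-change ordering and add the third leg the report does not expose as a row, the ResumeThread or NtResumeThread that follows.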
outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Processes
Indentation shows the parent/child relationship; the number before each entry is the tree depth as tria.ge displays it.

1  C:\Users\Admin\AppData\Local\Temp\8109535327593a1bedfdca02434369e7524a393a769b766f8baa9c88fbce7d47.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\8109535327593a1bedfdca02434369e7524a393a769b766f8baa9c88fbce7d47.exe"
   PID: 4936
   signatures: Suspicious use of WriteProcessMemory

  2  C:\Windows\SysWOW64\rundll32.exe
     command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ryfererfh.tmp",Fwpthq
     PID: 2120
     signatures: Blocklisted process makes network request; Sets DLL path for service in the registry; Sets service image path in registry; Loads dropped DLL; Accesses Microsoft Outlook accounts; Accesses Microsoft Outlook profiles; Suspicious use of SetThreadContext; Drops file in Program Files directory; Checks processor information in registry; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path

    3  C:\Windows\system32\rundll32.exe
       command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 22789
       PID: 1940
       signatures: Modifies registry class; Suspicious use of FindShellTrayWindow

    3  C:\Windows\SysWOW64\schtasks.exe
       command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
       PID: 2752

    3  C:\Windows\SysWOW64\schtasks.exe
       command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
       PID: 4508

  2  C:\Windows\SysWOW64\WerFault.exe
     command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 560
     PID: 1992
     signatures: Program crash

1  C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4936 -ip 4936
   PID: 2036

1  C:\Windows\System32\rundll32.exe
   command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
   PID: 428

1  C:\Windows\SysWOW64\svchost.exe
   command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
   PID: 4024
   signatures: Loads dropped DLL; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

  2  C:\Windows\SysWOW64\rundll32.exe
     command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\microsoft\temp\back-arrow-hover.dll",gkBCQjdCcQ==
     PID: 2856
     signatures: Loads dropped DLL; Checks processor information in registry
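The tree contains four rundll32.exe invocations: two load the Windows-shipped shell32.dll (by ordinal #61 and by SHCreateLocalServerRunDll; the first of those, PID 1940, is the injection target named under SetThreadContext, so its command line is not where its signal lives), and two load the dropped modules Ryfererfh.tmp and back-arrow-hover.dll through the exports Fwpthq and gkBCQjdCcQ==. The parser below is an added example, not code from the report or from tria.ge: it splits a rundll32 command line into module, entry point and arguments and applies four heuristics (module without a .dll extension, module under a temp or profile directory, module outside %SystemRoot%, padded-base64-looking entry name). The command lines are the ones shown in the tree, SYSTEM_ROOT is an assumption about the analysed host, and the rules are a first pass rather than an allow-list.

```python
# Triage rundll32 command lines: which module, loaded from where, via which entry point.
# Added example, not code from the tria.ge report. CONSTRUCTED_TREE repeats the
# command lines shown in the report's process tree; SYSTEM_ROOT is assumed.
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYSTEM_ROOT = r"C:\Windows"  # assumed %SystemRoot% of the analysed host

CONSTRUCTED_TREE = [
    r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ryfererfh.tmp",Fwpthq',
    r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 22789',
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding',
    r'"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\microsoft\temp\back-arrow-hover.dll",gkBCQjdCcQ==',
    r'C:\Windows\SysWOW64\svchost.exe -k LocalService',  # not rundll32; must be skipped
]

# "<dir\>rundll32[.exe]" with optional quotes, then the rest of the command line
_HOST_RE = re.compile(r'^"?(?:[A-Za-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.+)$', re.IGNORECASE)
# rundll32 syntax: <module>,<entry> [args]; the module may be quoted, the entry
# may be "#ordinal". The comma form is the one the report shows; the
# space-separated variant rundll32 also accepts is not handled here.
_ARGS_RE = re.compile(r'^(?:"([^"]*)"|(\S+?))(?:,(\S+))?(?:\s+(.*))?$')
# padded base64 only; unpadded or merely random export names need another test
_B64_RE = re.compile(r'^[A-Za-z0-9+/]+={1,2}$')


@dataclass
class RunDllCall:
    module: str
    entry: Optional[str]
    args: str
    flags: List[str]


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Return (module, entry, args) for a rundll32 command line, else None."""
    host = _HOST_RE.match(cmdline.strip())
    if not host:
        return None
    m = _ARGS_RE.match(host.group(1).strip())
    if not m:
        return None
    module = m.group(1) if m.group(1) is not None else m.group(2)
    return module, m.group(3), m.group(4) or ""


def triage(cmdline: str) -> Optional[RunDllCall]:
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    module, entry, args = parsed
    low = ntpath.normpath(module).lower()
    flags: List[str] = []
    if ntpath.splitext(low)[1] != ".dll":
        flags.append("module-not-dll")               # e.g. a .tmp executed as code
    if "\\temp\\" in low or "\\appdata\\" in low:
        flags.append("module-in-temp-or-profile")
    if not low.startswith(SYSTEM_ROOT.lower() + "\\"):
        flags.append("module-outside-systemroot")    # worth a look, not proof by itself
    if entry and _B64_RE.fullmatch(entry):
        flags.append("entry-looks-base64")           # exports are not normally padded base64
    return RunDllCall(module, entry, args, flags)


def triage_all(cmdlines=CONSTRUCTED_TREE) -> List[RunDllCall]:
    return [call for c in cmdlines if (call := triage(c))]


if __name__ == "__main__":
    for call in triage_all():
        print(f"{call.module} , {call.entry!r} -> {call.flags or 'clean'}")
```

Only the two dropped modules raise flags; both shell32.dll calls come back clean, including the one for PID 1940. That is the limit of command-line rules: the evidence against PID 1940 is in the memory-write and thread-context rows, so a rundll32 rule belongs beside process-injection telemetry rather than in place of it.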
Network
MITRE ATT&CK Enterprise v6
Downloads

(path not captured on this page)
Filesize: 817KB
MD5: 04944752e093ced72012cecb1b2889f7
SHA1: 2c7f25b9350038f36f286a9a8d49ded89260b9ed
SHA256: 6b778fca7bdee2c754108987ec7c085a4e30c707ac7ac71290c2f2c920bfde25
SHA512: 49126d797a1ad6c24941744012d22d51bde409914b56b7d631e34cb85e8dc012f34ab61ca1cd9ca675fed868b12a7cb2dc073c4afd3de7a5f9bd3b01cae7bfc9
(this file is listed three times in the report)

C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\1527c705-839a-4832-9118-54d4Bd6a0c89_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
Filesize: 2KB
MD5: d2d725a3c34b3597b164a038ec06085a
SHA1: 52eb2334afeccafd46b205de0d2c7306cb7b7c8d
SHA256: 01bc9a89105cebd77ff81b814f794a71cbccf40f4d3e663758e63e202f5e1f00
SHA512: 6f23fc81a4a5308966892ef880048ff079aec5968af5d6fcc0315c05533d597865b0572d18e0368da4ff85c9136b87a4cb9e878bc28738a18025d576b5a3f306

(path not captured on this page)
Filesize: 32KB
MD5: 4e40dbba4bf3ea44a50ff74457aaf232
SHA1: 1b79ebb121abfb9c431852f0f783dfd89ec19f01
SHA256: 0580713efb76985a3b2157d6f0b08665f8084243caad401a1faf53900564f935
SHA512: 0fbd8723391dfc132e24068c2c79094cc788cd9e996eac81f07f7c6c44904cc483eedb4a6ae116cdbff8d35b769179635a71ef1a95882a356ce73e56f10a2790

(path not captured on this page)
Filesize: 3.5MB
MD5: 2140d9c615363bd6a66b551411375b89
SHA1: a3c05538eb384189bf3b194923806d0c55b27692
SHA256: 595cd43db10ac87ab472449d14617d3a4f770bbc5692cca700a3537778c23aed
SHA512: dcab34c63d786bfd5dcce83d3960944b77cf45fe8a712e23ac75ac8a3a653415bb3e0cf85e2e047fc1eea949df6818e5d80989a69745ac914b3137b9460c71ab

(path not captured on this page)
Filesize: 27KB
MD5: 82c3ab31834272e4118e925922249240
SHA1: a116ca5af39e39b7d4234c2c0cd6a91bff6727af
SHA256: 25b87fbabbec1d49eae7cf47c3d659cb6c99eb82203e90eee6035b21b425b5ef
SHA512: 4d3eaec898ef47e9b6039bcd481a06001263e7fcbc9303974423f90058a4d91494392427ca35dced5db642e8692580f24cb761b27a60e3288f15aefd8dbdb647

C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe.xml
Filesize: 2KB
MD5: c8d6f0d26db52746e243b785c269cacd
SHA1: b06dc537fb0bbd424c0bb0c7a5ee0a85839e04f1
SHA256: d3352e34ef1b362934f938a2c2710261ca18c5e5e4922167a73539d945a95e21
SHA512: c674886978f91b35978544ad18ceb54aa7b2d8dfd8d9e0ddb752854ef211539e79a24d553d9a1a91c7e6711743e2bbd70c24611dac063c2d61379cc7f8ef3020

C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe.xml
Filesize: 4KB
MD5: 9591376a696c8d916d929921053db03a
SHA1: 1ef94fd4f2cf9b0a3ba2557341a32b2d84c7b6f7
SHA256: 8b7ca1886f228bf4a4d4ebd5e053f8188ba2ddc988424c56460c85e6b4a70d67
SHA512: c6776f57892e8fa31c255b3a2d2de5a523b9eebed5a1dd1894ef02a5ecd21da9fae241485d605aa617e1c2b78dea9206704579b26abe98f497903013301ef387

(path not captured on this page)
Filesize: 12KB
MD5: 879dbf8cded6ac59df3fb0f32aa9eec6
SHA1: 844be6baee27e23e5821491fc9532269b1143142
SHA256: 3e0f02c2bd9c695d43963c9085e496ab42e7914bdc05f511d56442883c6c9687
SHA512: 2d3be800531b56ea768c458fbcb2a563df27a2c981b6e0203dd98559eda4772c93588374b12b5a239de64e63f0b922556bcccd68a3ea4ffcbb8e53740a9e65ab

C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml
Filesize: 3KB
MD5: 1a3168a15983b890b16390a23a89a02e
SHA1: d56ce16d88d79159a27c2d1cd3770dc56d897ebe
SHA256: 334782208e9520975f597b19a273fcc6f3a8a7caffd2e4fb22213f6b957f4946
SHA512: f2be33992fd70d90eb94973c19924229bb70da4ce21c9777cfccbf56b0635452b382d2846afe2b0cc80a83d3b6a2c855557855cfb22fc681d182b2b605daa668

(path not captured on this page)
Filesize: 14KB
MD5: fffde3df0d91311b7fe3f9bc8642a9ec
SHA1: 50987906817aab51e2cc29fbce47ac5f0936a44e
SHA256: bda9df3591bf7f67d4b31d23cffdcf927da6f00ae1b393f07aea69ba1c4344bc
SHA512: 5e0766c25f54b03ca0325966ba059c bfb9cdb0aeae567106583fdff944d67522516acabb9b261e2fd434c1a5af5c5453a09c9dc494008253b0553a993c01d3d3

(path not captured on this page)
Filesize: 9KB
MD5: f35965aa615dd128c2b95cfe925145c3
SHA1: 57346050388048feb8034d5011b105018483b4a0
SHA256: ea9674d42081557b34958b2f7085f8d3865e71660d8f36258fa1c088d90d2398
SHA512: 82767fdf269f813b5d39bb44c481f01678f9eab332ecc42f11d5a4f00a1970a6dd1875d30a98042113d37b04e501414b33e18abf2ab2a7995e5e773489f9cd82

(path not captured on this page)
Filesize: 8KB
MD5: 23a86b20cf66dfd2d0f47677ed4e4264
SHA1: e305170714392447308c804f73458bb9c069ef5a
SHA256: 3185553519527ae7613eb80e9ead2874b0d7cce0bff2a75bdfad945709dd9043
SHA512: 933943b152684c5b4aba6d326100fa2d99c56966139ebc4abae690a93bb4dec4fc2229c9f042c979d40d1250006f91424fc9a005659e336df9e9d99a419b8755

(path not captured on this page)
Filesize: 1KB
MD5: 93a100713ff56b66e15f984d3100aab7
SHA1: 4ffb9e5c0d7687a38cc9b9f767bd4b9d4a325656
SHA256: 0c80edf0d6699061728f917d731ea29e7ad3c7f2ea067d4510a01369255cbd26
SHA512: df8b5e56e9dcf0c3e4737e8ab878a4182c757d731f8e893c0285fa5e5d89faec75f4f1f0e8fbf2d502a28632410198ae6dfed82ac5a593d23cf5c2bd59c3c4fc

(path not captured on this page)
Filesize: 12KB
MD5: f9f25c79e2df9c8c8209b5d052a557b0
SHA1: 2d4a14e2df96245a599bacb530e396c2900a5b61
SHA256: 385214231d70603caaf00c1f2e9f115be35cc603d289dd878069f9933aa591b5
SHA512: 7c9d68d4f96cef25f4703fe4db68fda9689308df759ef05666421c74f0e57b4c25fa8d1c6cf9e5a6a0e9a81d230669b8656279076e60ebfd1ba5b56770fa4ca2

(path not captured on this page)
Filesize: 817KB
MD5: 0a6c58fc386c9a4d7d43b809447f3eac
SHA1: b07d0ae1180e21bf79b3b720d9e03e2b7982972d
SHA256: d71c0aaec63294fb11af30ff408e94b5fff656149da01e3f7a97e3026580d5c2
SHA512: e2d08ae110f30257daa9341d1e3c91d6c50f6b32107d1e1ca0badcce872d09ac3d3a3998f26b1f93c3b1937317ce5ea240652d1b784c5a4d2e30273c19a9b6ad
(this file is listed twice in the report)