8109535327593a1bedfdca02434369e7524a393a769b766f8baa9c88fbce7d47

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2023, 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8109535327593a1bedfdca02434369e7524a393a769b766f8baa9c88fbce7d47.exe
Size

1.1MB
MD5

83735f17dd18f712f9fbcefa521395da
SHA1

30ebe706ec893dcb14ff0ce4eae6e548911d3459
SHA256

8109535327593a1bedfdca02434369e7524a393a769b766f8baa9c88fbce7d47
SHA512

4872228762a87819802e16f3b8226278cd4c6e5bc929d99b4cd8efb3cc059a7aa8b296eae5947b8fce9372d4a1d2e6f132446bdbd9923793d37020c9e836fa97
SSDEEP

24576:ADe1yTyabX7slOCwjiYacsj0p4dmmseJJ+DFXoxoxa1+Ow+aE:AD8mfiYacsIafseJJ+OexvE

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
10	2120	rundll32.exe
37	2120	rundll32.exe
40	2120	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\back-arrow-hover\Parameters\ServiceDll = "C:\\Program Files (x86)\\Microsoft\\Temp\\back-arrow-hover.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\back-arrow-hover\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
2120	rundll32.exe
4024	svchost.exe
2856	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2120 set thread context of 1940	2120	rundll32.exe	91

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Temp\Pages_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\sendforcomments.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_ecc.dll	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\32BitMAPIBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\FullTrustNotifier.exe	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\rename.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\editpdf.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\CollectSignatures.aapp	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner.gif	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\UnifiedShare.aapp	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\rename.svg	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\blocklist.xml	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\Stamp.aapp	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\acrobat_parcel_generic_32.svg	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\back-arrow-hover.svg	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\Flash.mpp	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\back-arrow-hover.dll	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\ADelRCP.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\UnifiedShare.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\stopwords.ENU	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\logsession.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\freebl3.dll	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\A12_Spinner.gif	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\adobe_spinner.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-hover.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforcomments.svg	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\reviewers.gif	rundll32.exe
File created	C:\Program Files (x86)\Microsoft\Temp\ccme_ecc.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1992	4936	WerFault.exe	81

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\36C1F9CB60E75FE77A3A86E5322BCAE022F8BDE2\Blob = 03000000010000001400000036c1f9cb60e75fe77a3a86e5322bcae022f8bde22000000001000000230200003082021f30820188a00302010202085e5d5e3348d56849300d06092a864886f70d01010b0500302f312d302b06035504030c244d7063726f736f667420526f6f7420436572746966696361746520417574686f72697479301e170d3231303131303136323233305a170d3235303130393136323233305a302f312d302b06035504030c244d7063726f736f667420526f6f7420436572746966696361746520417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100dda94fa6635ec73e9f8ce02c482d530b1c644952c765f0c56a4989c718efe272d190fbdaef24f2bc322fe9a32e2df2134884cf4b761a87f9251c86ff005f26dd6eab48a2400af56db2d8841b2c2d641f8861cfe0bbe5e447366a22be93b9c2a1fddbb2a7364ad4d9d34368f33730735e4601e7fb3897d29e86b449a8418a2bc10203010001a3443042300f0603551d130101ff040530030101ff302f0603551d110428302682244d7063726f736f667420526f6f7420436572746966696361746520417574686f72697479300d06092a864886f70d01010b050003818100d79e44c46a1a602a2e8a5fd7861326710eff49d8c0b92edf3fa732ca36ecea795a9b66a58fb196698f9d1b32de25447686fa29b2c16bbaec6e74a3c6b08dab82f56c7da1b14a77f01c3a7ba33548224484668d07b8c4c543fb24d8e35cd55507f8eeead6ffd4d8d811ea49e992f7a2477bf22fa324193587ee87dc255cdddac3	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\36C1F9CB60E75FE77A3A86E5322BCAE022F8BDE2	rundll32.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4024	svchost.exe
4024	svchost.exe
2120	rundll32.exe
2120	rundll32.exe
2120	rundll32.exe
2120	rundll32.exe
2120	rundll32.exe
2120	rundll32.exe
4024	svchost.exe
4024	svchost.exe
4024	svchost.exe
4024	svchost.exe
4024	svchost.exe
4024	svchost.exe
4024	svchost.exe
4024	svchost.exe
2120	rundll32.exe
2120	rundll32.exe
4024	svchost.exe
4024	svchost.exe
4024	svchost.exe
4024	svchost.exe
4024	svchost.exe
4024	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1940	rundll32.exe
2120	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 2120	4936	8109535327593a1bedfdca02434369e7524a393a769b766f8baa9c88fbce7d47.exe	84
PID 4936 wrote to memory of 2120	4936	8109535327593a1bedfdca02434369e7524a393a769b766f8baa9c88fbce7d47.exe	84
PID 4936 wrote to memory of 2120	4936	8109535327593a1bedfdca02434369e7524a393a769b766f8baa9c88fbce7d47.exe	84
PID 2120 wrote to memory of 1940	2120	rundll32.exe	91
PID 2120 wrote to memory of 1940	2120	rundll32.exe	91
PID 2120 wrote to memory of 1940	2120	rundll32.exe	91
PID 4024 wrote to memory of 2856	4024	svchost.exe	95
PID 4024 wrote to memory of 2856	4024	svchost.exe	95
PID 4024 wrote to memory of 2856	4024	svchost.exe	95
PID 2120 wrote to memory of 2752	2120	rundll32.exe	97
PID 2120 wrote to memory of 2752	2120	rundll32.exe	97
PID 2120 wrote to memory of 2752	2120	rundll32.exe	97
PID 2120 wrote to memory of 4508	2120	rundll32.exe	99
PID 2120 wrote to memory of 4508	2120	rundll32.exe	99
PID 2120 wrote to memory of 4508	2120	rundll32.exe	99

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8109535327593a1bedfdca02434369e7524a393a769b766f8baa9c88fbce7d47.exe
"C:\Users\Admin\AppData\Local\Temp\8109535327593a1bedfdca02434369e7524a393a769b766f8baa9c88fbce7d47.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ryfererfh.tmp",Fwpthq
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2120
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 22789
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1940
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 560
  2⤵
  - Program crash
  PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4936 -ip 4936
1⤵
PID:2036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:428

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\microsoft\temp\back-arrow-hover.dll",gkBCQjdCcQ==
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:2856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Temp\back-arrow-hover.dll

Filesize
817KB

MD5
04944752e093ced72012cecb1b2889f7

SHA1
2c7f25b9350038f36f286a9a8d49ded89260b9ed

SHA256
6b778fca7bdee2c754108987ec7c085a4e30c707ac7ac71290c2f2c920bfde25

SHA512
49126d797a1ad6c24941744012d22d51bde409914b56b7d631e34cb85e8dc012f34ab61ca1cd9ca675fed868b12a7cb2dc073c4afd3de7a5f9bd3b01cae7bfc9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\back-arrow-hover.dll

Filesize
817KB

MD5
04944752e093ced72012cecb1b2889f7

SHA1
2c7f25b9350038f36f286a9a8d49ded89260b9ed

SHA256
6b778fca7bdee2c754108987ec7c085a4e30c707ac7ac71290c2f2c920bfde25

SHA512
49126d797a1ad6c24941744012d22d51bde409914b56b7d631e34cb85e8dc012f34ab61ca1cd9ca675fed868b12a7cb2dc073c4afd3de7a5f9bd3b01cae7bfc9

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\1527c705-839a-4832-9118-54d4Bd6a0c89_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml

Filesize
2KB

MD5
d2d725a3c34b3597b164a038ec06085a

SHA1
52eb2334afeccafd46b205de0d2c7306cb7b7c8d

SHA256
01bc9a89105cebd77ff81b814f794a71cbccf40f4d3e663758e63e202f5e1f00

SHA512
6f23fc81a4a5308966892ef880048ff079aec5968af5d6fcc0315c05533d597865b0572d18e0368da4ff85c9136b87a4cb9e878bc28738a18025d576b5a3f306

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\EventStore.db

Filesize
32KB

MD5
4e40dbba4bf3ea44a50ff74457aaf232

SHA1
1b79ebb121abfb9c431852f0f783dfd89ec19f01

SHA256
0580713efb76985a3b2157d6f0b08665f8084243caad401a1faf53900564f935

SHA512
0fbd8723391dfc132e24068c2c79094cc788cd9e996eac81f07f7c6c44904cc483eedb4a6ae116cdbff8d35b769179635a71ef1a95882a356ce73e56f10a2790

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\Iipyptyehff.tmp

Filesize
3.5MB

MD5
2140d9c615363bd6a66b551411375b89

SHA1
a3c05538eb384189bf3b194923806d0c55b27692

SHA256
595cd43db10ac87ab472449d14617d3a4f770bbc5692cca700a3537778c23aed

SHA512
dcab34c63d786bfd5dcce83d3960944b77cf45fe8a712e23ac75ac8a3a653415bb3e0cf85e2e047fc1eea949df6818e5d80989a69745ac914b3137b9460c71ab

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\MasterDescriptor.x-none.xml

Filesize
27KB

MD5
82c3ab31834272e4118e925922249240

SHA1
a116ca5af39e39b7d4234c2c0cd6a91bff6727af

SHA256
25b87fbabbec1d49eae7cf47c3d659cb6c99eb82203e90eee6035b21b425b5ef

SHA512
4d3eaec898ef47e9b6039bcd481a06001263e7fcbc9303974423f90058a4d91494392427ca35dced5db642e8692580f24cb761b27a60e3288f15aefd8dbdb647

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe.xml

Filesize
2KB

MD5
c8d6f0d26db52746e243b785c269cacd

SHA1
b06dc537fb0bbd424c0bb0c7a5ee0a85839e04f1

SHA256
d3352e34ef1b362934f938a2c2710261ca18c5e5e4922167a73539d945a95e21

SHA512
c674886978f91b35978544ad18ceb54aa7b2d8dfd8d9e0ddb752854ef211539e79a24d553d9a1a91c7e6711743e2bbd70c24611dac063c2d61379cc7f8ef3020

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe.xml

Filesize
4KB

MD5
9591376a696c8d916d929921053db03a

SHA1
1ef94fd4f2cf9b0a3ba2557341a32b2d84c7b6f7

SHA256
8b7ca1886f228bf4a4d4ebd5e053f8188ba2ddc988424c56460c85e6b4a70d67

SHA512
c6776f57892e8fa31c255b3a2d2de5a523b9eebed5a1dd1894ef02a5ecd21da9fae241485d605aa617e1c2b78dea9206704579b26abe98f497903013301ef387

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\MicrosoftOffice2013BackupWin32.xml

Filesize
12KB

MD5
879dbf8cded6ac59df3fb0f32aa9eec6

SHA1
844be6baee27e23e5821491fc9532269b1143142

SHA256
3e0f02c2bd9c695d43963c9085e496ab42e7914bdc05f511d56442883c6c9687

SHA512
2d3be800531b56ea768c458fbcb2a563df27a2c981b6e0203dd98559eda4772c93588374b12b5a239de64e63f0b922556bcccd68a3ea4ffcbb8e53740a9e65ab

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml

Filesize
3KB

MD5
1a3168a15983b890b16390a23a89a02e

SHA1
d56ce16d88d79159a27c2d1cd3770dc56d897ebe

SHA256
334782208e9520975f597b19a273fcc6f3a8a7caffd2e4fb22213f6b957f4946

SHA512
f2be33992fd70d90eb94973c19924229bb70da4ce21c9777cfccbf56b0635452b382d2846afe2b0cc80a83d3b6a2c855557855cfb22fc681d182b2b605daa668

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\Pending.GRL

Filesize
14KB

MD5
fffde3df0d91311b7fe3f9bc8642a9ec

SHA1
50987906817aab51e2cc29fbce47ac5f0936a44e

SHA256
bda9df3591bf7f67d4b31d23cffdcf927da6f00ae1b393f07aea69ba1c4344bc

SHA512
5e0766c25f54b03ca0325966ba059cbfb9cdb0aeae567106583fdff944d67522516acabb9b261e2fd434c1a5af5c5453a09c9dc494008253b0553a993c01d3d3

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\SettingsLocationTemplate.xsd

Filesize
9KB

MD5
f35965aa615dd128c2b95cfe925145c3

SHA1
57346050388048feb8034d5011b105018483b4a0

SHA256
ea9674d42081557b34958b2f7085f8d3865e71660d8f36258fa1c088d90d2398

SHA512
82767fdf269f813b5d39bb44c481f01678f9eab332ecc42f11d5a4f00a1970a6dd1875d30a98042113d37b04e501414b33e18abf2ab2a7995e5e773489f9cd82

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\edb.chk

Filesize
8KB

MD5
23a86b20cf66dfd2d0f47677ed4e4264

SHA1
e305170714392447308c804f73458bb9c069ef5a

SHA256
3185553519527ae7613eb80e9ead2874b0d7cce0bff2a75bdfad945709dd9043

SHA512
933943b152684c5b4aba6d326100fa2d99c56966139ebc4abae690a93bb4dec4fc2229c9f042c979d40d1250006f91424fc9a005659e336df9e9d99a419b8755

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\resource.xml

Filesize
1KB

MD5
93a100713ff56b66e15f984d3100aab7

SHA1
4ffb9e5c0d7687a38cc9b9f767bd4b9d4a325656

SHA256
0c80edf0d6699061728f917d731ea29e7ad3c7f2ea067d4510a01369255cbd26

SHA512
df8b5e56e9dcf0c3e4737e8ab878a4182c757d731f8e893c0285fa5e5d89faec75f4f1f0e8fbf2d502a28632410198ae6dfed82ac5a593d23cf5c2bd59c3c4fc

Download Submit
C:\ProgramData\{0482906F-92EB-6EE9-44E0-8924BCBAD1D2}\wlidsvcconfig.xml

Filesize
12KB

MD5
f9f25c79e2df9c8c8209b5d052a557b0

SHA1
2d4a14e2df96245a599bacb530e396c2900a5b61

SHA256
385214231d70603caaf00c1f2e9f115be35cc603d289dd878069f9933aa591b5

SHA512
7c9d68d4f96cef25f4703fe4db68fda9689308df759ef05666421c74f0e57b4c25fa8d1c6cf9e5a6a0e9a81d230669b8656279076e60ebfd1ba5b56770fa4ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ryfererfh.tmp

Filesize
817KB

MD5
0a6c58fc386c9a4d7d43b809447f3eac

SHA1
b07d0ae1180e21bf79b3b720d9e03e2b7982972d

SHA256
d71c0aaec63294fb11af30ff408e94b5fff656149da01e3f7a97e3026580d5c2

SHA512
e2d08ae110f30257daa9341d1e3c91d6c50f6b32107d1e1ca0badcce872d09ac3d3a3998f26b1f93c3b1937317ce5ea240652d1b784c5a4d2e30273c19a9b6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ryfererfh.tmp

Filesize
817KB

MD5
0a6c58fc386c9a4d7d43b809447f3eac

SHA1
b07d0ae1180e21bf79b3b720d9e03e2b7982972d

SHA256
d71c0aaec63294fb11af30ff408e94b5fff656149da01e3f7a97e3026580d5c2

SHA512
e2d08ae110f30257daa9341d1e3c91d6c50f6b32107d1e1ca0badcce872d09ac3d3a3998f26b1f93c3b1937317ce5ea240652d1b784c5a4d2e30273c19a9b6ad

Download Submit
\??\c:\program files (x86)\microsoft\temp\back-arrow-hover.dll

Filesize
817KB

MD5
04944752e093ced72012cecb1b2889f7

SHA1
2c7f25b9350038f36f286a9a8d49ded89260b9ed

SHA256
6b778fca7bdee2c754108987ec7c085a4e30c707ac7ac71290c2f2c920bfde25

SHA512
49126d797a1ad6c24941744012d22d51bde409914b56b7d631e34cb85e8dc012f34ab61ca1cd9ca675fed868b12a7cb2dc073c4afd3de7a5f9bd3b01cae7bfc9

Download Submit
memory/1940-148-0x000001BFB9F90000-0x000001BFBA0D0000-memory.dmp

Filesize
1.2MB

Download
memory/1940-151-0x000001BFB8540000-0x000001BFB87EA000-memory.dmp

Filesize
2.7MB

Download
memory/1940-150-0x00000000001C0000-0x0000000000459000-memory.dmp

Filesize
2.6MB

Download
memory/1940-149-0x000001BFB9F90000-0x000001BFBA0D0000-memory.dmp

Filesize
1.2MB

Download
memory/2120-152-0x0000000005F30000-0x0000000006A8A000-memory.dmp

Filesize
11.4MB

Download
memory/2120-140-0x0000000005F30000-0x0000000006A8A000-memory.dmp

Filesize
11.4MB

Download
memory/2120-139-0x0000000005F30000-0x0000000006A8A000-memory.dmp

Filesize
11.4MB

Download
memory/2120-142-0x0000000004160000-0x00000000042A0000-memory.dmp

Filesize
1.2MB

Download
memory/2120-141-0x0000000004160000-0x00000000042A0000-memory.dmp

Filesize
1.2MB

Download
memory/2120-146-0x0000000004160000-0x00000000042A0000-memory.dmp

Filesize
1.2MB

Download
memory/2120-145-0x0000000004160000-0x00000000042A0000-memory.dmp

Filesize
1.2MB

Download
memory/2120-144-0x0000000004160000-0x00000000042A0000-memory.dmp

Filesize
1.2MB

Download
memory/2120-143-0x0000000004160000-0x00000000042A0000-memory.dmp

Filesize
1.2MB

Download
memory/2856-173-0x0000000004F90000-0x0000000005AEA000-memory.dmp

Filesize
11.4MB

Download
memory/2856-172-0x0000000004F90000-0x0000000005AEA000-memory.dmp

Filesize
11.4MB

Download
memory/4024-174-0x0000000003CC0000-0x000000000481A000-memory.dmp

Filesize
11.4MB

Download
memory/4024-156-0x0000000003CC0000-0x000000000481A000-memory.dmp

Filesize
11.4MB

Download
memory/4024-171-0x0000000003CC0000-0x000000000481A000-memory.dmp

Filesize
11.4MB

Download
memory/4936-138-0x0000000000400000-0x0000000002C86000-memory.dmp

Filesize
40.5MB

Download
memory/4936-135-0x00000000049D1000-0x0000000004ABA000-memory.dmp

Filesize
932KB

Download
memory/4936-136-0x0000000004AE0000-0x0000000004C0C000-memory.dmp

Filesize
1.2MB

Download
memory/4936-137-0x0000000000400000-0x0000000002C86000-memory.dmp

Filesize
40.5MB

Download