Analysis
max time kernel: 115s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-01-2023 10:17

Static task: static1

Behavioral task: behavioral1
Sample: 308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe
Resource: win10v2004-20220901-en

General
Target: 308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe
Size: 210KB
MD5: e9090853ebfa9e70a1e0fab65e348bd5
SHA1: eba6b6894ec013d8cc4ce791150de1be61ec9fe0
SHA256: 308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb
SHA512: 5afd7ca05af9c92c699b33bc4c7e5530cd8b44b5fdaf35b442981ae716b77c74ec0346a0ca452e796a2f2a73227ed6d60827f85368632b36a898b95c7c2a3f3c
SSDEEP: 3072:CYXDd+LSr8Gyd5BsGBbzSUOjsw9YptAf6loqZuT8ti:CsWSRPcSUKYptccodT8
Malware Config
Extracted
lumma
77.73.134.68
Signatures

Detects Smokeloader packer (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/796-133-0x0000000002E30000-0x0000000002E39000-memory.dmp | family_smokeloader
behavioral2/memory/796-137-0x0000000002E30000-0x0000000002E39000-memory.dmp | family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.

Blocklisted process makes network request (4 IoCs)
Processes:
flow | pid | process
46 | 3312 | rundll32.exe
48 | 3312 | rundll32.exe
62 | 3312 | rundll32.exe
68 | 3312 | rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
Processes:
pid | process
2704 | 3F7A.exe
1060 | 7502.exe

Sets DLL path for service in the registry (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Edit_R_Exp_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Edit_R_Exp_RHP..dll耀" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Edit_R_Exp_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Edit_R_Exp_RHP..dll" | rundll32.exe

Sets service image path in registry (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Edit_R_Exp_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | rundll32.exe

Loads dropped DLL (3 IoCs)
Processes:
pid | process
3312 | rundll32.exe
676 | svchost.exe
1248 | rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | rundll32.exe

Accesses Microsoft Outlook profiles (1 TTP, 4 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 3312 set thread context of 4080 | 3312 | rundll32.exe | rundll32.exe

Drops file in Program Files directory (12 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\FillSign.aapp | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP..dll | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook.png | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\CollectSignatures.aapp | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\init.js | rundll32.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner_int.gif | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png | rundll32.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeLinguistic.dll | rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
Processes:
pid | pid_target | process | target process
3752 | 2704 | WerFault.exe | 3F7A.exe
752 | 1060 | WerFault.exe | 7502.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe

Checks processor information in registry (2 TTPs, 64 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | svchost.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
796 | 308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe
796 | 308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe
652 | (no process name recorded; this pid accounts for the remaining 62 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | process
652 | (no process name recorded)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
pid | process
796 | 308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe

Suspicious use of AdjustPrivilegeToken (31 IoCs)
Processes:
description | pid | process
Token: SeShutdownPrivilege | 652
Token: SeCreatePagefilePrivilege | 652
Token: SeShutdownPrivilege | 652
Token: SeCreatePagefilePrivilege | 652
Token: SeDebugPrivilege | 3312 | rundll32.exe
Token: SeShutdownPrivilege | 652
Token: SeCreatePagefilePrivilege | 652
Token: SeShutdownPrivilege | 652
Token: SeCreatePagefilePrivilege | 652
Token: SeShutdownPrivilege | 652
Token: SeCreatePagefilePrivilege | 652
Token: SeShutdownPrivilege | 652
Token: SeCreatePagefilePrivilege | 652
Token: SeShutdownPrivilege | 652
Token: SeCreatePagefilePrivilege | 652
Token: SeShutdownPrivilege | 652
Token: SeCreatePagefilePrivilege | 652
Token: SeShutdownPrivilege | 652
Token: SeCreatePagefilePrivilege | 652
Token: SeShutdownPrivilege | 652
Token: SeCreatePagefilePrivilege | 652
Token: SeShutdownPrivilege | 652
Token: SeCreatePagefilePrivilege | 652
Token: SeShutdownPrivilege | 652
Token: SeCreatePagefilePrivilege | 652
Token: SeShutdownPrivilege | 652
Token: SeCreatePagefilePrivilege | 652
Token: SeShutdownPrivilege | 652
Token: SeCreatePagefilePrivilege | 652
Token: SeShutdownPrivilege | 652
Token: SeCreatePagefilePrivilege | 652

Suspicious use of FindShellTrayWindow (15 IoCs)
Processes:
pid | process
4080 | rundll32.exe
652
652
652
652
3312 | rundll32.exe
652
652
652
652
3312 | rundll32.exe
3312 | rundll32.exe
3312 | rundll32.exe
3312 | rundll32.exe
3312 | rundll32.exe

Suspicious use of UnmapMainImage (1 IoC)
Processes:
pid | process
652 | (no process name recorded)

Suspicious use of WriteProcessMemory (51 IoCs)
Processes:
description | pid | process | target process
(each row below is recorded three times in the report; the process column is empty where the report names no process)
PID 652 wrote to memory of 2704 | 652 | | 3F7A.exe
PID 2704 wrote to memory of 3312 | 2704 | 3F7A.exe | rundll32.exe
PID 652 wrote to memory of 1060 | 652 | | 7502.exe
PID 676 wrote to memory of 1248 | 676 | svchost.exe | rundll32.exe
PID 3312 wrote to memory of 4080 | 3312 | rundll32.exe | rundll32.exe
PID 3312 wrote to memory of 3432 | 3312 | rundll32.exe | schtasks.exe
PID 3312 wrote to memory of 1372 | 3312 | rundll32.exe | schtasks.exe
PID 3312 wrote to memory of 4680 | 3312 | rundll32.exe | schtasks.exe
PID 3312 wrote to memory of 1560 | 3312 | rundll32.exe | schtasks.exe
PID 3312 wrote to memory of 2392 | 3312 | rundll32.exe | schtasks.exe
PID 3312 wrote to memory of 5108 | 3312 | rundll32.exe | schtasks.exe
PID 3312 wrote to memory of 3824 | 3312 | rundll32.exe | schtasks.exe
PID 3312 wrote to memory of 4000 | 3312 | rundll32.exe | schtasks.exe
PID 3312 wrote to memory of 2364 | 3312 | rundll32.exe | schtasks.exe
PID 3312 wrote to memory of 4256 | 3312 | rundll32.exe | schtasks.exe
PID 3312 wrote to memory of 2608 | 3312 | rundll32.exe | schtasks.exe
PID 3312 wrote to memory of 1840 | 3312 | rundll32.exe | schtasks.exe

outlook_office_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe

outlook_win_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Processes
(indentation follows the report's nesting level; the level is given after each image path)

C:\Users\Admin\AppData\Local\Temp\308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\308f667ab1a53edbd74dcdef98fdb8c69d3c2d0a3ce8d55c9f18f5e928674abb.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\3F7A.exe (level 1)
  command line: C:\Users\Admin\AppData\Local\Temp\3F7A.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (level 2)
    command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
    - Blocklisted process makes network request
    - Sets DLL path for service in the registry
    - Sets service image path in registry
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

    C:\Windows\system32\rundll32.exe (level 3)
      command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18677
      - Suspicious use of FindShellTrayWindow

    C:\Windows\SysWOW64\schtasks.exe (level 3; 22 invocations, alternating between the two command lines below, 11 of each)
      command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

  C:\Windows\SysWOW64\WerFault.exe (level 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 288
    - Program crash

C:\Windows\SysWOW64\WerFault.exe (level 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2704 -ip 2704

C:\Users\Admin\AppData\Local\Temp\7502.exe (level 1)
  command line: C:\Users\Admin\AppData\Local\Temp\7502.exe
  - Executes dropped EXE

  C:\Windows\SysWOW64\WerFault.exe (level 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1360
    - Program crash

C:\Windows\SysWOW64\WerFault.exe (level 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1060 -ip 1060

C:\Windows\SysWOW64\svchost.exe (level 1)
  command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (level 2)
    command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\edit_r_exp_rhp..dll",SiAqSE1OSQ==
    - Loads dropped DLL
    - Checks processor information in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP..dll
  Filesize: 774KB
  MD5: 32614e6da6a653bbc160ba14ec81b7df
  SHA1: 8d6f97828a0b66fd7f2c964b62552673efe4567a
  SHA256: 620a0f7ae3423773ded2ac3b62203e446e65ddccda425937436a746952906284
  SHA512: bf8b062a03fbc69542c29aa1e4da71eff3e78004c5e720153a0de7578e1ddee99ccd0dd2b46e48cfc1e753fbe36f9e4ab4f0817ba541b1fc249c6c6ea55390d2

C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP..dll
  Filesize: 774KB
  MD5: 32614e6da6a653bbc160ba14ec81b7df
  SHA1: 8d6f97828a0b66fd7f2c964b62552673efe4567a
  SHA256: 620a0f7ae3423773ded2ac3b62203e446e65ddccda425937436a746952906284
  SHA512: bf8b062a03fbc69542c29aa1e4da71eff3e78004c5e720153a0de7578e1ddee99ccd0dd2b46e48cfc1e753fbe36f9e4ab4f0817ba541b1fc249c6c6ea55390d2

C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\DiagnosticLogCSP_Collector_DeviceProvisioning_2022_9_1_10_58_57.etl
  Filesize: 256KB
  MD5: 14bf75c4c6eade0702d34bdc48a80e81
  SHA1: b1e52e86dd4dbd86448fa94895bc48959c361892
  SHA256: c2ea048057c3c9eb78ad8653a1731aac2dd848a2410842ef69c44874a9e2a8cd
  SHA512: 2c7c6a0abc5c59c0705be9c09cf28122ea93bc8557848fbea6e79ad0b078f92817c0bc81fc2e70dbc3c5ea2713edc777ece360f997d5da17b2873d3bc2dbc8e0

C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe.xml
  Filesize: 27KB
  MD5: 539930de67b99bab23fe2c67000eeddb
  SHA1: 6b0e5ece46ecb0b019ec71caa44facf122647059
  SHA256: 2f578443ca2045e8432f4a39bcd367ae343405e8daf368dff91e9198fa1a658c
  SHA512: ddddcd7011ad0fb53fc816056a6df2045a7956158c009d8a708eafd0b2eaeccc55a847c96894ee04542315cec373165efc0e331da6316ceb9e5768f8861946ce

C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\MicrosoftOffice2016BackupWin32.xml
  Filesize: 12KB
  MD5: ffbc41d3c63bccdca27c2c88ab0e85c4
  SHA1: f3923962734058dc0b91515b2981d1eb33f8a8dd
  SHA256: caf2eef3b42d36b4d6d4a24597557a7feada559e99abedb56287248286531dea
  SHA512: 9da5dd978c9faa7de1552117207fb694e97f895b054a457ffe0b9444251e7203774b142ee558317136dd8f240c12f7309b137eb930417c181c404f8318a3f8fa

C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\Uqioyhuair.tmp
  Filesize: 3.5MB
  MD5: 3907e89709593c980f31293e7ae04e44
  SHA1: d969bc2d647a2cd7af281024f4b068fca46e6975
  SHA256: aca97127d5c34564c9ace879fd9e1341fa2bde9a6fac4e697370d449ff06f871
  SHA512: 1e586dd27fdecc8838682620f70ad21b50507ee11ec812c41394c80d47cd192215ab5eb385f21ca0399de5bdbc0d027a1e96ee388e4b7be06832d80cbc844e70

C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\settings.ico
  Filesize: 66KB
  MD5: 4896c2ad8ca851419425b06ec0fd95f2
  SHA1: 7d52e9355998f1b4487f8ef2b1b3785dec35d981
  SHA256: 1160a3a774b52f07453bde44755fbf76a8b1534c5ade19402f05857c249056b3
  SHA512: 271f40a273bc98738d450a8585cc84d097d88bbb6417fd20b4417d31b4e19b1b8fe860d044f70a3e4096588b9615c8cc588b1cab651ab1b4320d7ce1d74eb8f2

C:\ProgramData\{AD22A7C3-A288-2107-49C0-5B9511BAC117}\wlidsvcconfig.xml
  Filesize: 12KB
  MD5: f9f25c79e2df9c8c8209b5d052a557b0
  SHA1: 2d4a14e2df96245a599bacb530e396c2900a5b61
  SHA256: 385214231d70603caaf00c1f2e9f115be35cc603d289dd878069f9933aa591b5
  SHA512: 7c9d68d4f96cef25f4703fe4db68fda9689308df759ef05666421c74f0e57b4c25fa8d1c6cf9e5a6a0e9a81d230669b8656279076e60ebfd1ba5b56770fa4ca2

C:\Users\Admin\AppData\Local\Temp\3F7A.exe
  Filesize: 1.1MB
  MD5: d631960cf949a89bbfb090d01a7059c2
  SHA1: 2ad73edbd36975a6c15a9c21468b31bb6e89cc4f
  SHA256: 551b73473fba25f065f6de4197b8d8f3555fe7a54c0256d284b10e46622fc1ff
  SHA512: 5bc0b8ec5086ff8abc43c4c2a474a4ab50e3c0c20ec0be046bb45a66dbb1a2c0456f8cdcde82eedb666b1ac33770d4f0a21b54f5c7931012a314e53ec51f5726

C:\Users\Admin\AppData\Local\Temp\3F7A.exe
  Filesize: 1.1MB
  MD5: d631960cf949a89bbfb090d01a7059c2
  SHA1: 2ad73edbd36975a6c15a9c21468b31bb6e89cc4f
  SHA256: 551b73473fba25f065f6de4197b8d8f3555fe7a54c0256d284b10e46622fc1ff
  SHA512: 5bc0b8ec5086ff8abc43c4c2a474a4ab50e3c0c20ec0be046bb45a66dbb1a2c0456f8cdcde82eedb666b1ac33770d4f0a21b54f5c7931012a314e53ec51f5726

C:\Users\Admin\AppData\Local\Temp\7502.exe
  Filesize: 276KB
  MD5: 4c9333550914da09caa6121c2d5b0712
  SHA1: e5487bf23307c6db60ba56b84815052a6f97a662
  SHA256: 5d359d437372dee4a4708133fde69dfcf9f16e2ddc2f21c1864019a70a9e3ebc
  SHA512: 1efa054b591ec674b390af8f3cb0a25f83b448e028d848da62c5f2c1d1fa631d3242eaddb2111ac39865f87a3825edcd59e4bfd4fbf2780549c0c918a08d1b7c

C:\Users\Admin\AppData\Local\Temp\7502.exe
  Filesize: 276KB
  MD5: 4c9333550914da09caa6121c2d5b0712
  SHA1: e5487bf23307c6db60ba56b84815052a6f97a662
  SHA256: 5d359d437372dee4a4708133fde69dfcf9f16e2ddc2f21c1864019a70a9e3ebc
  SHA512: 1efa054b591ec674b390af8f3cb0a25f83b448e028d848da62c5f2c1d1fa631d3242eaddb2111ac39865f87a3825edcd59e4bfd4fbf2780549c0c918a08d1b7c

C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
  Filesize: 774KB
  MD5: e06fb66bfbe1444cc091f0297b8d32db
  SHA1: c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af
  SHA256: b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d
  SHA512: c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
  Filesize: 774KB
  MD5: e06fb66bfbe1444cc091f0297b8d32db
  SHA1: c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af
  SHA256: b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d
  SHA512: c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

\??\c:\program files (x86)\windowspowershell\modules\edit_r_exp_rhp..dll
  Filesize: 774KB
  MD5: 32614e6da6a653bbc160ba14ec81b7df
  SHA1: 8d6f97828a0b66fd7f2c964b62552673efe4567a
  SHA256: 620a0f7ae3423773ded2ac3b62203e446e65ddccda425937436a746952906284
  SHA512: bf8b062a03fbc69542c29aa1e4da71eff3e78004c5e720153a0de7578e1ddee99ccd0dd2b46e48cfc1e753fbe36f9e4ab4f0817ba541b1fc249c6c6ea55390d2
memory/676-186-0x0000000003EC0000-0x0000000004A15000-memory.dmp  Filesize: 11.3MB
memory/676-162-0x0000000003EC0000-0x0000000004A15000-memory.dmp  Filesize: 11.3MB
memory/676-163-0x0000000003EC0000-0x0000000004A15000-memory.dmp  Filesize: 11.3MB
memory/796-135-0x0000000002EC8000-0x0000000002ED9000-memory.dmp  Filesize: 68KB
memory/796-136-0x0000000000400000-0x0000000002B9D000-memory.dmp  Filesize: 39.6MB
memory/796-132-0x0000000002EC8000-0x0000000002ED9000-memory.dmp  Filesize: 68KB
memory/796-134-0x0000000000400000-0x0000000002B9D000-memory.dmp  Filesize: 39.6MB
memory/796-133-0x0000000002E30000-0x0000000002E39000-memory.dmp  Filesize: 36KB
memory/796-137-0x0000000002E30000-0x0000000002E39000-memory.dmp  Filesize: 36KB
memory/1060-151-0x00000000005A0000-0x00000000005CA000-memory.dmp  Filesize: 168KB
memory/1060-152-0x0000000000400000-0x000000000044B000-memory.dmp  Filesize: 300KB
memory/1060-150-0x000000000060D000-0x0000000000627000-memory.dmp  Filesize: 104KB
memory/1060-155-0x0000000000400000-0x000000000044B000-memory.dmp  Filesize: 300KB
memory/1060-147-0x0000000000000000-mapping.dmp
memory/1248-169-0x0000000000000000-mapping.dmp
memory/1248-177-0x00000000050B0000-0x0000000005C05000-memory.dmp  Filesize: 11.3MB
memory/1248-183-0x00000000050B0000-0x0000000005C05000-memory.dmp  Filesize: 11.3MB
memory/1248-171-0x00000000050B0000-0x0000000005C05000-memory.dmp  Filesize: 11.3MB
memory/1372-185-0x0000000000000000-mapping.dmp
memory/1560-190-0x0000000000000000-mapping.dmp
memory/1840-198-0x0000000000000000-mapping.dmp
memory/1880-208-0x0000000000000000-mapping.dmp
memory/2036-201-0x0000000000000000-mapping.dmp
memory/2364-195-0x0000000000000000-mapping.dmp
memory/2392-191-0x0000000000000000-mapping.dmp
memory/2520-205-0x0000000000000000-mapping.dmp
memory/2608-197-0x0000000000000000-mapping.dmp
memory/2704-202-0x0000000000000000-mapping.dmp
memory/2704-144-0x0000000002266000-0x000000000234F000-memory.dmp  Filesize: 932KB
memory/2704-145-0x0000000002350000-0x000000000247E000-memory.dmp  Filesize: 1.2MB
memory/2704-146-0x0000000000400000-0x0000000000530000-memory.dmp  Filesize: 1.2MB
memory/2704-138-0x0000000000000000-mapping.dmp
memory/2936-203-0x0000000000000000-mapping.dmp
memory/3040-204-0x0000000000000000-mapping.dmp
memory/3312-173-0x0000000005600000-0x0000000005740000-memory.dmp  Filesize: 1.2MB
memory/3312-156-0x0000000005600000-0x0000000005740000-memory.dmp  Filesize: 1.2MB
memory/3312-157-0x0000000005600000-0x0000000005740000-memory.dmp  Filesize: 1.2MB
memory/3312-161-0x00000000048D0000-0x0000000005425000-memory.dmp  Filesize: 11.3MB
memory/3312-180-0x000000000567F000-0x0000000005681000-memory.dmp  Filesize: 8KB
memory/3312-175-0x0000000005600000-0x0000000005740000-memory.dmp  Filesize: 1.2MB
memory/3312-187-0x000000000567F000-0x0000000005681000-memory.dmp  Filesize: 8KB
memory/3312-174-0x0000000005600000-0x0000000005740000-memory.dmp  Filesize: 1.2MB
memory/3312-154-0x00000000048D0000-0x0000000005425000-memory.dmp  Filesize: 11.3MB
memory/3312-153-0x00000000048D0000-0x0000000005425000-memory.dmp  Filesize: 11.3MB
memory/3312-141-0x0000000000000000-mapping.dmp
memory/3312-172-0x0000000005600000-0x0000000005740000-memory.dmp  Filesize: 1.2MB
memory/3432-184-0x0000000000000000-mapping.dmp
memory/3824-193-0x0000000000000000-mapping.dmp
memory/4000-194-0x0000000000000000-mapping.dmp
memory/4016-206-0x0000000000000000-mapping.dmp
memory/4080-188-0x00000235877C0000-0x0000023587A75000-memory.dmp  Filesize: 2.7MB
memory/4080-176-0x00007FF621C56890-mapping.dmp
memory/4080-178-0x0000023589220000-0x0000023589360000-memory.dmp  Filesize: 1.2MB
memory/4080-181-0x00000000004D0000-0x0000000000774000-memory.dmp  Filesize: 2.6MB
memory/4080-179-0x0000023589220000-0x0000023589360000-memory.dmp  Filesize: 1.2MB
memory/4080-182-0x00000235877C0000-0x0000023587A75000-memory.dmp  Filesize: 2.7MB
memory/4248-207-0x0000000000000000-mapping.dmp
memory/4256-196-0x0000000000000000-mapping.dmp
memory/4288-200-0x0000000000000000-mapping.dmp
memory/4680-189-0x0000000000000000-mapping.dmp
memory/4992-199-0x0000000000000000-mapping.dmp
memory/5108-192-0x0000000000000000-mapping.dmp