51bd28ff2064535a3e91fe425dfb49ed48e364a37525af9b5e5e65523e1d1145

Analysis

max time kernel
135s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2023 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51bd28ff2064535a3e91fe425dfb49ed48e364a37525af9b5e5e65523e1d1145.exe
Size

3.7MB
MD5

1b8fcbd3a720af02aad4f568669a2344
SHA1

4e1b76abae27ce57cd9c643cbd4920706c3aa919
SHA256

51bd28ff2064535a3e91fe425dfb49ed48e364a37525af9b5e5e65523e1d1145
SHA512

ae235fc95656d82eaaa8ac184a73b1a1571a1f1b4a7ca88f2e3c952a639170dafd36ecbd0bcfeffdf60ef9067b03835d8e560124221ae05a76ef1623a49b6a97
SSDEEP

98304:tAfk8UZPH1z5M7QrmiFuvs7FmVh+vt6WuTjv/71h9fj:aCM0rmiFuvkfvl0jvj9f

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

11 1380 rundll32.exe
12 1380 rundll32.exe
41 1380 rundll32.exe
43 1380 rundll32.exe

flow	pid	process
11	1380	rundll32.exe
12	1380	rundll32.exe
41	1380	rundll32.exe
43	1380	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\reviews_sent\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\reviews_sent.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\reviews_sent\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\reviews_sent.dll椀"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\reviews_sent\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

1380 rundll32.exe
2300 svchost.exe
2912 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1380	rundll32.exe
2300	svchost.exe
2912	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1380 set thread context of 1312 1380 rundll32.exe rundll32.exe

description	pid	process	target process
PID 1380 set thread context of 1312	1380	rundll32.exe	rundll32.exe

Drops file in Program Files directory 13 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\reviews_sent.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\natives_blob.bin	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\AcroRd32Info.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\CPDF_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ahclient.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\s_filetype_xd.svg	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\export.svg	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5084 3612 WerFault.exe 51bd28ff2064535a3e91fe425dfb49ed48e364a37525af9b5e5e65523e1d1145.exe

pid	pid_target	process	target process
5084	3612	WerFault.exe	51bd28ff2064535a3e91fe425dfb49ed48e364a37525af9b5e5e65523e1d1145.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

svchost.exerundll32.exe

pid	process
2300	svchost.exe
2300	svchost.exe
1380	rundll32.exe
1380	rundll32.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe
2300	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 1380 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1312 rundll32.exe
1380 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1380	rundll32.exe

pid	process
1312	rundll32.exe
1380	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

51bd28ff2064535a3e91fe425dfb49ed48e364a37525af9b5e5e65523e1d1145.exerundll32.exesvchost.exe

description	pid	process	target process
PID 3612 wrote to memory of 1380	3612	51bd28ff2064535a3e91fe425dfb49ed48e364a37525af9b5e5e65523e1d1145.exe	rundll32.exe
PID 3612 wrote to memory of 1380	3612	51bd28ff2064535a3e91fe425dfb49ed48e364a37525af9b5e5e65523e1d1145.exe	rundll32.exe
PID 3612 wrote to memory of 1380	3612	51bd28ff2064535a3e91fe425dfb49ed48e364a37525af9b5e5e65523e1d1145.exe	rundll32.exe
PID 1380 wrote to memory of 1312	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 1312	1380	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 1312	1380	rundll32.exe	rundll32.exe
PID 2300 wrote to memory of 2912	2300	svchost.exe	rundll32.exe
PID 2300 wrote to memory of 2912	2300	svchost.exe	rundll32.exe
PID 2300 wrote to memory of 2912	2300	svchost.exe	rundll32.exe
PID 1380 wrote to memory of 2896	1380	rundll32.exe	schtasks.exe
PID 1380 wrote to memory of 2896	1380	rundll32.exe	schtasks.exe
PID 1380 wrote to memory of 2896	1380	rundll32.exe	schtasks.exe
PID 1380 wrote to memory of 4668	1380	rundll32.exe	schtasks.exe
PID 1380 wrote to memory of 4668	1380	rundll32.exe	schtasks.exe
PID 1380 wrote to memory of 4668	1380	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\51bd28ff2064535a3e91fe425dfb49ed48e364a37525af9b5e5e65523e1d1145.exe
"C:\Users\Admin\AppData\Local\Temp\51bd28ff2064535a3e91fe425dfb49ed48e364a37525af9b5e5e65523e1d1145.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll,start
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1380

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24019
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1312

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2896

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4668

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4596

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2924

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4180

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 412
2⤵
- Program crash
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3612 -ip 3612
1⤵
PID:1460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2352

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows photo viewer\en-us\reviews_sent.dll",akEpOTVN
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:2912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\en-US\reviews_sent.dll
Filesize
4.2MB

MD5
e8d0c4e95cbea6580932e7848579cc86

SHA1
a5c0d7edccaecd3fb3217f8c34954f4870d010c9

SHA256
1252f7979f69eab83088b4cd4248f8241e98977d98498e610ee0635af90c8aa5

SHA512
de57286fe2dcce80dced8c4a45ebf81a5b3ecd2915d97345e0ee5b5ab52dcc7fe7c84bd8be71cce37699fb8b1f7b3c82595c5cdc6af198d74a97fc6864150944

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\reviews_sent.dll
Filesize
4.2MB

MD5
e8d0c4e95cbea6580932e7848579cc86

SHA1
a5c0d7edccaecd3fb3217f8c34954f4870d010c9

SHA256
1252f7979f69eab83088b4cd4248f8241e98977d98498e610ee0635af90c8aa5

SHA512
de57286fe2dcce80dced8c4a45ebf81a5b3ecd2915d97345e0ee5b5ab52dcc7fe7c84bd8be71cce37699fb8b1f7b3c82595c5cdc6af198d74a97fc6864150944

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch
Filesize
110B

MD5
37a1115747e63e1c0ead2c66301f22d3

SHA1
44339aa5b475ecc2669a69fa1850ffcbf6fc666e

SHA256
9496889b2cbda0bcb85b8ef91dc323107702c214ee37a7c1057b8fc9c8874589

SHA512
6ecc4b9f1d08bccc3f1ae111391e83b8a1ae3788f532ae3afac5ed91823891aaf6a56385e3856910730d312d5374c779bdab7760d82a685ee99c077a3180357d

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml
Filesize
15KB

MD5
c79d743dc754585c49ffc41a15c33c71

SHA1
15df899dde702aa45be8f2fdc936cc03cf3d3016

SHA256
5aa9e0d9f982ffa00c39ee9070a398e64f33959181ebfe9d2ee497f59ea10c12

SHA512
5ba9c252c91bce7d9e6dbdc64c513e4aa6a9938502ff4c08dcf47025e03625d933aedbc0ca55ad6145fc6f86a00740edfcf48c58902a843c75e98cdf1af487a6

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
6c2429d1fdb4a93ebca14340b9fb8fb7

SHA1
e757fc9e129850598fff1931d496fb7c7b21d4d6

SHA256
52b30a2b9d6a5c18dd585e3efe81688611b45f649e4e4e2c0543eaaf473f5285

SHA512
bae2b99779cc2ec27a7fcf132ba66bb698c78b01048630fa22116fda906389be66458523efb9634976455b4063f3002ee781eabdf4abfb78ee295ae74927b228

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\Shqhdpq.tmp
Filesize
3.5MB

MD5
88f3b1b2d95273cfc57f080fa615f3d0

SHA1
f34bbddda62ac61e5a2b5bd6cf8a34b3a422c780

SHA256
d4ab102464e55370a87c8755ba2dc3e88f576bc74ebc88373ad59d393e952269

SHA512
10d146088b121084b531c7f6a3529175055861614e52153348ad211e6f41bd1008d783343340ed55efc5592ddb1c176569fdf1b920f210a0d69b211aaa3b5560

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\setup.exe
Filesize
453KB

MD5
96f7cb9f7481a279bd4bc0681a3b993e

SHA1
deaedb5becc6c0bd263d7cf81e0909b912a1afd4

SHA256
d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290

SHA512
694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\wmp.ico
Filesize
110KB

MD5
589ff0b7d4d0d3fced65c3eae6559657

SHA1
4be3e4221a429b347888bbe3635e377271974c7f

SHA256
0e96c027d23a57e95103d1b64e4c5b8a153402f05b756dfcb737459476aaae35

SHA512
4a12bac3f61964d6c5608bbb9067d7673cd5e5a22463f6d16f402954045692f43ef1ea32d405f452d415c859c30b217e9d250a1c5c85cfd629bd393824b6523b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll
Filesize
4.2MB

MD5
909f790d044c03d390bbbbf35b38ac14

SHA1
348440c1b3d2e0f543eb2b3fd57e68bdeed2af10

SHA256
cae757ff3ca7df04765ef5109f5d60833e4e9e217dfbf69db597d5282156ea59

SHA512
8daedd5761df8cee59b94a27666fe115def4d7722b527bc6d90080ee552f5533bd4cb63cbf6bf26361e8a4fc9e59b2cc52bf6889b930ef0f5ae763cd3ed066a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll
Filesize
4.2MB

MD5
909f790d044c03d390bbbbf35b38ac14

SHA1
348440c1b3d2e0f543eb2b3fd57e68bdeed2af10

SHA256
cae757ff3ca7df04765ef5109f5d60833e4e9e217dfbf69db597d5282156ea59

SHA512
8daedd5761df8cee59b94a27666fe115def4d7722b527bc6d90080ee552f5533bd4cb63cbf6bf26361e8a4fc9e59b2cc52bf6889b930ef0f5ae763cd3ed066a5

Download Submit
\??\c:\program files (x86)\windows photo viewer\en-us\reviews_sent.dll
Filesize
4.2MB

MD5
e8d0c4e95cbea6580932e7848579cc86

SHA1
a5c0d7edccaecd3fb3217f8c34954f4870d010c9

SHA256
1252f7979f69eab83088b4cd4248f8241e98977d98498e610ee0635af90c8aa5

SHA512
de57286fe2dcce80dced8c4a45ebf81a5b3ecd2915d97345e0ee5b5ab52dcc7fe7c84bd8be71cce37699fb8b1f7b3c82595c5cdc6af198d74a97fc6864150944

Download Submit
memory/1312-151-0x0000012651620000-0x00000126518C3000-memory.dmp

Filesize
2.6MB

Download
memory/1312-155-0x0000012651620000-0x00000126518C3000-memory.dmp

Filesize
2.6MB

Download
memory/1312-153-0x0000000000350000-0x00000000005E1000-memory.dmp

Filesize
2.6MB

Download
memory/1312-150-0x0000012653070000-0x00000126531B0000-memory.dmp

Filesize
1.2MB

Download
memory/1312-152-0x0000012653070000-0x00000126531B0000-memory.dmp

Filesize
1.2MB

Download
memory/1312-148-0x00007FF6D52C6890-mapping.dmp

Download
memory/1380-149-0x00000000044C9000-0x00000000044CB000-memory.dmp

Filesize
8KB

Download
memory/1380-141-0x0000000003840000-0x000000000438E000-memory.dmp

Filesize
11.3MB

Download
memory/1380-147-0x0000000004450000-0x0000000004590000-memory.dmp

Filesize
1.2MB

Download
memory/1380-146-0x0000000004450000-0x0000000004590000-memory.dmp

Filesize
1.2MB

Download
memory/1380-145-0x0000000004450000-0x0000000004590000-memory.dmp

Filesize
1.2MB

Download
memory/1380-154-0x0000000003840000-0x000000000438E000-memory.dmp

Filesize
11.3MB

Download
memory/1380-144-0x0000000004450000-0x0000000004590000-memory.dmp

Filesize
1.2MB

Download
memory/1380-135-0x0000000000000000-mapping.dmp

Download
memory/1380-142-0x0000000004450000-0x0000000004590000-memory.dmp

Filesize
1.2MB

Download
memory/1380-143-0x0000000004450000-0x0000000004590000-memory.dmp

Filesize
1.2MB

Download
memory/1380-140-0x0000000003840000-0x000000000438E000-memory.dmp

Filesize
11.3MB

Download
memory/1380-139-0x0000000003840000-0x000000000438E000-memory.dmp

Filesize
11.3MB

Download
memory/1924-179-0x0000000000000000-mapping.dmp

Download
memory/2300-175-0x0000000002230000-0x0000000002D7E000-memory.dmp

Filesize
11.3MB

Download
memory/2300-164-0x0000000002230000-0x0000000002D7E000-memory.dmp

Filesize
11.3MB

Download
memory/2300-166-0x0000000002230000-0x0000000002D7E000-memory.dmp

Filesize
11.3MB

Download
memory/2300-165-0x0000000002230000-0x0000000002D7E000-memory.dmp

Filesize
11.3MB

Download
memory/2896-173-0x0000000000000000-mapping.dmp

Download
memory/2912-170-0x0000000002EB0000-0x00000000039FE000-memory.dmp

Filesize
11.3MB

Download
memory/2912-169-0x0000000002EB0000-0x00000000039FE000-memory.dmp

Filesize
11.3MB

Download
memory/2912-167-0x0000000000000000-mapping.dmp

Download
memory/2912-171-0x0000000002EB0000-0x00000000039FE000-memory.dmp

Filesize
11.3MB

Download
memory/2912-172-0x0000000002EB0000-0x00000000039FE000-memory.dmp

Filesize
11.3MB

Download
memory/2924-177-0x0000000000000000-mapping.dmp

Download
memory/3612-133-0x0000000002BA0000-0x0000000003076000-memory.dmp

Filesize
4.8MB

Download
memory/3612-134-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3612-138-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3612-132-0x000000000281E000-0x0000000002B96000-memory.dmp

Filesize
3.5MB

Download
memory/4180-178-0x0000000000000000-mapping.dmp

Download
memory/4596-176-0x0000000000000000-mapping.dmp

Download
memory/4668-174-0x0000000000000000-mapping.dmp

Download