Analysis

max time kernel:   139s
max time network:  152s
platform:          windows10-2004_x64
resource:          win10v2004-20221111-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted:         06-02-2023 20:23

Static task:       static1
Behavioral task:   behavioral1
Sample:            0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exe
Resource:          win10v2004-20221111-en
General

Target:  0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exe
Size:    3.7MB
MD5:     4d48f11f0abc973ab3acf12de2211865
SHA1:    53c161c0be82c5c592f843341a5ed64fd9cd7aef
SHA256:  0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558
SHA512:  cb50822e5c5543ec6ae96375277c62e6cadb69f250ac4e3bd3d7e9480d22eabcbdf02bd2ea1f69d4c70767b34ba7b94fb07bdcd17bc0d3e662822c9fa26dcfc9
SSDEEP:  98304:oANvCTRrDO3++95Kz5dPGC9lO9MrYsD1gsGuLsj:gVHOh9gXGkmM8Td
Malware Config
Signatures

Blocklisted process makes network request (3 IoCs)
Processes: rundll32.exe
  flow  pid   process
  22    3548  rundll32.exe
  45    3548  rundll32.exe
  47    3548  rundll32.exe
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
Processes: rundll32.exe
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Measure.\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Measure..dll"  (rundll32.exe)
Sets service image path in registry (2 TTPs, 1 IoC)
Processes: rundll32.exe
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Measure.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"  (rundll32.exe)
Loads dropped DLL (6 IoCs)
Processes: rundll32.exe, svchost.exe, rundll32.exe
  pid   process
  3548  rundll32.exe
  3548  rundll32.exe
  2168  svchost.exe
  2168  svchost.exe
  3212  rundll32.exe
  3212  rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes: rundll32.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  (rundll32.exe)
Accesses Microsoft Outlook profiles (1 TTP, 4 IoCs)
Processes: rundll32.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  (rundll32.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (rundll32.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (rundll32.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (rundll32.exe)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoC)
Processes: rundll32.exe
  description                            pid   process       target process
  PID 3548 set thread context of 4468    3548  rundll32.exe  rundll32.exe
Drops file in Program Files directory (30 IoCs)
Processes: rundll32.exe
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe  (rundll32.exe)
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png  (rundll32.exe)
  - File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\AcroRd32Info.exe  (rundll32.exe)
  - File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\reflow.api  (rundll32.exe)
  - File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\ccme_asym.dll  (rundll32.exe)
  - File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\Redact_R_RHP.aapp  (rundll32.exe)
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe  (rundll32.exe)
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp  (rundll32.exe)
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api  (rundll32.exe)
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css  (rundll32.exe)
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef.pak  (rundll32.exe)
  - File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\FullTrustNotifier.exe  (rundll32.exe)
  - File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\main-cef-mac.css  (rundll32.exe)
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_asym.dll  (rundll32.exe)
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d  (rundll32.exe)
  - File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\AcroTextExtractor.exe  (rundll32.exe)
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe  (rundll32.exe)
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp  (rundll32.exe)
  - File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\InAppSign.aapp  (rundll32.exe)
  - File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\warning.gif  (rundll32.exe)
  - File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\3difr.x3d  (rundll32.exe)
  - File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\AcroLayoutRecognizer.exe  (rundll32.exe)
  - File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\close_x.png  (rundll32.exe)
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat  (rundll32.exe)
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp  (rundll32.exe)
  - File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\Measure..dll  (rundll32.exe)
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif  (rundll32.exe)
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe  (rundll32.exe)
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif  (rundll32.exe)
  - File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\AppCenter_R.aapp  (rundll32.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
Processes: WerFault.exe
  pid   pid_target  process       target process
  2512  4584        WerFault.exe  0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exe
Checks processor information in registry (2 TTPs, 64 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: rundll32.exe, svchost.exe
Modifies registry class (5 IoCs)
Processes: rundll32.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  (rundll32.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  (rundll32.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings  (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell  (rundll32.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: svchost.exe, rundll32.exe
  pid   process
  2168  svchost.exe
  2168  svchost.exe
  3548  rundll32.exe
  3548  rundll32.exe
  2168  svchost.exe
  2168  svchost.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: rundll32.exe
  description              pid   process
  Token: SeDebugPrivilege  3548  rundll32.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: rundll32.exe, rundll32.exe
  pid   process
  4468  rundll32.exe
  3548  rundll32.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exe, rundll32.exe, svchost.exe
  description                        pid   process                                                                 target process
  PID 4584 wrote to memory of 3548   4584  0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exe   rundll32.exe
  PID 4584 wrote to memory of 3548   4584  0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exe   rundll32.exe
  PID 4584 wrote to memory of 3548   4584  0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exe   rundll32.exe
  PID 3548 wrote to memory of 4468   3548  rundll32.exe                                                            rundll32.exe
  PID 3548 wrote to memory of 4468   3548  rundll32.exe                                                            rundll32.exe
  PID 3548 wrote to memory of 4468   3548  rundll32.exe                                                            rundll32.exe
  PID 2168 wrote to memory of 3212   2168  svchost.exe                                                             rundll32.exe
  PID 2168 wrote to memory of 3212   2168  svchost.exe                                                             rundll32.exe
  PID 2168 wrote to memory of 3212   2168  svchost.exe                                                             rundll32.exe
  PID 3548 wrote to memory of 4012   3548  rundll32.exe                                                            schtasks.exe
  PID 3548 wrote to memory of 4012   3548  rundll32.exe                                                            schtasks.exe
  PID 3548 wrote to memory of 4012   3548  rundll32.exe                                                            schtasks.exe
  PID 3548 wrote to memory of 4864   3548  rundll32.exe                                                            schtasks.exe
  PID 3548 wrote to memory of 4864   3548  rundll32.exe                                                            schtasks.exe
  PID 3548 wrote to memory of 4864   3548  rundll32.exe                                                            schtasks.exe
outlook_office_path (1 IoC)
Processes: rundll32.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (rundll32.exe)
outlook_win_path (1 IoC)
Processes: rundll32.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (rundll32.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll,start
    - Blocklisted process makes network request
    - Sets DLL path for service in the registry
    - Sets service image path in registry
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

    C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23995
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 484
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4584 -ip 4584

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k LocalService
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows photo viewer\en-us\measure..dll",d1wbUVc=
    - Loads dropped DLL
    - Checks processor information in registry
Downloads

C:\Program Files (x86)\Windows Photo Viewer\en-US\Measure..dll
  Filesize: 4.2MB
  MD5:      9e1032079650c9aa4a24199d5526c835
  SHA1:     3faeba4882ddaf3d482727331994f9e3019212e9
  SHA256:   22534e21d8baf06a099d15014b4c11c3bf1793e00ccb16d185ed26d2a93707da
  SHA512:   d63b69f16f9405bcbd5792084a462072560f67e52c54cc64acdd17aed102650bbb80ef387364605336518b56868f79706091e8fef9ece7159c9c212105b2df8a

C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml
  Filesize: 23KB
  MD5:      37cde9afb1540513bd564d71867021e0
  SHA1:     e319abb6093025dccc55618fb407c1182ccdafe7
  SHA256:   516aa640a48752bcadbd46e4f53c0560a1cb379d5366b1c9bb4d0706d1bd040f
  SHA512:   6746350447a6a0424c90571c7cc3442d34af0cb16fa1459bb76b25423f165f474073f1d359462cb805ac376a9d069236d6b7a796332c27253a4807f691292881

C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe.xml
  Filesize: 16KB
  MD5:      4194b927b32c56bb3a5ed72c164c917e
  SHA1:     ec60c6bb8b2d0181408c65b3456b7b3b92cca134
  SHA256:   86d065b6d87309122e9fce9b960f5d56a45dfcdd83122a4225ed9fd3136320d8
  SHA512:   c94baa6f849bb048e572667e19268754efc58bce6673373db9817c729b36acbfd0bb30975a441f2a5cd16e00be97db412dd82f1669c1701004a1e27307f75c1d

C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\MicrosoftLync2013Win64.xml
  Filesize: 2KB
  MD5:      e3a68bbd204d36868c6f5570e4576675
  SHA1:     bc5c44144e8e962c62f7febabdb3d0ba20a8162a
  SHA256:   11031974100f363daebe2d5c9e4bf67418d662c73e0341eb71e10b91a33280ac
  SHA512:   7c435d9f0e05469979ac3ce3153ad96ac1b01c9946b3df7230b384cc3ed1a2766dfbad0eb00fa1f2105d0fc0e5a87cbc1eb2c6c700c1041ebe4488a6d16c2f02

C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\MicrosoftOffice2010Win32.xml
  Filesize: 71KB
  MD5:      b08a8c2f6941a1a12aa05180aec1dbb9
  SHA1:     c09f9207502aca3866b182d79221addcca76f4d1
  SHA256:   843f89d7b8b11907ee5dea2e0108dbb10ce3883d3b7505c55f4e1082db879d3f
  SHA512:   8de3748bd731835154f3d371ca0174c2b17da64fd39d479b132947304e6ff1d7f95e344aad64b6b9aa831ae37b3ed00d3a05efaf6aed67619e9d69a1e9b89bf7

C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\Microsoft_Office_Office Feature Updates.xml
  Filesize: 6KB
  MD5:      b293170595e747ad85d1fb7f2ee06eea
  SHA1:     0d09a9c16ba3a694aab8fe232a35b719201c0955
  SHA256:   57dede2ef5f1d9538d211229bd5551c88c3c2df627782a7eb6ae98f8051f2535
  SHA512:   0fd0a57941c8e394598e88183c258ee70f54e3c80b32610cf626df18f55d95fd9149ea6e1d055c317236e8b3f0980cf70314392f94e77144ad3fd9519142f12b

C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\Shqhdpq.tmp
  Filesize: 3.5MB
  MD5:      9890a528f4cf15dd6626366926812607
  SHA1:     db98be61107df120b6f5d0ade50da50aeb9766e0
  SHA256:   bc42a03050876544e9895350f14117cff16e96be33de3014d7f9c4cbd95d2075
  SHA512:   d934eeaf7c15929f8eb13913813efd8666850c3b257266e7682f696924830558fe1ccc101aaec8dc8f179ad4fc1e8f28d3ffa19ba7cbc80758e65e774d5d41b5

C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\abcpy.ini
  Filesize: 608B
  MD5:      818d3a4899c5596d8d8da00a87e6d8bb
  SHA1:     4e0e04f5ca5d81661702877852fd9d059722762f
  SHA256:   9986830f6e44d24b86936851c2c0cd961ecdddbed3b34e8f6a64693f36e9429d
  SHA512:   1cd1c882adcee3d89bdc2b07ccf8d4913149565085d42e0f67a4c08b4c4d504b51c9ae44a11de906a1aed202391eb2b3461f63268158b6879cae9a18d56da239

C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\behavior.xml
  Filesize: 1KB
  MD5:      6c23b0f54e5c427ff8f3db170b62616f
  SHA1:     44f1d0f71cbab0e05d9a563bf9e92759898ca4e9
  SHA256:   7cfdc107f1bc076ca39ee36960bbb1d64a6c9faac9ba73a106f6e85224da4a1b
  SHA512:   f511e1aa2f7dcac52ad5452ef8e9e403a77b55a6e9c7bf8248db00e85cee61f1e28ebe6470084a1f22cf64664b8a9ec84975afda1e26e348b4948de4583313a6

C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\print_property.ico
  Filesize: 58KB
  MD5:      30d7062e069bc0a9b34f4034090c1aae
  SHA1:     e5fcedd8e4cc0463c0bc6912b1791f2876e28a61
  SHA256:   24e77f244b0743e311b0fc97f06513a0cecf6560e92f9c6f164288a152d32000
  SHA512:   85dd6c916d48804a24dbbad0f4b4842453ac31a692905f8f2f34112eaa1bbf062a825d45ed5d800bbc4663a28b0b5003ebd5fa54991cf846f1028e929ea06de6

C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\resource.xml
  Filesize: 1KB
  MD5:      09e877cc25ec3ade6e0d56000025e7ae
  SHA1:     fef683c766926d84804867a6a711c200e2ceb406
  SHA256:   995f07448661dec2389b445cbe054e4fce31d07bed2f3f9f4bc94ee9a875fc92
  SHA512:   02b7ed4cba2f3b153f055c51b24eb4a7ca9cec136274a00fcc2efebd21ad410d826d92b0113229e2817930a6a84dfa27e809290cb0522535202116c24ac8f1a3

C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json
  Filesize: 121B
  MD5:      70bdaa5c409965a452e47aa001033c53
  SHA1:     594fad49def244b2a459ddd86bf1763e190917e3
  SHA256:   433ea519024b5837e58afc7f968df10b5fc3144b4da790c68a72c40740bdfa58
  SHA512:   62f25a4e598f3592cb8bb789ae4127c067fbcb3c738983f8da49996c9bdc981cebe266c666a416abe5cda8f321c8d62aa60da87dc77aef1843035dcb5400dbcc

C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json
  Filesize: 121B
  MD5:      656d587b76da4f43efb839ef9a83026e
  SHA1:     daf648eb7f98cfcec644be29d92c1990c1e56b2c
  SHA256:   e02fa7cef7c82a24fdcb99658cc8522ba93d7cffb2abffd7f2c633835a968e7d
  SHA512:   19251a2c09553896a67eac9afee213fd400c436661997de859df6960194a19a728ec0aa1ea11ca1095bd7fde4cc6142ac4973d6d4d600172372f25d6e8031ac7

C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll
  Filesize: 4.2MB
  MD5:      83e42a93a403b51d6975ee3764d39dec
  SHA1:     2a24c78afc3dc97f9be694cf4b5ba8efbadf537b
  SHA256:   ad08c7e5036a57882f6c198acb95362b8fb989ba9e8eabf91aef313a73984552
  SHA512:   f40551ac54395976c176ee711932b9731a2e012166198be80b1028e6f9e7d5ad6bf851b6653883562c28cc243f3f306d47ba2fe1ca2c1c4617cd66fe7e787dee

\??\c:\program files (x86)\windows photo viewer\en-us\measure..dll
  Filesize: 4.2MB
  MD5:      9e1032079650c9aa4a24199d5526c835
  SHA1:     3faeba4882ddaf3d482727331994f9e3019212e9
  SHA256:   22534e21d8baf06a099d15014b4c11c3bf1793e00ccb16d185ed26d2a93707da
  SHA512:   d63b69f16f9405bcbd5792084a462072560f67e52c54cc64acdd17aed102650bbb80ef387364605336518b56868f79706091e8fef9ece7159c9c212105b2df8a