0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558

Analysis

max time kernel
139s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2023 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exe
Size

3.7MB
MD5

4d48f11f0abc973ab3acf12de2211865
SHA1

53c161c0be82c5c592f843341a5ed64fd9cd7aef
SHA256

0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558
SHA512

cb50822e5c5543ec6ae96375277c62e6cadb69f250ac4e3bd3d7e9480d22eabcbdf02bd2ea1f69d4c70767b34ba7b94fb07bdcd17bc0d3e662822c9fa26dcfc9
SSDEEP

98304:oANvCTRrDO3++95Kz5dPGC9lO9MrYsD1gsGuLsj:gVHOh9gXGkmM8Td

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

22 3548 rundll32.exe
45 3548 rundll32.exe
47 3548 rundll32.exe

flow	pid	process
22	3548	rundll32.exe
45	3548	rundll32.exe
47	3548	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Measure.\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Measure..dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Measure.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

3548 rundll32.exe
3548 rundll32.exe
2168 svchost.exe
2168 svchost.exe
3212 rundll32.exe
3212 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3548	rundll32.exe
3548	rundll32.exe
2168	svchost.exe
2168	svchost.exe
3212	rundll32.exe
3212	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3548 set thread context of 4468 3548 rundll32.exe rundll32.exe

description	pid	process	target process
PID 3548 set thread context of 4468	3548	rundll32.exe	rundll32.exe

Drops file in Program Files directory 30 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\AcroRd32Info.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\reflow.api	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\ccme_asym.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\Redact_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef.pak	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\FullTrustNotifier.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\main-cef-mac.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_asym.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\AcroTextExtractor.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\InAppSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\warning.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\3difr.x3d	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\AcroLayoutRecognizer.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\close_x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\Measure..dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\AppCenter_R.aapp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2512 4584 WerFault.exe 0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exe

pid	pid_target	process	target process
2512	4584	WerFault.exe	0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

svchost.exerundll32.exe

pid process

2168 svchost.exe
2168 svchost.exe
3548 rundll32.exe
3548 rundll32.exe
2168 svchost.exe
2168 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 3548 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4468 rundll32.exe
3548 rundll32.exe

pid	process
2168	svchost.exe
2168	svchost.exe
3548	rundll32.exe
3548	rundll32.exe
2168	svchost.exe
2168	svchost.exe

description	pid	process
Token: SeDebugPrivilege	3548	rundll32.exe

pid	process
4468	rundll32.exe
3548	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exerundll32.exesvchost.exe

description	pid	process	target process
PID 4584 wrote to memory of 3548	4584	0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exe	rundll32.exe
PID 4584 wrote to memory of 3548	4584	0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exe	rundll32.exe
PID 4584 wrote to memory of 3548	4584	0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exe	rundll32.exe
PID 3548 wrote to memory of 4468	3548	rundll32.exe	rundll32.exe
PID 3548 wrote to memory of 4468	3548	rundll32.exe	rundll32.exe
PID 3548 wrote to memory of 4468	3548	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 3212	2168	svchost.exe	rundll32.exe
PID 2168 wrote to memory of 3212	2168	svchost.exe	rundll32.exe
PID 2168 wrote to memory of 3212	2168	svchost.exe	rundll32.exe
PID 3548 wrote to memory of 4012	3548	rundll32.exe	schtasks.exe
PID 3548 wrote to memory of 4012	3548	rundll32.exe	schtasks.exe
PID 3548 wrote to memory of 4012	3548	rundll32.exe	schtasks.exe
PID 3548 wrote to memory of 4864	3548	rundll32.exe	schtasks.exe
PID 3548 wrote to memory of 4864	3548	rundll32.exe	schtasks.exe
PID 3548 wrote to memory of 4864	3548	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exe
"C:\Users\Admin\AppData\Local\Temp\0330eb5e2f44d2e71b863f03c056f1c74995846587ccfba437d53e4e2e4b9558.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll,start
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3548

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23995
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4468

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4012

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4864

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2032

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:824

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 484
2⤵
- Program crash
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4584 -ip 4584
1⤵
PID:1916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3800

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows photo viewer\en-us\measure..dll",d1wbUVc=
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\en-US\Measure..dll
Filesize
4.2MB

MD5
9e1032079650c9aa4a24199d5526c835

SHA1
3faeba4882ddaf3d482727331994f9e3019212e9

SHA256
22534e21d8baf06a099d15014b4c11c3bf1793e00ccb16d185ed26d2a93707da

SHA512
d63b69f16f9405bcbd5792084a462072560f67e52c54cc64acdd17aed102650bbb80ef387364605336518b56868f79706091e8fef9ece7159c9c212105b2df8a

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\Measure..dll
Filesize
4.2MB

MD5
9e1032079650c9aa4a24199d5526c835

SHA1
3faeba4882ddaf3d482727331994f9e3019212e9

SHA256
22534e21d8baf06a099d15014b4c11c3bf1793e00ccb16d185ed26d2a93707da

SHA512
d63b69f16f9405bcbd5792084a462072560f67e52c54cc64acdd17aed102650bbb80ef387364605336518b56868f79706091e8fef9ece7159c9c212105b2df8a

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\Measure..dll
Filesize
4.2MB

MD5
9e1032079650c9aa4a24199d5526c835

SHA1
3faeba4882ddaf3d482727331994f9e3019212e9

SHA256
22534e21d8baf06a099d15014b4c11c3bf1793e00ccb16d185ed26d2a93707da

SHA512
d63b69f16f9405bcbd5792084a462072560f67e52c54cc64acdd17aed102650bbb80ef387364605336518b56868f79706091e8fef9ece7159c9c212105b2df8a

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\Measure..dll
Filesize
4.2MB

MD5
9e1032079650c9aa4a24199d5526c835

SHA1
3faeba4882ddaf3d482727331994f9e3019212e9

SHA256
22534e21d8baf06a099d15014b4c11c3bf1793e00ccb16d185ed26d2a93707da

SHA512
d63b69f16f9405bcbd5792084a462072560f67e52c54cc64acdd17aed102650bbb80ef387364605336518b56868f79706091e8fef9ece7159c9c212105b2df8a

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml
Filesize
23KB

MD5
37cde9afb1540513bd564d71867021e0

SHA1
e319abb6093025dccc55618fb407c1182ccdafe7

SHA256
516aa640a48752bcadbd46e4f53c0560a1cb379d5366b1c9bb4d0706d1bd040f

SHA512
6746350447a6a0424c90571c7cc3442d34af0cb16fa1459bb76b25423f165f474073f1d359462cb805ac376a9d069236d6b7a796332c27253a4807f691292881

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
16KB

MD5
4194b927b32c56bb3a5ed72c164c917e

SHA1
ec60c6bb8b2d0181408c65b3456b7b3b92cca134

SHA256
86d065b6d87309122e9fce9b960f5d56a45dfcdd83122a4225ed9fd3136320d8

SHA512
c94baa6f849bb048e572667e19268754efc58bce6673373db9817c729b36acbfd0bb30975a441f2a5cd16e00be97db412dd82f1669c1701004a1e27307f75c1d

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\MicrosoftLync2013Win64.xml
Filesize
2KB

MD5
e3a68bbd204d36868c6f5570e4576675

SHA1
bc5c44144e8e962c62f7febabdb3d0ba20a8162a

SHA256
11031974100f363daebe2d5c9e4bf67418d662c73e0341eb71e10b91a33280ac

SHA512
7c435d9f0e05469979ac3ce3153ad96ac1b01c9946b3df7230b384cc3ed1a2766dfbad0eb00fa1f2105d0fc0e5a87cbc1eb2c6c700c1041ebe4488a6d16c2f02

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\MicrosoftOffice2010Win32.xml
Filesize
71KB

MD5
b08a8c2f6941a1a12aa05180aec1dbb9

SHA1
c09f9207502aca3866b182d79221addcca76f4d1

SHA256
843f89d7b8b11907ee5dea2e0108dbb10ce3883d3b7505c55f4e1082db879d3f

SHA512
8de3748bd731835154f3d371ca0174c2b17da64fd39d479b132947304e6ff1d7f95e344aad64b6b9aa831ae37b3ed00d3a05efaf6aed67619e9d69a1e9b89bf7

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\Microsoft_Office_Office Feature Updates.xml
Filesize
6KB

MD5
b293170595e747ad85d1fb7f2ee06eea

SHA1
0d09a9c16ba3a694aab8fe232a35b719201c0955

SHA256
57dede2ef5f1d9538d211229bd5551c88c3c2df627782a7eb6ae98f8051f2535

SHA512
0fd0a57941c8e394598e88183c258ee70f54e3c80b32610cf626df18f55d95fd9149ea6e1d055c317236e8b3f0980cf70314392f94e77144ad3fd9519142f12b

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\Shqhdpq.tmp
Filesize
3.5MB

MD5
9890a528f4cf15dd6626366926812607

SHA1
db98be61107df120b6f5d0ade50da50aeb9766e0

SHA256
bc42a03050876544e9895350f14117cff16e96be33de3014d7f9c4cbd95d2075

SHA512
d934eeaf7c15929f8eb13913813efd8666850c3b257266e7682f696924830558fe1ccc101aaec8dc8f179ad4fc1e8f28d3ffa19ba7cbc80758e65e774d5d41b5

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\abcpy.ini
Filesize
608B

MD5
818d3a4899c5596d8d8da00a87e6d8bb

SHA1
4e0e04f5ca5d81661702877852fd9d059722762f

SHA256
9986830f6e44d24b86936851c2c0cd961ecdddbed3b34e8f6a64693f36e9429d

SHA512
1cd1c882adcee3d89bdc2b07ccf8d4913149565085d42e0f67a4c08b4c4d504b51c9ae44a11de906a1aed202391eb2b3461f63268158b6879cae9a18d56da239

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\behavior.xml
Filesize
1KB

MD5
6c23b0f54e5c427ff8f3db170b62616f

SHA1
44f1d0f71cbab0e05d9a563bf9e92759898ca4e9

SHA256
7cfdc107f1bc076ca39ee36960bbb1d64a6c9faac9ba73a106f6e85224da4a1b

SHA512
f511e1aa2f7dcac52ad5452ef8e9e403a77b55a6e9c7bf8248db00e85cee61f1e28ebe6470084a1f22cf64664b8a9ec84975afda1e26e348b4948de4583313a6

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\print_property.ico
Filesize
58KB

MD5
30d7062e069bc0a9b34f4034090c1aae

SHA1
e5fcedd8e4cc0463c0bc6912b1791f2876e28a61

SHA256
24e77f244b0743e311b0fc97f06513a0cecf6560e92f9c6f164288a152d32000

SHA512
85dd6c916d48804a24dbbad0f4b4842453ac31a692905f8f2f34112eaa1bbf062a825d45ed5d800bbc4663a28b0b5003ebd5fa54991cf846f1028e929ea06de6

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\resource.xml
Filesize
1KB

MD5
09e877cc25ec3ade6e0d56000025e7ae

SHA1
fef683c766926d84804867a6a711c200e2ceb406

SHA256
995f07448661dec2389b445cbe054e4fce31d07bed2f3f9f4bc94ee9a875fc92

SHA512
02b7ed4cba2f3b153f055c51b24eb4a7ca9cec136274a00fcc2efebd21ad410d826d92b0113229e2817930a6a84dfa27e809290cb0522535202116c24ac8f1a3

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json
Filesize
121B

MD5
70bdaa5c409965a452e47aa001033c53

SHA1
594fad49def244b2a459ddd86bf1763e190917e3

SHA256
433ea519024b5837e58afc7f968df10b5fc3144b4da790c68a72c40740bdfa58

SHA512
62f25a4e598f3592cb8bb789ae4127c067fbcb3c738983f8da49996c9bdc981cebe266c666a416abe5cda8f321c8d62aa60da87dc77aef1843035dcb5400dbcc

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json
Filesize
121B

MD5
656d587b76da4f43efb839ef9a83026e

SHA1
daf648eb7f98cfcec644be29d92c1990c1e56b2c

SHA256
e02fa7cef7c82a24fdcb99658cc8522ba93d7cffb2abffd7f2c633835a968e7d

SHA512
19251a2c09553896a67eac9afee213fd400c436661997de859df6960194a19a728ec0aa1ea11ca1095bd7fde4cc6142ac4973d6d4d600172372f25d6e8031ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll
Filesize
4.2MB

MD5
83e42a93a403b51d6975ee3764d39dec

SHA1
2a24c78afc3dc97f9be694cf4b5ba8efbadf537b

SHA256
ad08c7e5036a57882f6c198acb95362b8fb989ba9e8eabf91aef313a73984552

SHA512
f40551ac54395976c176ee711932b9731a2e012166198be80b1028e6f9e7d5ad6bf851b6653883562c28cc243f3f306d47ba2fe1ca2c1c4617cd66fe7e787dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll
Filesize
4.2MB

MD5
83e42a93a403b51d6975ee3764d39dec

SHA1
2a24c78afc3dc97f9be694cf4b5ba8efbadf537b

SHA256
ad08c7e5036a57882f6c198acb95362b8fb989ba9e8eabf91aef313a73984552

SHA512
f40551ac54395976c176ee711932b9731a2e012166198be80b1028e6f9e7d5ad6bf851b6653883562c28cc243f3f306d47ba2fe1ca2c1c4617cd66fe7e787dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll
Filesize
4.2MB

MD5
83e42a93a403b51d6975ee3764d39dec

SHA1
2a24c78afc3dc97f9be694cf4b5ba8efbadf537b

SHA256
ad08c7e5036a57882f6c198acb95362b8fb989ba9e8eabf91aef313a73984552

SHA512
f40551ac54395976c176ee711932b9731a2e012166198be80b1028e6f9e7d5ad6bf851b6653883562c28cc243f3f306d47ba2fe1ca2c1c4617cd66fe7e787dee

Download Submit
\??\c:\program files (x86)\windows photo viewer\en-us\measure..dll
Filesize
4.2MB

MD5
9e1032079650c9aa4a24199d5526c835

SHA1
3faeba4882ddaf3d482727331994f9e3019212e9

SHA256
22534e21d8baf06a099d15014b4c11c3bf1793e00ccb16d185ed26d2a93707da

SHA512
d63b69f16f9405bcbd5792084a462072560f67e52c54cc64acdd17aed102650bbb80ef387364605336518b56868f79706091e8fef9ece7159c9c212105b2df8a

Download Submit
memory/824-192-0x0000000000000000-mapping.dmp

Download
memory/2032-191-0x0000000000000000-mapping.dmp

Download
memory/2168-173-0x0000000001E20000-0x000000000296E000-memory.dmp

Filesize
11.3MB

Download
memory/2168-172-0x0000000001E20000-0x000000000296E000-memory.dmp

Filesize
11.3MB

Download
memory/2168-190-0x0000000001E20000-0x000000000296E000-memory.dmp

Filesize
11.3MB

Download
memory/2168-160-0x0000000001300000-0x000000000173C000-memory.dmp

Filesize
4.2MB

Download
memory/2168-175-0x0000000001E20000-0x000000000296E000-memory.dmp

Filesize
11.3MB

Download
memory/3212-187-0x0000000002AF0000-0x000000000363E000-memory.dmp

Filesize
11.3MB

Download
memory/3212-182-0x0000000002AF0000-0x000000000363E000-memory.dmp

Filesize
11.3MB

Download
memory/3212-181-0x0000000002AF0000-0x000000000363E000-memory.dmp

Filesize
11.3MB

Download
memory/3212-180-0x0000000002AF0000-0x000000000363E000-memory.dmp

Filesize
11.3MB

Download
memory/3212-179-0x0000000001FD0000-0x000000000240C000-memory.dmp

Filesize
4.2MB

Download
memory/3212-176-0x0000000000000000-mapping.dmp

Download
memory/3364-193-0x0000000000000000-mapping.dmp

Download
memory/3548-141-0x0000000003DA0000-0x00000000048EE000-memory.dmp

Filesize
11.3MB

Download
memory/3548-149-0x00000000049F0000-0x0000000004B30000-memory.dmp

Filesize
1.2MB

Download
memory/3548-144-0x00000000049F0000-0x0000000004B30000-memory.dmp

Filesize
1.2MB

Download
memory/3548-143-0x0000000003DA0000-0x00000000048EE000-memory.dmp

Filesize
11.3MB

Download
memory/3548-142-0x0000000003DA0000-0x00000000048EE000-memory.dmp

Filesize
11.3MB

Download
memory/3548-156-0x0000000003DA0000-0x00000000048EE000-memory.dmp

Filesize
11.3MB

Download
memory/3548-146-0x00000000049F0000-0x0000000004B30000-memory.dmp

Filesize
1.2MB

Download
memory/3548-134-0x0000000000000000-mapping.dmp

Download
memory/3548-153-0x0000000004A69000-0x0000000004A6B000-memory.dmp

Filesize
8KB

Download
memory/3548-147-0x00000000049F0000-0x0000000004B30000-memory.dmp

Filesize
1.2MB

Download
memory/3548-148-0x00000000049F0000-0x0000000004B30000-memory.dmp

Filesize
1.2MB

Download
memory/3548-145-0x00000000049F0000-0x0000000004B30000-memory.dmp

Filesize
1.2MB

Download
memory/3548-139-0x0000000002C40000-0x000000000307C000-memory.dmp

Filesize
4.2MB

Download
memory/4012-188-0x0000000000000000-mapping.dmp

Download
memory/4468-150-0x00007FF6AEC56890-mapping.dmp

Download
memory/4468-151-0x0000020B45F20000-0x0000020B46060000-memory.dmp

Filesize
1.2MB

Download
memory/4468-152-0x0000020B45F20000-0x0000020B46060000-memory.dmp

Filesize
1.2MB

Download
memory/4468-154-0x00000000001C0000-0x0000000000451000-memory.dmp

Filesize
2.6MB

Download
memory/4468-155-0x0000020B44660000-0x0000020B44903000-memory.dmp

Filesize
2.6MB

Download
memory/4584-135-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/4584-140-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/4584-132-0x00000000028F8000-0x0000000002C70000-memory.dmp

Filesize
3.5MB

Download
memory/4584-133-0x0000000002C80000-0x0000000003156000-memory.dmp

Filesize
4.8MB

Download
memory/4864-189-0x0000000000000000-mapping.dmp

Download