601467592b6be2f05a5b0b2cd957af21a51179d6aaf1970d0710c2ead7ccb980

Analysis

max time kernel
114s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

601467592b6be2f05a5b0b2cd957af21a51179d6aaf1970d0710c2ead7ccb980.exe
Size

4.8MB
MD5

7d3332cd419ae7efed11fd30c329a6bc
SHA1

207233c8e98ed5b885dcebfa02e015a8ac4f5ab2
SHA256

601467592b6be2f05a5b0b2cd957af21a51179d6aaf1970d0710c2ead7ccb980
SHA512

d4146465dd56b67a6b3fd62d0d160c3744ac5c111294663857f66414d0deb0d2860c3bba0af6b8962a3f8be7fe6255a0dac0f7971a9bcded8b64b459045ffdea
SSDEEP

98304:SuQ9c6Aoix58kEbxq8Qt/myztbiKEMKvUs53qjnNlGDqnGW5P0Joecn5KLe8w:ZQlY5xEut/myzcKEMPsZqWDqnGWyiNnl

Score

8^/10

collection discovery persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

15 1976 rundll32.exe
16 1976 rundll32.exe
24 1976 rundll32.exe
37 1976 rundll32.exe
47 1976 rundll32.exe
49 1976 rundll32.exe
53 1976 rundll32.exe

flow	pid	process
15	1976	rundll32.exe
16	1976	rundll32.exe
24	1976	rundll32.exe
37	1976	rundll32.exe
47	1976	rundll32.exe
49	1976	rundll32.exe
53	1976	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MyriadCAD\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\MyriadCAD.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MyriadCAD\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exe

pid process

1976 rundll32.exe
2904 svchost.exe
2904 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1976 set thread context of 4032	1976	rundll32.exe	rundll32.exe
PID 1976 set thread context of 1676	1976	rundll32.exe	rundll32.exe

Drops file in Program Files directory 14 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\MyriadCAD.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Edit_R_Exp_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\en-US.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef.pak	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\index.html	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_ok.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\review_same_reviewers.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Combine_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\server_ok.gif	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4280	2128	WerFault.exe	601467592b6be2f05a5b0b2cd957af21a51179d6aaf1970d0710c2ead7ccb980.exe
4352	2904	WerFault.exe	svchost.exe

Checks processor information in registry 2 TTPs 49 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe

Modifies registry class 14 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

rundll32.exe

pid	process
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 1976 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1976	rundll32.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid	process
4032	rundll32.exe
1976	rundll32.exe
1676	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

601467592b6be2f05a5b0b2cd957af21a51179d6aaf1970d0710c2ead7ccb980.exerundll32.exe

description	pid	process	target process
PID 2128 wrote to memory of 1976	2128	601467592b6be2f05a5b0b2cd957af21a51179d6aaf1970d0710c2ead7ccb980.exe	rundll32.exe
PID 2128 wrote to memory of 1976	2128	601467592b6be2f05a5b0b2cd957af21a51179d6aaf1970d0710c2ead7ccb980.exe	rundll32.exe
PID 2128 wrote to memory of 1976	2128	601467592b6be2f05a5b0b2cd957af21a51179d6aaf1970d0710c2ead7ccb980.exe	rundll32.exe
PID 1976 wrote to memory of 4032	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 4032	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 4032	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 2216	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 2216	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 2216	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 1676	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1676	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 4180	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 4180	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 4180	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 1676	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 4920	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 4920	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 4920	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 3484	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 3484	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 3484	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 1872	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 1872	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 1872	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 2852	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 2852	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 2852	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 64	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 64	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 64	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 1756	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 1756	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 1756	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 3932	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 3932	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 3932	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 3112	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 3112	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 3112	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 4240	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 4240	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 4240	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 4908	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 4908	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 4908	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 4484	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 4484	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 4484	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 3936	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 3936	1976	rundll32.exe	schtasks.exe
PID 1976 wrote to memory of 3936	1976	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\601467592b6be2f05a5b0b2cd957af21a51179d6aaf1970d0710c2ead7ccb980.exe
"C:\Users\Admin\AppData\Local\Temp\601467592b6be2f05a5b0b2cd957af21a51179d6aaf1970d0710c2ead7ccb980.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll,start
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1976

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14066
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4032

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2216

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14066
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1676

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4180

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4920

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3484

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1872

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2852

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:64

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1756

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3932

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3112

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4240

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4908

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4484

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3936

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3108

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1924

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4120

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1540

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3752

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 480
2⤵
- Program crash
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2128 -ip 2128
1⤵
PID:1360

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 940
2⤵
- Program crash
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2904 -ip 2904
1⤵
PID:452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\MyriadCAD.dll
Filesize
5.3MB

MD5
d1cd3e62ea61be2db30607d785f99a24

SHA1
84f0258514ebc52fd4a769ee627d809fa9054f6d

SHA256
5991e8864385c2b8b73cefc8cb061060ed9440780a61fedb4bd49901384f0f1b

SHA512
5dd5b0aca19dc1fbcbf1906b7fd46397642c6758e59e8e523212e200eca2e3cf69d9a5e27b62adce68771bae13d482f0ae2597047e76237f55eec6b92c8576be

Download Submit
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\MyriadCAD.dll
Filesize
5.3MB

MD5
d1cd3e62ea61be2db30607d785f99a24

SHA1
84f0258514ebc52fd4a769ee627d809fa9054f6d

SHA256
5991e8864385c2b8b73cefc8cb061060ed9440780a61fedb4bd49901384f0f1b

SHA512
5dd5b0aca19dc1fbcbf1906b7fd46397642c6758e59e8e523212e200eca2e3cf69d9a5e27b62adce68771bae13d482f0ae2597047e76237f55eec6b92c8576be

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
Filesize
2KB

MD5
db0acdbf49f80d3f3b0fb65a71b39341

SHA1
12c6d86ba5f90a1e1d2b4b4ec3bd94fc9f1296ae

SHA256
f8a8635147117201638a6a4dfa8dcd5b4506cbee07f582001d2a92da434a231f

SHA512
3d4e7547c8186164aa3fb7f08a50e6b065d536ca5ec8bc216c9dfd34c98e7c58c64ebcb39077fbd46370bc42b504acf769c6b3c7387cb98ec209087d4d46d784

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\Microsoft.LockApp_10.0.19041.1023_neutral__cw5n1h2txyewy.xml
Filesize
2KB

MD5
2ff808c347a1bd28f3df3bc8873d73d6

SHA1
afc3b29446a1e5ea641db1c5f1521b2f5c814581

SHA256
6d6bb6749a28b69f42fede441d1c84dbff9c3f69938e637eee4fc260d0c92301

SHA512
33c2861f5b1f0b87be1f7a5d59313d5977d284ba70a126541f2daed6297ac35cf11c4f43107148f05da7e4748f49b3e99335d4c2164ba04e0a4f17830afd1706

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\MicrosoftOffice2013Office365Win64.xml
Filesize
10KB

MD5
46353bb25b4eb2e9d26a25744c716563

SHA1
a9a9c2a1260542b5246fd642425dcc2a29a098c1

SHA256
3fae1d780e8a63d73847dc38412952c238d0e3ca01a97caee718489a3d424893

SHA512
09027ff22d03712258dbd10d6fe2cafbefd90e974210b09d20008d8eb6b569915064c65a7403187b0d78e79c96838cc0bba49b089acc7c7ab790866359719197

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\MicrosoftSkypeForBusiness2016Win32.xml
Filesize
2KB

MD5
a96d6b6a930974c1144c83310d0ed0c9

SHA1
9d2152987585aafcc5af45ea15ccf0ba8f781b39

SHA256
f0da16198da1b68ab87d913b5def804cd36f4da16df22a7cba52f4f12fe7475d

SHA512
57b622ced6ae1432086130e9a8604ba8d572eb0d6ee6033d5d0cee4740648fc23208ad93b66031cd76661026be794093f4a4e199568f11cbee631529229f9596

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\Urpdpfsaas.tmp
Filesize
3.5MB

MD5
2505194e69e0c9b8ed95c0567c34b54e

SHA1
2b6ebc63d04590e270cb0cea837419398b89211d

SHA256
1f6b2346b723f2f3820460d8c3d4f7ebcccd0ddd7a6a0638ef59734be1403367

SHA512
0287d7d8fdfc6964723b0f28f4a5654ff959ceb026aa84a6e723d9fb1690b3c6256d06f02d764489759f1fff964dd72d1e30ef111fa9f09496d47aa07da26f32

Download Submit
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\superbar.png
Filesize
38KB

MD5
45b3b7ada6575d1623bd52d029d7cf96

SHA1
ae4810a660e18d7e40594d1e8e0fe33b46a7f2a4

SHA256
0f35ace5268db33940ed18e946a9c65be4e31ec0ae31faa6e60122859c5cb5ca

SHA512
c7d39db201687940bcbf8e3afb90becf5389640d7948e0cf3518bfae98fda1496650fa59a490631fcad894a9aa0f3d78e4d8b5bb9df57812abbc010c638926a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll
Filesize
5.3MB

MD5
d94dd9ce6ee15d435a46c97c43968bca

SHA1
9ecdad65b43943544553a41d16076ff2b5ee25ab

SHA256
535467ef79d4dbbde30787a15307bd09199daf32c53c1f647ddcf201fd6ae005

SHA512
17e0159e3f63d79951714ea42dece5f25078694c5f9d5ef8502b70968c0e5f6f60c8995c21491c2273ecbb766e2bb3d1832cf102deb17d547659360d72215ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll
Filesize
5.3MB

MD5
d94dd9ce6ee15d435a46c97c43968bca

SHA1
9ecdad65b43943544553a41d16076ff2b5ee25ab

SHA256
535467ef79d4dbbde30787a15307bd09199daf32c53c1f647ddcf201fd6ae005

SHA512
17e0159e3f63d79951714ea42dece5f25078694c5f9d5ef8502b70968c0e5f6f60c8995c21491c2273ecbb766e2bb3d1832cf102deb17d547659360d72215ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Efduroudsheuydo.tmp
Filesize
3.5MB

MD5
2505194e69e0c9b8ed95c0567c34b54e

SHA1
2b6ebc63d04590e270cb0cea837419398b89211d

SHA256
1f6b2346b723f2f3820460d8c3d4f7ebcccd0ddd7a6a0638ef59734be1403367

SHA512
0287d7d8fdfc6964723b0f28f4a5654ff959ceb026aa84a6e723d9fb1690b3c6256d06f02d764489759f1fff964dd72d1e30ef111fa9f09496d47aa07da26f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230220_205452779.html
Filesize
94KB

MD5
311a9ba3c40e0ec51181edd2ad3db355

SHA1
9dcf352a7cabc3b586fd3e4b4150a71ccbc917ce

SHA256
ad706db2b91933c182f4bc59dff80b83eca0311c8f8c84f726a05a3731d48cd7

SHA512
4e511bb6bcf9e1534464bd3c639d73f18bf676dc9d126dd7a0d625800c5a9185130db1234acfb3e204909829bd7d4debdba7f9a128e4953c7f78b4e12251de75

Download Submit
C:\Users\Admin\AppData\Local\Temp\OZADSVWH-20230220-2101.log
Filesize
59KB

MD5
3d8be8fcd43cc2028459f926f736dc27

SHA1
62820333144031a2ca64eb287a6b9a82c53ada30

SHA256
e131791e857b664433a9b18259c68e46eaa1c30559b2268d5016f0fc42652360

SHA512
d51905b054105060bbeed42254bc653d74dd43d0608cf966bbef4b91d79e1ad4255789daafc9c78c83ab119c7f047aded8721a4b214d768a1e662665fa891266

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pueyifswwq
Filesize
92KB

MD5
bae565bc385845e730347df331491051

SHA1
5da4a3def18f75d007cee6ee334f8e36b0c377bc

SHA256
c6aeae82d3a49e6ce016e1f02fa93c918d50934f93847ae371816e5fdeb79dd5

SHA512
6e9120dca1ec8acadbccff6c99bf81ccb6e91b53019be1b5bda35fa5a5be8e18fd001fcda8f01096123d3aae1e71e0262910dad846f756c513493c92387232a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ueptwauffw
Filesize
46KB

MD5
b13fcb3223116f6eec60be9143cae98b

SHA1
9a9eb6da6d8e008a51e6ce6212c49bfbe7cb3c88

SHA256
961fc9bf866c5b58401d3c91735f9a7b7b4fc93c94038c504c965491f622b52b

SHA512
89d72b893acd2ec537b3c3deffcc71d1ce02211f9f5b931c561625ee7162052b511e46d4b4596c0a715e1c992310f2536ebdd512db400eeab23c8960ec4d312d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
Filesize
1KB

MD5
220d53381f1f1774b4cdaf18a673a0a9

SHA1
c23d333fe51a0d1662098446a6430787e6a3c1d9

SHA256
7655c6a46dadece4557e8e79ffba82f56650d89a73d950e5082ab00de9de0107

SHA512
26911b78c6b45ff6a792069133917005c0ccacdc81083ba0eea6888bcd1c1cbbe77745672b08a545c9540a1c11aa8b5412f8c778b9ccb79270ec5a25b2f59ac0

Download Submit
\??\c:\program files (x86)\windows sidebar\shared gadgets\myriadcad.dll
Filesize
5.3MB

MD5
d1cd3e62ea61be2db30607d785f99a24

SHA1
84f0258514ebc52fd4a769ee627d809fa9054f6d

SHA256
5991e8864385c2b8b73cefc8cb061060ed9440780a61fedb4bd49901384f0f1b

SHA512
5dd5b0aca19dc1fbcbf1906b7fd46397642c6758e59e8e523212e200eca2e3cf69d9a5e27b62adce68771bae13d482f0ae2597047e76237f55eec6b92c8576be

Download Submit
memory/1676-303-0x00000224F8AB0000-0x00000224F8D52000-memory.dmp

Filesize
2.6MB

Download
memory/1976-177-0x0000000000400000-0x0000000000964000-memory.dmp

Filesize
5.4MB

Download
memory/1976-235-0x0000000004520000-0x0000000004660000-memory.dmp

Filesize
1.2MB

Download
memory/1976-178-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-179-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-180-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-181-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-182-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-184-0x0000000004520000-0x0000000004660000-memory.dmp

Filesize
1.2MB

Download
memory/1976-183-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/1976-185-0x0000000004520000-0x0000000004660000-memory.dmp

Filesize
1.2MB

Download
memory/1976-176-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-174-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-173-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-201-0x0000000000400000-0x0000000000964000-memory.dmp

Filesize
5.4MB

Download
memory/1976-171-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-170-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-139-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1976-169-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-168-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-295-0x0000000004520000-0x0000000004660000-memory.dmp

Filesize
1.2MB

Download
memory/1976-157-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-156-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-155-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/1976-154-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-153-0x0000000000400000-0x0000000000964000-memory.dmp

Filesize
5.4MB

Download
memory/1976-294-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/1976-293-0x0000000004520000-0x0000000004660000-memory.dmp

Filesize
1.2MB

Download
memory/1976-230-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-291-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-232-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-290-0x0000000004520000-0x0000000004660000-memory.dmp

Filesize
1.2MB

Download
memory/1976-289-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-287-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-236-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-239-0x0000000004520000-0x0000000004660000-memory.dmp

Filesize
1.2MB

Download
memory/1976-240-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/1976-241-0x0000000004520000-0x0000000004660000-memory.dmp

Filesize
1.2MB

Download
memory/1976-242-0x0000000004520000-0x0000000004660000-memory.dmp

Filesize
1.2MB

Download
memory/1976-140-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1976-244-0x0000000003910000-0x0000000004456000-memory.dmp

Filesize
11.3MB

Download
memory/1976-251-0x0000000000400000-0x0000000000964000-memory.dmp

Filesize
5.4MB

Download
memory/2128-134-0x00000000052F0000-0x0000000005996000-memory.dmp

Filesize
6.6MB

Download
memory/2128-135-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/2128-141-0x0000000000400000-0x0000000003002000-memory.dmp

Filesize
44.0MB

Download
memory/2904-247-0x0000000003190000-0x0000000003CD6000-memory.dmp

Filesize
11.3MB

Download
memory/2904-221-0x0000000001600000-0x0000000001B64000-memory.dmp

Filesize
5.4MB

Download
memory/2904-222-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/2904-229-0x0000000002270000-0x0000000002DB6000-memory.dmp

Filesize
11.3MB

Download
memory/2904-263-0x0000000001600000-0x0000000001B64000-memory.dmp

Filesize
5.4MB

Download
memory/2904-233-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2904-238-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/2904-234-0x0000000002270000-0x0000000002DB6000-memory.dmp

Filesize
11.3MB

Download
memory/4032-250-0x0000029A25E00000-0x0000029A260A2000-memory.dmp

Filesize
2.6MB

Download
memory/4032-285-0x0000029A25E00000-0x0000029A260A2000-memory.dmp

Filesize
2.6MB

Download
memory/4032-243-0x00007FFDF9F10000-0x00007FFDF9F11000-memory.dmp

Filesize
4KB

Download
memory/4032-245-0x0000029A25CA0000-0x0000029A25DE0000-memory.dmp

Filesize
1.2MB

Download
memory/4032-246-0x0000029A25CA0000-0x0000029A25DE0000-memory.dmp

Filesize
1.2MB

Download
memory/4032-249-0x00000000009E0000-0x0000000000C71000-memory.dmp

Filesize
2.6MB

Download
memory/4032-248-0x0000029A25E00000-0x0000029A260A2000-memory.dmp

Filesize
2.6MB

Download