Analysis

  • max time kernel: 149s
  • max time network: 55s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240419-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 27-04-2024 22:18

General

  • Target: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe
  • Size: 84KB
  • MD5: 965696ab0556f35508631bd45dc75e76
  • SHA1: c44973344f8aa94228cc5623bd21faa20d42b2bb
  • SHA256: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226
  • SHA512: 71ebf8d8c391630f7fe1d6673dfe046e1fb1a23392c72ffa4776256cb9d0ea8232cda7cb897e72b82e1caae2ebc470533213e1c5a23e1bac1284eb707111625d
  • SSDEEP: 1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOJAfYs:GhfxHNIreQm+HiyAfYs

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Modifies system executable filetype association (2 TTPs, 5 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Modifies registry class (15 IoCs)
  • Suspicious behavior: EnumeratesProcesses (28 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe
    "C:\Users\Admin\AppData\Local\Temp\0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Windows\system\rundll32.exe
      C:\Windows\system\rundll32.exe
      2⤵
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2624

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • T1546 Event Triggered Execution: 1
    • T1546.001 Change Default File Association: 1

Privilege Escalation
  • T1546 Event Triggered Execution: 1
    • T1546.001 Change Default File Association: 1

Defense Evasion
  • T1112 Modify Registry: 1
Downloads

  • C:\Windows\SysWOW64\notepad¢¬.exe
    Filesize: 73KB
    MD5: 9f9a8d6c0c6edd088970947945cfe3d8
    SHA1: 96b6be2416cde316c8b7dae7bc935e60940dab47
    SHA256: dcd1ab9db5539a5b4807eed962308d015f9af2a3423cbaaca9ecfad9d729ce83
    SHA512: cd9203b3a094fa18cd2a5ffdbb7b94114c1459ca6dff162d4e9a543dba842bf2c38d72604198ad0554bc380babcb22e421b91cec7d3814c8d939d81e6423f815

  • C:\Windows\System\rundll32.exe
    Filesize: 83KB
    MD5: bb5cc8a18e6ae13d4f0483f65c2ba871
    SHA1: badacf236317d8796058f39344e5d0706e317759
    SHA256: 6a2af55af8f69dc2f8e0b698b73c0280bc4af46a7014aab4b7ce829f4bb614d5
    SHA512: 8ed9d27633a9dd629aea35405980b5e59e44eb7e483fe999e1da7cd903df44a9b8e2d6aadb3ef165a7ecf1aab1a158a52c7731d1a156ae0640f2c4436be6cdf8

  • memory/1028-0-0x0000000000400000-0x0000000000415A00-memory.dmp
    Filesize: 86KB

  • memory/1028-13-0x0000000000400000-0x0000000000415A00-memory.dmp
    Filesize: 86KB
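The Signatures, Processes and Downloads sections above describe three things a hunter can turn into checks: a binary named rundll32.exe dropped and executed from C:\Windows\system\ (a directory that is not System32 or SysWOW64), an executable with non-ASCII characters in its name written into SysWOW64, and a change to the system executable file-type association (T1546.001). The script below is an added example, not part of this report or of any sandbox's own tooling. It runs those checks over constructed Sysmon-style events (Event ID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent value set) modelled on the process tree and hashes listed in this report. The registry key fragment `\exefile\shell\open\command`, the `Details` value, and the benign control process are assumptions for the example; the report names only the signature, not the exact key or value written.

```python
import ntpath

# SHA-256 values taken from this report (submitted sample and the two dropped files).
KNOWN_SHA256 = {
    "0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226": "submitted sample",
    "6a2af55af8f69dc2f8e0b698b73c0280bc4af46a7014aab4b7ce829f4bb614d5": r"dropped C:\Windows\System\rundll32.exe",
    "dcd1ab9db5539a5b4807eed962308d015f9af2a3423cbaaca9ecfad9d729ce83": r"dropped C:\Windows\SysWOW64\notepad¢¬.exe",
}

# The only directories that hold a genuine rundll32.exe on a 64-bit Windows 10 host.
LEGIT_RUNDLL32_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Assumed key fragment for T1546.001 on the "exefile" type (matches both HKCR\exefile\...
# and HKLM\SOFTWARE\Classes\exefile\...); the report names only the signature.
EXEFILE_COMMAND_FRAGMENT = r"\exefile\shell\open\command"


def sha256_from_hashes(field):
    """Pull the SHA256 value out of a Sysmon 'Hashes' field such as 'MD5=..,SHA256=..'."""
    for part in field.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def is_rundll32_masquerade(path):
    """True when a file named rundll32.exe sits outside the legitimate system directories."""
    directory, name = ntpath.split(path)
    return name.lower() == "rundll32.exe" and directory.lower() not in LEGIT_RUNDLL32_DIRS


def is_nonascii_system_exe(path):
    """True for an .exe under C:\\Windows whose file name carries non-ASCII characters."""
    directory, name = ntpath.split(path)
    under_windows = (directory.lower() + "\\").startswith("c:\\windows\\")
    return under_windows and name.lower().endswith(".exe") and any(ord(ch) > 127 for ch in name)


def hunt(events):
    """Return (rule, detail) pairs for events that match the behaviour seen in this report."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # ProcessCreate: check the image path and its hash
            image = ev["Image"]
            digest = sha256_from_hashes(ev.get("Hashes", ""))
            if digest in KNOWN_SHA256:
                findings.append(("known_hash", f"{image} matches {KNOWN_SHA256[digest]}"))
            if is_rundll32_masquerade(image):
                findings.append(("rundll32_masquerade", image))
        elif eid == 11:  # FileCreate: check where the dropped file landed and what it is called
            target = ev["TargetFilename"]
            if is_rundll32_masquerade(target):
                findings.append(("rundll32_masquerade", target))
            if is_nonascii_system_exe(target):
                findings.append(("nonascii_system_exe", target))
        elif eid == 13:  # RegistryEvent (value set): check for the exe association key
            target = ev["TargetObject"]
            if EXEFILE_COMMAND_FRAGMENT in target.lower():
                findings.append(("exefile_association_changed", target))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe"
DROPPED = r"C:\Windows\system\rundll32.exe"

# Constructed Sysmon-style events modelled on the process tree (PIDs 1028 and 2624) and the
# Downloads list in this report. The 'Details' value and the last (benign) event are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1028, "Image": SAMPLE,
     "Hashes": "SHA256=0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226"},
    {"EventID": 11, "ProcessId": 1028, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 11, "ProcessId": 1028, "Image": SAMPLE,
     "TargetFilename": "C:\\Windows\\SysWOW64\\notepad¢¬.exe"},
    {"EventID": 13, "ProcessId": 1028, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
     "Details": "(constructed value)"},
    {"EventID": 1, "ProcessId": 2624, "ParentProcessId": 1028, "Image": DROPPED,
     "Hashes": "SHA256=6a2af55af8f69dc2f8e0b698b73c0280bc4af46a7014aab4b7ce829f4bb614d5"},
    {"EventID": 1, "ProcessId": 3100, "Image": r"C:\Windows\System32\rundll32.exe",
     "Hashes": "SHA256=" + "0" * 64},  # benign control: real path, placeholder hash
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

Run against the constructed events, the benign System32 rundll32.exe produces nothing, while the dropped copy is flagged twice (on creation and on execution) and its hash matches the report. The path check is deliberately stricter than a name match: rundll32.exe is a living-off-the-land binary that appears in normal telemetry constantly, so the directory, not the name, is the signal.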