3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a

General

Target

3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
Size

83KB
MD5

3ac03c32ba869f1919e36b1595ff3a67
SHA1

2ddd627495c03901e109097b05857aae4a565325
SHA256

3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a
SHA512

46bc724fc72a0ec89c243d47751f1e69ea6abe006c3ae70e15a1ea36dfbc963c00baa8c48fdc88ffefc33f537793d72f4c690afc41afd987acff735cf448fad4
SSDEEP

1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWO1P9rLlW:GhfxHNIreQm+Hi2P9rLlW

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

rundll32.exe

pid process

2160 rundll32.exe

pid	process
2160	rundll32.exe

Loads dropped DLL 2 IoCs

Processes:

3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe

pid	process
1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe

Drops file in System32 directory 4 IoCs

Processes:

3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\notepad¢¬.exe	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
File created	C:\Windows\SysWOW64\notepad¢¬.exe	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
File opened for modification	C:\Windows\SysWOW64\¢«.exe	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
File created	C:\Windows\SysWOW64\¢«.exe	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe

Drops file in Windows directory 2 IoCs

Processes:

3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe

description	ioc	process
File opened for modification	C:\Windows\system\rundll32.exe	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
File created	C:\Windows\system\rundll32.exe	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe

Modifies registry class 15 IoCs

Processes:

3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1714256343"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1714256343"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe

pid	process
1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

2160 rundll32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exerundll32.exe

pid process

1984 3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
2160 rundll32.exe
2160 rundll32.exe

pid	process
2160	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe

description	pid	process	target process
PID 1984 wrote to memory of 2160	1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe	rundll32.exe
PID 1984 wrote to memory of 2160	1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe	rundll32.exe
PID 1984 wrote to memory of 2160	1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe	rundll32.exe
PID 1984 wrote to memory of 2160	1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe	rundll32.exe
PID 1984 wrote to memory of 2160	1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe	rundll32.exe
PID 1984 wrote to memory of 2160	1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe	rundll32.exe
PID 1984 wrote to memory of 2160	1984	3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe
"C:\Users\Admin\AppData\Local\Temp\3f429a952a17b4aefff320113de4c0003ca263a60c0fb2c3d881130c4777e90a.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\system\rundll32.exe
C:\Windows\system\rundll32.exe
2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2160

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\notepad¢¬.exe
Filesize
76KB

MD5
fe683880ebadbec7124201bab622dd05

SHA1
ec9bea5a79c35c7ad3108b721b3a94a127971df6

SHA256
ea3ef18f3a2ec815a3d59f6fe3bbda81483ad6ac9fadcde3dd7c0d4cb482c065

SHA512
470436b06ecf930c7c7fe6c00267cbf2514af5b4a055321dfb4cabc5207fcd7ba7ebfb818196e8ea5f8b6c40bfb067d4ddf201bd1469182a6c79f1e8f7e5e176

Download Submit
\Windows\system\rundll32.exe
Filesize
80KB

MD5
5515c6200013a4a5377611f936933603

SHA1
b5d2e3681ebd56ca52260f301facd26fd07ed900

SHA256
f10a0f56e9866f1ef01a6115b387dabca44e87f2636ceca84cfdae916659c1a1

SHA512
b8086b86e684bbf808c417751377eed68ecaeba8745729ae7c6cbfed3e43c3f3e12bfe744d65de19630dd653a3eb62b8b28577032e8573a321da5f0ef1bfcccc

Download Submit
memory/1984-0-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download
memory/1984-11-0x0000000000280000-0x0000000000296000-memory.dmp

Filesize
88KB

Download
memory/1984-19-0x0000000000280000-0x0000000000296000-memory.dmp

Filesize
88KB

Download
memory/1984-21-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download
memory/1984-22-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2160-20-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads