Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 13-10-2023 22:10
Static task: static1
Behavioral task: behavioral1
- Sample: f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
- Resource: win10v2004-20230915-en
General
- Target: f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
- Size: 75KB
- MD5: 6ba341cfcc42a10afc9c93e8f2cd2002
- SHA1: dd4840f0f1616eb889a177b85c9cf4224c4211ee
- SHA256: f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1
- SHA512: 9bb48dd9cb103c9f457c058e0c1baa31324b7a8dd40b4ddfb2b8551c9fb90072a51b6332db05c72983a59ed16b103c0768708d2b2bee46f3d8245e79e8f8b00d
- SSDEEP: 768:agO5xRYi+SfSWHHNvvG5bnl/NqNwsKVDstHxYD0p1aXKynF0vQmYZS0HdJnfWOXz:RshfSWHHNvoLqNwDDGw02eQmh0HjWOXz
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2440 | rundll32.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1396 | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
  1396 | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
- Modifies system executable filetype association (2 TTPs, 5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | rundll32.exe
- Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\¢«.exe | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
  File created | C:\Windows\SysWOW64\¢«.exe | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
  File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
  File created | C:\Windows\SysWOW64\notepad¢¬.exe | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system\rundll32.exe | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
  File created | C:\Windows\system\rundll32.exe | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
- Modifies registry class (15 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | rundll32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | rundll32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | rundll32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1697235088" | rundll32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1697235088" | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  1396 | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe (this same row is reported 14 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2440 | rundll32.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  1396 | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
  2440 | rundll32.exe
  2440 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1396 wrote to memory of 2440 | 1396 | f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe | 1 (this same row is reported 7 times)
Processes
- C:\Windows\system\rundll32.exe
  Command line: C:\Windows\system\rundll32.exe
  PID: 2440
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
- C:\Users\Admin\AppData\Local\Temp\f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f763d94277d59808962be33b86df067190ee9b6b80f603b5c24ff6dccef4d9d1.exe"
  PID: 1396
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 82KB
  MD5: ce87292fb44ac8033a35ebd492775641
  SHA1: 5ba7d005a290ec6ab3eb507a861af97ef9cda2d6
  SHA256: b15e73df74cc6f9867b83a295f4d26650639670991906b111c226e75d6912156
  SHA512: d13e7b589935862723ea18484dc7ef8ab1a7febf586c27604401cc2b6f43dbdb2c8cd74246be85afb9721b23463d3de759f377ac7a8961e8c82b4db75cc7a126
- Filesize: 82KB
  MD5: baafcdcab3b0dc2d2af8cb707681eaba
  SHA1: 12d86bd25c189f489b074e54ebbacb9655a5a43f
  SHA256: 95d0d03f3ad4258cf1ceac43417b7e43fddae309670d8cd4cffe3b89c2fed879
  SHA512: 7fe0c6d46df52be0918a59243fc60f79807b50c16396e872ea8f654c2ca00fa99178ddc1c4ed46266d28be4b10650e30a5a8d76e30bb5372fc0f20ad71bcca07