162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6

General

Target

162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
Size

76KB
MD5

412b6af01f6f2bc9e9a51c59ccdf3011
SHA1

9971ee02504e2a839158cfe35bf734a7bca58825
SHA256

162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6
SHA512

41a2a1ea4cc0c1d9b2d77f65ca462899c29b9ca090a163073a7aa2e46fe159f5053aac92c0520b23ec9b3928509680356cb9ef90b20230f50ccf552ed4c5b3a5
SSDEEP

1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOaTh:GhfxHNIreQm+Hi3Th

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
620	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\¢«.exe	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
File created	C:\Windows\SysWOW64\¢«.exe	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
File opened for modification	C:\Windows\SysWOW64\notepad¢¬.exe	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
File created	C:\Windows\SysWOW64\notepad¢¬.exe	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\rundll32.exe	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
File created	C:\Windows\system\rundll32.exe	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1697278065"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1697278065"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
620	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
620	rundll32.exe
620	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 292 wrote to memory of 620	292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe	28
PID 292 wrote to memory of 620	292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe	28
PID 292 wrote to memory of 620	292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe	28
PID 292 wrote to memory of 620	292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe	28
PID 292 wrote to memory of 620	292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe	28
PID 292 wrote to memory of 620	292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe	28
PID 292 wrote to memory of 620	292	162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe	28

C:\Users\Admin\AppData\Local\Temp\162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe
"C:\Users\Admin\AppData\Local\Temp\162aab9f88fdc5b7a2d7bd8820800ecdf5dfc31dd63fb60118c63d5aee001dc6.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:292
- C:\Windows\system\rundll32.exe
  C:\Windows\system\rundll32.exe
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\notepad¢¬.exe

Filesize
75KB

MD5
eff1f504165e2a1d8a7fb07a3f4d802f

SHA1
31d61ae2c7ee53dd7ae6c86c779cbefd84c8c74e

SHA256
0d3c59fdbb66ad092e85752f49ea9161f492a92880e218ede0dc8f960a9b911e

SHA512
1a26b6e90cd70dabf56be7f9317b4fb38bbaebc900851f06128b06b1ebb9aa56da51aee2305b50cf4006609a4f930abe8d90e1a9d5f94918026599d7af24aede

Download Submit
C:\Windows\system\rundll32.exe

Filesize
80KB

MD5
e52bf6271afa20cfd7eca3931cc46110

SHA1
152dee7397174d7e7f79c90651ca6cde9d72df19

SHA256
cf7194daefc6f4d626a9d221cf22877b81b54d0ab4a57e646943b2db9e626060

SHA512
c437c710957ec2e23b4029e76d039f27260f04102214c9d388662f3315e191ad420a9384f1cdc6ea6541167ce81aa8751398a1e2a089a83626b89bd0f6bd9acc

Download Submit
C:\Windows\system\rundll32.exe

Filesize
80KB

MD5
e52bf6271afa20cfd7eca3931cc46110

SHA1
152dee7397174d7e7f79c90651ca6cde9d72df19

SHA256
cf7194daefc6f4d626a9d221cf22877b81b54d0ab4a57e646943b2db9e626060

SHA512
c437c710957ec2e23b4029e76d039f27260f04102214c9d388662f3315e191ad420a9384f1cdc6ea6541167ce81aa8751398a1e2a089a83626b89bd0f6bd9acc

Download Submit
\Windows\system\rundll32.exe

Filesize
80KB

MD5
e52bf6271afa20cfd7eca3931cc46110

SHA1
152dee7397174d7e7f79c90651ca6cde9d72df19

SHA256
cf7194daefc6f4d626a9d221cf22877b81b54d0ab4a57e646943b2db9e626060

SHA512
c437c710957ec2e23b4029e76d039f27260f04102214c9d388662f3315e191ad420a9384f1cdc6ea6541167ce81aa8751398a1e2a089a83626b89bd0f6bd9acc

Download Submit
\Windows\system\rundll32.exe

Filesize
80KB

MD5
e52bf6271afa20cfd7eca3931cc46110

SHA1
152dee7397174d7e7f79c90651ca6cde9d72df19

SHA256
cf7194daefc6f4d626a9d221cf22877b81b54d0ab4a57e646943b2db9e626060

SHA512
c437c710957ec2e23b4029e76d039f27260f04102214c9d388662f3315e191ad420a9384f1cdc6ea6541167ce81aa8751398a1e2a089a83626b89bd0f6bd9acc

Download Submit
memory/292-0-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download
memory/292-11-0x0000000000290000-0x00000000002A6000-memory.dmp

Filesize
88KB

Download
memory/292-19-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download
memory/292-20-0x0000000000290000-0x0000000000292000-memory.dmp

Filesize
8KB

Download
memory/620-21-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads