2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74

General

Target

2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
Size

74KB
MD5

4771cffe19e2018f976be1065d387922
SHA1

81dfb0ca6db479819dbf4bd09245489adc51053d
SHA256

2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74
SHA512

78250c723a4df089b2d9789aa33c38d6d59f483ad84cfd46633878f337d2bc479eea0e4096a1c0fd5f4474e5dba9a2eb2f9d1ebf5b92d22501f668bfe08b57fd
SSDEEP

768:agO5xRYi+SfSWHHNvvG5bnl/NqNwsKVDstHxYD0p1aXKynF0vQmYZS0HdJnfWOSa:RshfSWHHNvoLqNwDDGw02eQmh0HjWOSa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\¢«.exe	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
File created	C:\Windows\SysWOW64\¢«.exe	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
File opened for modification	C:\Windows\SysWOW64\notepad¢¬.exe	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
File created	C:\Windows\SysWOW64\notepad¢¬.exe	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\rundll32.exe	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
File opened for modification	C:\Windows\system\rundll32.exe	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1697265844"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1697265844"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2632	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
2632	rundll32.exe
2632	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2632	2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe	29
PID 2204 wrote to memory of 2632	2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe	29
PID 2204 wrote to memory of 2632	2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe	29
PID 2204 wrote to memory of 2632	2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe	29
PID 2204 wrote to memory of 2632	2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe	29
PID 2204 wrote to memory of 2632	2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe	29
PID 2204 wrote to memory of 2632	2204	2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe	29

C:\Users\Admin\AppData\Local\Temp\2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe
"C:\Users\Admin\AppData\Local\Temp\2790c68a9f9158ada1db2a2640c195e0b7a4df31a0f3cced8f7420bbc0ba2c74.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\system\rundll32.exe
  C:\Windows\system\rundll32.exe
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\notepad¢¬.exe

Filesize
74KB

MD5
91ae4ec3059f806cf2c8916c0691511c

SHA1
e5711bbd5c61d698d6f70c20311e55d212cff276

SHA256
1033e6c6b8be1511b84c4243065ea74d90912a6a5cd62a83a18904d8ec40009d

SHA512
c3d66a2dd19c95b3543b99be9eec88c0b534d8702e8cc6eb52c11ae229a2825198ad2457c31be88974f723d5377c093035a6f92e7e8ed8b3cd7cda61d38c9885

Download Submit
C:\Windows\system\rundll32.exe

Filesize
81KB

MD5
42100762227b1180e2b45796ebb4728a

SHA1
7a0af6ae3bbaa3aa94cf03d60849c6ddee7472e1

SHA256
35eeea253d0632349941e0ea98a0df28a8eafe89266920b399b553a3fa2a0f5f

SHA512
83b5882bacabbdecec550a23970800b27f6b259dfa07a84e6793707acfcacb1a1b6c98e6704acea73b8d548c6b4a880d989f7a57530b5a6a4026b781cb070dd1

Download Submit
C:\Windows\system\rundll32.exe

Filesize
81KB

MD5
42100762227b1180e2b45796ebb4728a

SHA1
7a0af6ae3bbaa3aa94cf03d60849c6ddee7472e1

SHA256
35eeea253d0632349941e0ea98a0df28a8eafe89266920b399b553a3fa2a0f5f

SHA512
83b5882bacabbdecec550a23970800b27f6b259dfa07a84e6793707acfcacb1a1b6c98e6704acea73b8d548c6b4a880d989f7a57530b5a6a4026b781cb070dd1

Download Submit
\Windows\system\rundll32.exe

Filesize
81KB

MD5
42100762227b1180e2b45796ebb4728a

SHA1
7a0af6ae3bbaa3aa94cf03d60849c6ddee7472e1

SHA256
35eeea253d0632349941e0ea98a0df28a8eafe89266920b399b553a3fa2a0f5f

SHA512
83b5882bacabbdecec550a23970800b27f6b259dfa07a84e6793707acfcacb1a1b6c98e6704acea73b8d548c6b4a880d989f7a57530b5a6a4026b781cb070dd1

Download Submit
\Windows\system\rundll32.exe

Filesize
81KB

MD5
42100762227b1180e2b45796ebb4728a

SHA1
7a0af6ae3bbaa3aa94cf03d60849c6ddee7472e1

SHA256
35eeea253d0632349941e0ea98a0df28a8eafe89266920b399b553a3fa2a0f5f

SHA512
83b5882bacabbdecec550a23970800b27f6b259dfa07a84e6793707acfcacb1a1b6c98e6704acea73b8d548c6b4a880d989f7a57530b5a6a4026b781cb070dd1

Download Submit
memory/2204-0-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download
memory/2204-12-0x0000000000350000-0x0000000000366000-memory.dmp

Filesize
88KB

Download
memory/2204-19-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download
memory/2204-20-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/2632-21-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads