99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0

General

Target

99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
Size

81KB
MD5

2db75a8265b2780013c32aa1d2c9d5b2
SHA1

fe6ab18ea9159a167969f1abcba3d546a470d822
SHA256

99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0
SHA512

297920e5a514f3d0972fd4d9e36de1b88a9b37d98966df32891cfc5be55d35674bd1338274a2633074cd823ff5c130db900d5ba4a8287d82f9026c78e973f4f9
SSDEEP

1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOn5PakC:GhfxHNIreQm+HiM5PakC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2344	rundll32.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notepad¢¬.exe	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
File opened for modification	C:\Windows\SysWOW64\¢«.exe	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
File created	C:\Windows\SysWOW64\¢«.exe	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
File opened for modification	C:\Windows\SysWOW64\notepad¢¬.exe	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\rundll32.exe	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
File created	C:\Windows\system\rundll32.exe	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1714044111"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1714044111"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2344	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
2344	rundll32.exe
2344	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2344	1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe	91
PID 1244 wrote to memory of 2344	1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe	91
PID 1244 wrote to memory of 2344	1244	99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe	91

C:\Users\Admin\AppData\Local\Temp\99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe
"C:\Users\Admin\AppData\Local\Temp\99e7205e41d6f191e6ce862ad5e398b60f4c4aaeb7e2f70320e8cb6ab71cafb0.exe"
1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\system\rundll32.exe
  C:\Windows\system\rundll32.exe
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\notepad¢¬.exe

Filesize
75KB

MD5
732a16c7d5d004ace08dda9c7bbb12c7

SHA1
6e36bc1c51e5d954b36d84c33275fd5fa23dc08a

SHA256
cff1f2e8a834abea0294f6c98dc030d0cd62608c4cd8ea1f6ba9e693ce4f7b0f

SHA512
f7355e2f8326d10fd4ab3f6df0a2a8af3e73475447c56a8c867c83e3c6ac799a9e318591fb7691bf573968335d255b3f9bd6dc871de825bdc183b4818f0875be

Download Submit
C:\Windows\System\rundll32.exe

Filesize
82KB

MD5
31b8c302c148134d49fc97360190e6f4

SHA1
83e51776b76918b61d780f20f25666276d52c2d1

SHA256
b407e4fd5b7f66ba3cf1bfe19edfac8b9075101d6dfde0af32b5ad70812f4dec

SHA512
994851f17a1babb556ef5beb0f6f5e144e37ed8457ca6c0eb5dfa34bc1345300b00d0fd6d92d93df8b6b1a11511678a0110ad1c62e6a80fbd05d45ab37d0d3b2

Download Submit
memory/1244-0-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download
memory/1244-13-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads