Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-04-2024 22:18
Static task: static1
Behavioral task: behavioral1
- Sample: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe
- Resource: win10v2004-20240419-en
General
- Target: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe
- Size: 84KB
- MD5: 965696ab0556f35508631bd45dc75e76
- SHA1: c44973344f8aa94228cc5623bd21faa20d42b2bb
- SHA256: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226
- SHA512: 71ebf8d8c391630f7fe1d6673dfe046e1fb1a23392c72ffa4776256cb9d0ea8232cda7cb897e72b82e1caae2ebc470533213e1c5a23e1bac1284eb707111625d
- SSDEEP: 1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOJAfYs:GhfxHNIreQm+HiyAfYs
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 1972, process rundll32.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  - pid 1196, process 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe
  - pid 1196, process 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe
- Modifies system executable filetype association (2 TTPs, 5 IoCs)
  Processes: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe, rundll32.exe
  - Key created: \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command (process: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" (process: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" (process: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe)
  - Key created: \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command (process: rundll32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" (process: rundll32.exe)
- Drops file in System32 directory (4 IoCs)
  Processes: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe
  - File created: C:\Windows\SysWOW64\¢«.exe (process: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe)
  - File opened for modification: C:\Windows\SysWOW64\notepad¢¬.exe (process: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe)
  - File created: C:\Windows\SysWOW64\notepad¢¬.exe (process: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe)
  - File opened for modification: C:\Windows\SysWOW64\¢«.exe (process: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe
  - File opened for modification: C:\Windows\system\rundll32.exe (process: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe)
  - File created: C:\Windows\system\rundll32.exe (process: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe)
- Modifies registry class (15 IoCs)
  Processes: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe, rundll32.exe
  - Key created: \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command (process: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe)
  - Key created: \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command (process: rundll32.exe)
  - Key created: \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command (process: rundll32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" (process: rundll32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" (process: rundll32.exe)
  - Key created: \REGISTRY\MACHINE\Software\Classes\MSipv (process: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe)
  - Key created: \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command (process: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe)
  - Key created: \REGISTRY\MACHINE\Software\Classes\MSipv (process: rundll32.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1714256331" (process: rundll32.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" (process: rundll32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" (process: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" (process: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1714256331" (process: rundll32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" (process: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" (process: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  - pid 1196, process 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe (14 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - pid 1972, process rundll32.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
  - pid 1196, process 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe
  - pid 1972, process rundll32.exe
  - pid 1972, process rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
  - PID 1196 wrote to memory of 1972: 0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe -> rundll32.exe (7 identical entries)
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0dcdb9db02b4e2e9982c7565ed9217a1b8b13dd49aaf2ec47bb824ad1f68c226.exe"
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - 2. C:\Windows\system\rundll32.exe (child of process 1)
    Command line: C:\Windows\system\rundll32.exe
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\SysWOW64\notepad¢¬.exe
  Filesize: 82KB
  MD5: 2ff6b60e04b1448f25b5f3a83eab4afb
  SHA1: b6cd2d8f0c7d07303a2a1f96c3ad168cfa071b29
  SHA256: d4ff5318df4e288ff9c71c689231ae30fc8643a87a979b2aaa653112bd17b7bf
  SHA512: 19026d5d243f5aed87c3247a153d5effbe78d67b66e45ba873c8702e4dcfd6b209a8562af289cd3dce381df9dabcdd8779b61df9b2c651a2e7ecdd0a3560fc99
- \Windows\system\rundll32.exe
  Filesize: 77KB
  MD5: 05b547b18267b7c5f25ab9c9c7b58271
  SHA1: bd41b168404f039a997b203ea46b4ec4f924a272
  SHA256: 16209409ae9b2d6e78b8ae7160dc576a721f95bbac89feef074cb9203866654b
  SHA512: d5aea5e8df15e98dbf2d27590a4d28bc790364568829655b2b2a0fabd7c30a7069799d7201eb4bdd97130d0a5880871640ffbb9d3ff886ba61cceb3ee740801a
- memory/1196-0-0x0000000000400000-0x0000000000415A00-memory.dmp
  Filesize: 86KB
- memory/1196-11-0x0000000000240000-0x0000000000256000-memory.dmp
  Filesize: 88KB
- memory/1196-18-0x0000000000240000-0x0000000000256000-memory.dmp
  Filesize: 88KB
- memory/1196-20-0x0000000000400000-0x0000000000415A00-memory.dmp
  Filesize: 86KB
- memory/1196-21-0x0000000000240000-0x0000000000246000-memory.dmp
  Filesize: 24KB