a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed

General

Target

a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
Size

74KB
MD5

978576743f2a276a4135309d27eed78a
SHA1

99f5698a81bf0c8ad36d8a9be9e78bc7df232c8c
SHA256

a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed
SHA512

b64c01f8b474840f7bde048673af3300a0c745c618af8a5e48e29d4b169f165837aaa1a0c75053f3e723cc421f922923a49a47e0e2c800b9af40df9d6f28f4f2
SSDEEP

768:agO5xRYi+SfSWHHNvvG5bnl/NqNwsKVDstHxYD0p1aXKynF0vQmYZS0HdJnfWOt:RshfSWHHNvoLqNwDDGw02eQmh0HjWOt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4396	rundll32.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\¢«.exe	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
File opened for modification	C:\Windows\SysWOW64\notepad¢¬.exe	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
File created	C:\Windows\SysWOW64\notepad¢¬.exe	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
File opened for modification	C:\Windows\SysWOW64\¢«.exe	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\rundll32.exe	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
File created	C:\Windows\system\rundll32.exe	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1715494669"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1715494669"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4396	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
4396	rundll32.exe
4396	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 4396	3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe	85
PID 3064 wrote to memory of 4396	3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe	85
PID 3064 wrote to memory of 4396	3064	a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe	85

C:\Users\Admin\AppData\Local\Temp\a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe
"C:\Users\Admin\AppData\Local\Temp\a32bfce426f88e24220482c7ec763c56b6b3b3ba2935e41286d8f8a234e896ed.exe"
1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\system\rundll32.exe
  C:\Windows\system\rundll32.exe
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\notepad¢¬.exe

Filesize
78KB

MD5
a71dcc5101aea05c07ca3fd3c5253ded

SHA1
93204a1e528ca90733f846b4b2f2474d80a0ffc2

SHA256
dc5f40207b86b87e9126fe117f54c3da2a0b3bf7ebfabdafacdb257d8bb4b154

SHA512
e485b1a2c221bda57fa97142b5ea85b21a3eb3a02e0f96c51703efd4b6c02468df850e23b48cdd981fa692ce3f65cf5516b90e958de68b12a69051bfb51d110d

Download Submit
C:\Windows\System\rundll32.exe

Filesize
79KB

MD5
1b1156cbf432d2c63098defb1606ca9f

SHA1
568a62c0ae093a47b1d5b0807edce0582e02b008

SHA256
238eaba4341fb635df8ce23dbfbd80277873a0949f187c8c0031a186f5eef81f

SHA512
51aa3027fe8e1aa4feff1e66c51d2815ea1e2adfa8937bd2084cc71275da7b79710ad4af2ffb8c553ff7a15d2d0a0cde578d4ff1765692affd9a1587bdd06cb2

Download Submit
memory/3064-0-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download
memory/3064-13-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads