Analysis
-
max time kernel
151s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
21-05-2024 19:17
Static task
static1
Behavioral task
behavioral1
Sample
c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe
Resource
win10v2004-20240508-en
General
-
Target
c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe
-
Size
86KB
-
MD5
984a8b4ee6f5425191eeda95b1df5171
-
SHA1
bc86ab126d2e4bde6844cff5a7a03dcccec09be8
-
SHA256
c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68
-
SHA512
b988b89aa9d542b9457941f2d4da3a7e457e5ec89eaecebc4a09cd0075ac92a6390d145cc17d7751c4832f2fe13dbf2640b1f7fff18497e5673c9de76f1f104e
-
SSDEEP
1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOVKbvVQFv2B9d:GhfxHNIreQm+HiuKbvVQFv2B9d
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2492 rundll32.exe -
Loads dropped DLL 2 IoCs
pid Process 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe -
Modifies system executable filetype association 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\SysWOW64\notepad¢¬.exe c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe File opened for modification C:\Windows\SysWOW64\¢«.exe c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe File created C:\Windows\SysWOW64\¢«.exe c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system\rundll32.exe c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe File created C:\Windows\system\rundll32.exe c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe -
Modifies registry class 15 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\MSipv c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1716319086" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe Key created \REGISTRY\MACHINE\Software\Classes\MSipv rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1716319086" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2492 rundll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 2492 rundll32.exe 2492 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1280 wrote to memory of 2492 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 28 PID 1280 wrote to memory of 2492 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 28 PID 1280 wrote to memory of 2492 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 28 PID 1280 wrote to memory of 2492 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 28 PID 1280 wrote to memory of 2492 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 28 PID 1280 wrote to memory of 2492 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 28 PID 1280 wrote to memory of 2492 1280 c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe"C:\Users\Admin\AppData\Local\Temp\c1b6d7387401e6e4646d9f13fa2b89c04e1871461f206335d37408fa21378a68.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\system\rundll32.exeC:\Windows\system\rundll32.exe2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2492
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
81KB
MD536b5dfbbdbde459a5e066ae0f0ee820d
SHA1ef2dd2f980389ef03c47470cdd11b8b10f96a8c8
SHA2563542608f44aaef00dc6f42b1d8b9f239554317bdd47a73b6aae235e5375f93af
SHA512b29459ec1d1a84df3ffb86b40b527890f958c3d1429db45114f70b6171978f35d8c2c2b21c09a8fae5d6bacb03f57e2fa526da4c43a4f7f4d42ac49b42d6462a
-
Filesize
73KB
MD5a553c813d4d021c9f7853985a0b0eb92
SHA1f0a22bb6af386a15747b8418c269ec55cbf3e6a3
SHA256a132b776ef84775e242136254f57901fd0021b25bd1e0809e0be1454a4908f99
SHA51222e11765fc3a355ae163a2c2442705b700c45e3742bb527f9c466d02b7dc7a59837d8bc44c12916c9397633b1235056829ba4c8ec2f5ea781dfefbef8b2812d9