18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1

General

Target

18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Size

1.1MB
MD5

cf16ad9f901ee7a580b126df8048e0f7
SHA1

f45b8041e0a61f1e16264f00c4c85d29c4d47cca
SHA256

18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1
SHA512

83292d22056028eeecae544f64f123074846a9c30173a4ed0b22bd5a5dcda93248a79984a32f4aa76c4dfffec5e5c96857b3c88a357639348e7b7ca80852109c
SSDEEP

24576:SAkS+8qyb7h9RHyevHQfsXQazAnMMMMMMww5x:SM57h9RH/HUQQa+MMMMMMB

Score

7^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP 压缩文件"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,0"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR 恢复卷"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,1"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe\" \"%1\""	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe\" \"%1\""	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe\" \"%1\""	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR 压缩文件"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,0"	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe

pid process

2928 18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe

pid	process
2928	18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe

C:\Users\Admin\AppData\Local\Temp\18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe
"C:\Users\Admin\AppData\Local\Temp\18ffb028c4ad8495c7220dfcd8b93ee174ef9c45bbbbd1ec7dcffda63069f1f1.exe"
1⤵
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2928-0-0x0000000000CB0000-0x0000000000E37E00-memory.dmp

Filesize
1.5MB

Download
memory/2928-8-0x0000000000CB0000-0x0000000000E37E00-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads