Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 02:32
Static task
static1
Behavioral task
behavioral1
Sample
bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe
Resource
win10v2004-20240426-en
General
-
Target
bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe
-
Size
82KB
-
MD5
65fa62a3380c2ce042a21132f8ca8ba3
-
SHA1
09aa217ab7d85e2e72784a87b7b674556f3005d1
-
SHA256
bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923
-
SHA512
7d9e886de557dc19c9d70961fb094ad8e1ee035dce57d3e722a89da01091e8c2bc26fe71a9009081a26c2b1a5f5e49c929c3bb7212ed00af2e7e1cc19d26ffe3
-
SSDEEP
1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWO4BKyRTL:GhfxHNIreQm+HiHBKyRTL
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
rundll32.exepid process 4204 rundll32.exe -
Modifies system executable filetype association 2 TTPs 5 IoCs
Processes:
rundll32.exebc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe -
Drops file in System32 directory 4 IoCs
Processes:
bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exedescription ioc process File opened for modification C:\Windows\SysWOW64\¢«.exe bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe File created C:\Windows\SysWOW64\¢«.exe bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe File created C:\Windows\SysWOW64\notepad¢¬.exe bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe -
Drops file in Windows directory 2 IoCs
Processes:
bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exedescription ioc process File opened for modification C:\Windows\system\rundll32.exe bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe File created C:\Windows\system\rundll32.exe bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe -
Modifies registry class 15 IoCs
Processes:
rundll32.exebc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe Key created \REGISTRY\MACHINE\Software\Classes\MSipv rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1716517980" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1716517980" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\MSipv bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exepid process 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
rundll32.exepid process 4204 rundll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exerundll32.exepid process 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe 4204 rundll32.exe 4204 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exedescription pid process target process PID 740 wrote to memory of 4204 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe rundll32.exe PID 740 wrote to memory of 4204 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe rundll32.exe PID 740 wrote to memory of 4204 740 bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe"C:\Users\Admin\AppData\Local\Temp\bc80481e94a11a1f646b77948158a7407338fb1485ecffbeae32a1084d20f923.exe"1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system\rundll32.exeC:\Windows\system\rundll32.exe2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\notepad¢¬.exeFilesize
77KB
MD5495e7e1bd32dfd8286509864437f5b38
SHA1f2e612485d62f0295e649aad5375ea6dd05b98ed
SHA2567f64fc521808c574d6395eda8b228f6168f9bbd56c42aca2bc457696b1488c74
SHA51275d27b6c39b40726d996b57a68fa40c064893596372875d5af3cf70c0d6e3603b8251dd9ccd85d81d70abbfea014dcebc7a4fc11d68d110181a30f6fb3091cb5
-
C:\Windows\system\rundll32.exeFilesize
74KB
MD5075c6c0e0c66c62934d98ceb528295ea
SHA1fb61bcd15aabaf151074d1302f79b12097308958
SHA256f8aa534b66cba7ec0c16d9178aac0d6921eadce4bbcca392d075470371994c9b
SHA51229f64271f98d6d212d3fd5c0886bef3ff0e0abdc0bd7af1fb12bbfa5a91c51125c1083810d990b0ee5a639bb22b38f370b4b7c66d13488056c7afa417f7d31db
-
memory/740-0-0x0000000000400000-0x0000000000415A00-memory.dmpFilesize
86KB
-
memory/740-14-0x0000000000400000-0x0000000000415A00-memory.dmpFilesize
86KB
-
memory/4204-13-0x0000000000400000-0x0000000000415A00-memory.dmpFilesize
86KB