Analysis

Max time kernel:  149s
Max time network: 119s
Platform:         windows7_x64
Resource:         win7-20231129-en
Resource tags:    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
Submitted:        24-05-2024 04:03
Tasks

Static task: static1

Behavioral task: behavioral1
  Sample:   080160dd85cd01890dd29e96706a2f49ca3b357e8f7982979276bf49a3c93a45.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample:   080160dd85cd01890dd29e96706a2f49ca3b357e8f7982979276bf49a3c93a45.exe
  Resource: win10v2004-20240426-en
General

Target: 080160dd85cd01890dd29e96706a2f49ca3b357e8f7982979276bf49a3c93a45.exe
Size:   79KB
MD5:    6fd16bfbd0390ea031dd5ba8508efc14
SHA1:   6e0d26250ba565e84a830f0e1042aad466864f16
SHA256: 080160dd85cd01890dd29e96706a2f49ca3b357e8f7982979276bf49a3c93a45
SHA512: 01b822aebfb2fe90a1e944df6c40cfdd75c1d252d92aa5bc3b62a08262446c4f6b1aace06232fdffdd850ba3292db88049e7cb2fd4ce6cb212e1be4968e2450d
SSDEEP: 1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOZG7No:GhfxHNIreQm+HiqG7No
Malware Config
Signatures

In the IoC lines below, "sample" denotes 080160dd85cd01890dd29e96706a2f49ca3b357e8f7982979276bf49a3c93a45.exe (PID 2028) and "rundll32.exe" denotes the dropped C:\Windows\system\rundll32.exe (PID 1616), not the legitimate System32 binary.

Executes dropped EXE (1 IoC)
  Processes: rundll32.exe
  - PID 1616  rundll32.exe

Loads dropped DLL (2 IoCs)
  Processes: sample
  - PID 2028  sample (2 events)

Modifies system executable filetype association (2 TTPs, 5 IoCs)
  Processes: sample, rundll32.exe
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"     (sample)
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  (sample)
  - Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                  (rundll32.exe)
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  (rundll32.exe)
  - Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                  (sample)
  Note: "%1" %* is the stock default for exefile\shell\open\command. Two values are written here: the default and a hijacked form that prepends "¢«", so with the latter in place every .exe launched through the shell is started via the dropped C:\Windows\SysWOW64\¢«.exe. "¢«" and "¢¬" are how the sandbox rendered non-ASCII characters in the dropped file names; the on-disk bytes may differ.

Drops file in System32 directory (4 IoCs)
  Processes: sample
  - File opened for modification  C:\Windows\SysWOW64\notepad¢¬.exe  (sample)
  - File created                  C:\Windows\SysWOW64\notepad¢¬.exe  (sample)
  - File opened for modification  C:\Windows\SysWOW64\¢«.exe         (sample)
  - File created                  C:\Windows\SysWOW64\¢«.exe         (sample)

Drops file in Windows directory (2 IoCs)
  Processes: sample
  - File opened for modification  C:\Windows\system\rundll32.exe  (sample)
  - File created                  C:\Windows\system\rundll32.exe  (sample)

Modifies registry class (15 IoCs)
  Processes: rundll32.exe, sample
  - Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                  (rundll32.exe)
  - Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                  (sample)
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"  (sample)
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  (rundll32.exe)
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"  (sample)
  - Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1716523432"               (rundll32.exe)
  - Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1716523432"                  (rundll32.exe)
  - Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"                        (rundll32.exe)
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"  (rundll32.exe)
  - Key created      \REGISTRY\MACHINE\Software\Classes\MSipv                                       (sample)
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"     (sample)
  - Key created      \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command                  (sample)
  - Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  (sample)
  - Key created      \REGISTRY\MACHINE\Software\Classes\MSipv                                       (rundll32.exe)
  - Key created      \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command                  (rundll32.exe)
  Note: the stock default for txtfile\shell\open\command is %SystemRoot%\system32\NOTEPAD.EXE %1; the "notepad¢¬ %1" value redirects .txt opens to the dropped C:\Windows\SysWOW64\notepad¢¬.exe. HKLM\SOFTWARE\Classes\MSipv is not a Windows key: MainSetup and MainUp hold 1716523432, which is Unix epoch time for 2024-05-24 04:03:52 UTC, the time of this run, so the key acts as an infection-time marker and is a useful host indicator.

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: sample
  - PID 2028  sample (14 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: rundll32.exe
  - PID 1616  rundll32.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: sample, rundll32.exe
  - PID 2028  sample
  - PID 1616  rundll32.exe (2 events)

Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: sample
  - PID 2028 (sample) wrote to memory of PID 1616 (rundll32.exe), 7 events
Processes

1. C:\Users\Admin\AppData\Local\Temp\080160dd85cd01890dd29e96706a2f49ca3b357e8f7982979276bf49a3c93a45.exe  (PID 2028)
   Command line: "C:\Users\Admin\AppData\Local\Temp\080160dd85cd01890dd29e96706a2f49ca3b357e8f7982979276bf49a3c93a45.exe"
   - Loads dropped DLL
   - Modifies system executable filetype association
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system\rundll32.exe  (PID 1616, child of PID 2028)
      Command line: C:\Windows\system\rundll32.exe
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Windows\SysWOW64\notepad¢¬.exe
  Filesize: 77KB
  MD5:    7f44595ee1b39eb062b267ed56a568d7
  SHA1:   d85a6d0b50809b3d20b3c4de548799804c716918
  SHA256: 72a566cfeba7a7b092c7f25ca5de046929e46faf1fa76f3fb897ac4176e5f430
  SHA512: 020037a465d0d640cd86692acf7b859e92ff394302ddef6437e08cd3ffd8acfdbe63ac075bdd55b48031c4b9e5f8da332bc05184005b3968e00560beb23949ff

- \Windows\system\rundll32.exe
  Filesize: 80KB
  MD5:    e69349495cad6be5ac0f7c874c6a8c7e
  SHA1:   c8d7923c68406854240990de4c6dd7a47d616dd2
  SHA256: ca6e4117680f9e6bbeef0e6862890c436afa10dba19562b7fa520d75c08e145b
  SHA512: ed1c57cf3f724b6d7b20d87a71737120ff3229c8dfcc42b341a81c00b7bc0d18811213a02a1422b4e508fcd1d053fbf0cc7a5740289cde26f872d6befa94a527

Memory dumps

- memory/1616-19-0x0000000000400000-0x0000000000415A00-memory.dmp  Filesize: 86KB
- memory/2028-0-0x0000000000400000-0x0000000000415A00-memory.dmp   Filesize: 86KB
- memory/2028-17-0x00000000003A0000-0x00000000003B6000-memory.dmp  Filesize: 88KB
- memory/2028-16-0x00000000003A0000-0x00000000003B6000-memory.dmp  Filesize: 88KB
- memory/2028-21-0x0000000000400000-0x0000000000415A00-memory.dmp  Filesize: 86KB
- memory/2028-22-0x00000000003A0000-0x00000000003A2000-memory.dmp  Filesize: 8KB
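Host triage check (added here as an example; it is not part of the sandbox report and not code from the sample). The script below looks on a live Windows host for the indicators the report lists: the hijacked exefile/txtfile shell\open\command values, the HKLM\SOFTWARE\Classes\MSipv marker key, executables dropped into C:\Windows\system and SysWOW64, and a running rundll32.exe whose image is outside System32/SysWOW64. The SHA256 values come from the Downloads section above. Assumptions that are not in the report: the "expected" default command strings are those of a stock Windows 7/10 install (adjust if your image legitimately changes them); C:\Windows\system normally contains no .exe files; and because "¢«"/"¢¬" are the sandbox's rendering of non-ASCII file-name characters, dropped files are matched on "name contains non-ASCII" rather than on those exact characters.

```powershell
# Added host-triage script (not part of the sandbox report).
# Run from an elevated PowerShell 5.1+ prompt on the host under investigation.
# Assumptions (not from the report): stock default association strings,
# no legitimate .exe in C:\Windows\system, non-ASCII match for dropped names.

$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# --- 1. File-association hijack (exefile / txtfile shell\open\command) -------
$expected = @{
    exefile = '"%1" %*'                               # assumed stock default
    txtfile = '%SystemRoot%\system32\NOTEPAD.EXE %1'  # assumed stock default
}
foreach ($cls in $expected.Keys) {
    $path = "HKLM:\SOFTWARE\Classes\$cls\shell\open\command"
    $key  = Get-Item -LiteralPath $path
    if (-not $key) { $findings.Add("Missing key: $path"); continue }
    # Read the unexpanded default value so %SystemRoot% is compared literally.
    $raw = $key.GetValue('', '', 'DoNotExpandEnvironmentNames')
    if ($raw -ne $expected[$cls]) {
        $findings.Add("Association hijack: $path = [$raw] (expected [$($expected[$cls])])")
    }
}

# --- 2. Marker key written by the dropped rundll32.exe ----------------------
# MainSetup / MainUp hold Unix epoch seconds (1716523432 in the report, i.e.
# the time of the sandbox run); MainVer held 506.
$marker = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Classes\MSipv'
if ($marker) {
    foreach ($name in 'MainSetup', 'MainUp') {
        $v = $marker.$name
        if ($v) {
            $utc = [DateTimeOffset]::FromUnixTimeSeconds([int64]$v).UtcDateTime
            $findings.Add("Marker HKLM\SOFTWARE\Classes\MSipv\$name = $v ($utc UTC)")
        }
    }
    if ($marker.MainVer) {
        $findings.Add("Marker HKLM\SOFTWARE\Classes\MSipv\MainVer = $($marker.MainVer)")
    }
}

# --- 3. Dropped files -------------------------------------------------------
# SHA256 values taken from the report's Downloads section.
$knownBad = @(
    'ca6e4117680f9e6bbeef0e6862890c436afa10dba19562b7fa520d75c08e145b'  # \Windows\system\rundll32.exe
    '72a566cfeba7a7b092c7f25ca5de046929e46faf1fa76f3fb897ac4176e5f430'  # SysWOW64\notepad¢¬.exe
)
$candidates = @(
    # Any .exe in C:\Windows\system: the legitimate rundll32.exe lives only in
    # System32 and SysWOW64.
    Get-ChildItem -LiteralPath "$env:SystemRoot\system" -Filter *.exe -File
    # .exe files in System32/SysWOW64 whose name contains non-ASCII characters,
    # as the dropped notepad variant and the "¢«" proxy do.
    Get-ChildItem -LiteralPath "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64" -Filter *.exe -File |
        Where-Object { $_.Name -match '[^\x00-\x7F]' }
)
foreach ($f in $candidates) {
    $h   = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash.ToLower()
    $tag = if ($knownBad -contains $h) { 'KNOWN-BAD' } else { 'SUSPICIOUS' }
    $findings.Add("$tag file: $($f.FullName) sha256=$h")
}

# --- 4. rundll32.exe running from an unexpected image path ------------------
Get-Process -Name rundll32 | ForEach-Object {
    if ($_.Path -and $_.Path -notmatch '\\Windows\\(System32|SysWOW64)\\rundll32\.exe$') {
        $findings.Add("rundll32.exe running from unexpected path: $($_.Path) (PID $($_.Id))")
    }
}

if ($findings.Count -eq 0) { 'No indicators from this report found.' } else { $findings }
```

A clean host prints nothing but the final line. A hit on check 1 is the most consequential: while exefile\shell\open\command points at the proxy, launching any program through the shell also runs the dropped binary, so restore the default value before removing the file, or the file association breaks and every .exe launch fails.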