45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6

General

Target

45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
Size

84KB
MD5

498ddf09a13b0c0633399c4361d31291
SHA1

05c2cdedf6dc06267e21235f2a43ac4be3d7ae77
SHA256

45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6
SHA512

73d43ccdcda28b4e30dffb0f1ac24aac811fe3e9fabb0f04ce7a43b7189c31fa71f4d5471e1a097ff6f6cebb434845167bad12695a49ec83b38c1fc12ff8b520
SSDEEP

1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOqf0hj2O/P:GhfxHNIreQm+HiZf0hj2O/P

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2988	rundll32.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notepad¢¬.exe	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
File opened for modification	C:\Windows\SysWOW64\¢«.exe	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
File created	C:\Windows\SysWOW64\¢«.exe	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
File opened for modification	C:\Windows\SysWOW64\notepad¢¬.exe	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\rundll32.exe	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
File created	C:\Windows\system\rundll32.exe	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1716778357"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1716778357"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
2988	rundll32.exe
2988	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 2988	3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe	84
PID 3076 wrote to memory of 2988	3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe	84
PID 3076 wrote to memory of 2988	3076	45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe	84

C:\Users\Admin\AppData\Local\Temp\45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe
"C:\Users\Admin\AppData\Local\Temp\45317b68ea8fab22336de147359519f3a7c972550002d05e3ab9169ea35586f6.exe"
1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\system\rundll32.exe
  C:\Windows\system\rundll32.exe
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\notepad¢¬.exe

Filesize
83KB

MD5
9b24dab3b936ab52c1c4a8d560a708df

SHA1
cfdc7384e668989c55fdc980990164daa1766912

SHA256
da3508a393838aa2d0464a90041fd35e8165464c2a1e15e0c6dab7336cbfce53

SHA512
5684f49b5ac6bd7431035a4affe549e3e163dc80316bfe0ccfb1f2c35bda6e897a865eb406f350487feb7003f554581407b7e2cfd90327e0e11b8d5c448cbe8b

Download Submit
C:\Windows\System\rundll32.exe

Filesize
79KB

MD5
2b96d96553e15a70025ba6f23e3fc83d

SHA1
7596b44d9becebce338e7d8246f6db375711e499

SHA256
e37eeff9ff3837153981ff6208bb7e38dcf4158f3ad61ab2920d1e4c63b8c40e

SHA512
f386e5e69f7d9357f8a58eda90eaa2da145474721c952902efe71dfead75f46553a9c95fad083fce78accff89d9e0a5ee4f98a34c5cd5a1e0887204acbe70f25

Download Submit
memory/3076-0-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download
memory/3076-13-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads