Analysis
- max time kernel: 150s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/05/2024, 15:11
Static task: static1
Behavioral task: behavioral1
- Sample: b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
- Resource: win10v2004-20240426-en
General
- Target: b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
- Size: 79KB
- MD5: 7fcf79e3698a9029027ef6a73d2a62bb
- SHA1: 72dea85fca455f8d3a6d7bb449a32bc5ef5bcd7c
- SHA256: b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3
- SHA512: 5fc8f888e8a6b7e0d5bf77126cb3f1171c21bd332a7ee8677c6d42bf38469b27a015190d605587c535a57948f7f7304445cd2df2517c7e224139895cfa845f4f
- SSDEEP: 1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOW2gg0:GhfxHNIreQm+Hih2gg0
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid | Process
  1280 | rundll32.exe
Modifies system executable filetype association (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | rundll32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\¢«.exe | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
  File created | C:\Windows\SysWOW64\¢«.exe | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
  File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
  File created | C:\Windows\SysWOW64\notepad¢¬.exe | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system\rundll32.exe | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
  File created | C:\Windows\system\rundll32.exe | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
Modifies registry class (15 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | rundll32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | rundll32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1716995502" | rundll32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | rundll32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | rundll32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1716995502" | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | rundll32.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid | Process
  1412 | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe (all 28 rows report this same pid and process)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1280 | rundll32.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  1412 | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
  1280 | rundll32.exe
  1280 | rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1412 wrote to memory of 1280 | 1412 | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe | 85
  PID 1412 wrote to memory of 1280 | 1412 | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe | 85
  PID 1412 wrote to memory of 1280 | 1412 | b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe | 85
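Reading the registry signatures together: `HKLM\SOFTWARE\Classes\exefile\shell\open\command` is the handler the shell uses to start any .exe, and its stock value is `"%1" %*` (run the file itself with its arguments). Prepending `¢«` makes every program launch go through the dropped `C:\Windows\SysWOW64\¢«.exe`, which receives the real target as its first argument; likewise `txtfile` pointed at `notepad¢¬` routes every .txt open through the dropped `C:\Windows\SysWOW64\notepad¢¬.exe`. The `rundll32.exe` in the process tree lives in `C:\Windows\system`, not `System32` or `SysWOW64` where the Windows binary resides, so it is the dropped file, not the system tool. The `MSipv\MainSetup` and `MainUp` values, 1716995502, decode as a Unix timestamp to 2024-05-29 15:11:42 UTC, the submission time, so the key records install time.

The following checker is an added example and is not part of the sandbox report or the sample. It classifies the handler values recorded above against the stock Windows 10 defaults (assumed to be `"%1" %*` and `%SystemRoot%\system32\NOTEPAD.EXE %1`), derives the launcher names to hunt for on disk, decodes the timestamps, and, on Windows, can read the live HKLM keys; the verdict labels are this example's own.

```python
"""Audit Windows shell\\open\\command handlers for the file-association hijack
recorded in this report.

Added example, not part of the sandbox output. REPORT_VALUES is copied from the
"Modifies registry class" signature; STOCK_COMMANDS assumes a clean Windows 10.
"""
import sys
from datetime import datetime, timezone

# Stock handler command per ProgID on a clean Windows 10 install (assumption).
STOCK_COMMANDS = {
    "exefile": '"%1" %*',
    "txtfile": "%SystemRoot%\\system32\\NOTEPAD.EXE %1",
}
# Program the stock handler runs, lower-case without extension. For exefile the
# "launcher" is the target itself, i.e. the %1 placeholder.
EXPECTED_LAUNCHER = {"exefile": "%1", "txtfile": "notepad"}

# Handler values written by the sample and its dropped rundll32.exe (from the report).
REPORT_VALUES = [
    ("exefile", '"%1" %*'),
    ("exefile", '¢« "%1" %*'),
    ("txtfile", "notepad.exe %1"),
    ("txtfile", "notepad¢¬ %1"),
]


def split_command(command):
    """Split a handler string on whitespace, honouring double quotes.

    Handler strings are not POSIX shell syntax: backslashes are path separators,
    not escapes, so shlex would mangle them.
    """
    tokens, current, in_quotes = [], "", False
    for ch in command:
        if ch == '"':
            in_quotes = not in_quotes
            current += ch
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append(current)
                current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def launcher_name(token):
    """Reduce a command token to a comparable program name: strip quotes, any
    directory prefix and a trailing .exe, then lower-case."""
    name = token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    if name.lower().endswith(".exe"):
        name = name[:-4]
    return name.lower()


def classify(progid, command):
    """Return (verdict, launcher) for one handler value.

    ok          - identical to the stock command
    nonstandard - runs the expected program, but not by its stock full path
                  (resolved via PATH search, so still worth a look)
    hijacked    - another program is inserted in front of the user's file
    """
    tokens = split_command(command)
    if not tokens:
        return ("hijacked", "")
    if command == STOCK_COMMANDS[progid]:
        return ("ok", None)
    if launcher_name(tokens[0]) == EXPECTED_LAUNCHER[progid]:
        return ("nonstandard", tokens[0])
    return ("hijacked", tokens[0])


def audit(values=REPORT_VALUES):
    """Classify every (progid, command) pair -> [(progid, command, verdict, launcher)]."""
    return [(p, c, *classify(p, c)) for p, c in values]


def hijacked_launchers(values=REPORT_VALUES):
    """Names of foreign launchers found, i.e. the files to hunt for on disk.
    For the report values this is {'¢«', 'notepad¢¬'}, matching the two files
    the sample dropped into C:\\Windows\\SysWOW64."""
    return {launcher_name(l) for _, _, v, l in audit(values) if v == "hijacked"}


def decode_msipv_timestamp(value):
    """MSipv\\MainSetup and MainUp hold a Unix epoch; 1716995502 is the
    sandbox submission time, 2024-05-29 15:11:42 UTC."""
    ts = datetime.fromtimestamp(int(value), tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S UTC")


def read_live_handlers():
    """On Windows, read the live HKLM handlers for the same ProgIDs. A per-user
    override under HKCU\\Software\\Classes would also apply; this sticks to the
    HKLM keys the report names. Returns [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    for progid in STOCK_COMMANDS:
        path = rf"SOFTWARE\Classes\{progid}\shell\open\command"
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                value, _ = winreg.QueryValueEx(key, "")  # "" = the (Default) value
        except OSError:
            continue
        found.append((progid, value))
    return found


if __name__ == "__main__":
    for progid, command, verdict, launcher in audit(read_live_handlers() or REPORT_VALUES):
        extra = f"  launcher={launcher}" if launcher else ""
        print(f"{progid:8} {verdict:12} {command!r}{extra}")
```

Run off Windows it audits the report's values; on a Windows host it audits the live keys instead. Remediation for a `hijacked` verdict is to write the stock command back and remove the launcher binary the verdict names, and to check `HKCU\Software\Classes` for the same ProgIDs, since the merged HKCR view prefers the per-user key.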
Processes
1. C:\Users\Admin\AppData\Local\Temp\b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b7afb20f3628a9e1670afd0cf423d39e1c2947d8b1872e50521fbdcd6cb718b3.exe"
   PID: 1412
   - Modifies system executable filetype association
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system\rundll32.exe (child of PID 1412)
      Command line: C:\Windows\system\rundll32.exe
      PID: 1280
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 73KB
  MD5: dcbebb2e811ae86cbfd669c63a3d2d57
  SHA1: 961f3a853fdd2a7053399e74163c3697a6d31b33
  SHA256: f29b608c6c6b0a0bee415c0af071104ba1f7b672cda9852a0a75b2c951b5ed1d
  SHA512: 8b753ce64b553c3966d8e4f15a7002612737da47a9d74022693b10894e88811ad379dc361a4c7ed13a198f5b96e660e90b496a1f277161951aacc72f722f5639
- Filesize: 74KB
  MD5: 5f5cf48876551ffaff525622c9e10988
  SHA1: cd61d0d425dda3ba3fc3b3f811abcc11e85b7291
  SHA256: 06e09d55073abff03676368630a57a72bb093f064b4ceed4a0e4f6f369eae959
  SHA512: 2df2a68fded477bb23ea082f043e48c565ae20c5f3fc588859e2bb4800d5949b0cac94f39caa8fee5644eed03bbf0f1ab3a239f723e748738aaabc071ff9748c