Analysis
-
max time kernel
149s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
02/06/2024, 22:29
Static task
static1
Behavioral task
behavioral1
Sample
b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe
Resource
win10v2004-20240426-en
General
-
Target
b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe
-
Size
79KB
-
MD5
83c5ae72482d3aa72b5823112d32cbfc
-
SHA1
01a6734fa5d5670df0497381814734a0f286f558
-
SHA256
b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5
-
SHA512
ba72d4278b33a5c20525c5700771d079c2a4fa395a96a1bc7c8652cdc1a230731811eb71bd9ea591a2a691e7810539c270ac1e1d5e6880418e4dec7306e976e1
-
SSDEEP
1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOhEbGY:GhfxHNIreQm+Hi2EbGY
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2184 rundll32.exe -
Loads dropped DLL 2 IoCs
pid Process 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe -
Modifies system executable filetype association 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe File created C:\Windows\SysWOW64\notepad¢¬.exe b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe File opened for modification C:\Windows\SysWOW64\¢«.exe b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe File created C:\Windows\SysWOW64\¢«.exe b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system\rundll32.exe b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe File created C:\Windows\system\rundll32.exe b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe -
Modifies registry class 15 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717367376" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717367376" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\MSipv b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe Key created \REGISTRY\MACHINE\Software\Classes\MSipv rundll32.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2184 rundll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 2184 rundll32.exe 2184 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2212 wrote to memory of 2184 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 28 PID 2212 wrote to memory of 2184 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 28 PID 2212 wrote to memory of 2184 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 28 PID 2212 wrote to memory of 2184 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 28 PID 2212 wrote to memory of 2184 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 28 PID 2212 wrote to memory of 2184 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 28 PID 2212 wrote to memory of 2184 2212 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe"C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\system\rundll32.exeC:\Windows\system\rundll32.exe2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2184
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
77KB
MD56ba3cf39be4af62f811912156223ea81
SHA1e147c0254960904fb54819211e9666a9f6ea8880
SHA256b0944f12b410b975c2e72679ff8a0861e7d4241e174329c1d4e963b61833a5ff
SHA5128f78ec2d67f391ea3cd8f0c000dadb05f694e0c77e9877f9b1c02359a06e2a18f75214aa448a65fa235b4447e01905631ca6c6fce3d178a474d3c57a5fe507e6
-
Filesize
79KB
MD5b846ce3e10670783e8c659359b562740
SHA1cff45bd289880ee180dbdd1c157e1a5274fcb831
SHA2566de25fe4b63c8bcb2e427159e756bd9740ab09c24fdb9fae142ad3f8d55fc389
SHA512b7e02a8dfc7bf76c1b84fe969fd6140e21d14092a723e2559ab5e350d0d5440ec807e6d9b90908196a70059ac6c23514e611f923ce81b819316b7bd4ac164f51