0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3

General

Target

0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
Size

78KB
MD5

a18ef1557c74f5fa7a50a32f67c0e15d
SHA1

c23664f9712031f0600b034f5ee9cf52bf78d797
SHA256

0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3
SHA512

ad3442e56b3777d7136ed79805fd84058d20faad32a6274d5a2255b77921f3e40004e8026c6c6f7416511b4ce416e30ded25e529a2e6799028efebc261e88faf
SSDEEP

1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOe/R:GhfxHNIreQm+HiB/R

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2332	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\notepad¢¬.exe	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
File created	C:\Windows\SysWOW64\notepad¢¬.exe	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
File opened for modification	C:\Windows\SysWOW64\¢«.exe	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
File created	C:\Windows\SysWOW64\¢«.exe	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\rundll32.exe	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
File created	C:\Windows\system\rundll32.exe	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717367635"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717367635"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2332	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
2332	rundll32.exe
2332	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2332	1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe	28
PID 1732 wrote to memory of 2332	1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe	28
PID 1732 wrote to memory of 2332	1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe	28
PID 1732 wrote to memory of 2332	1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe	28
PID 1732 wrote to memory of 2332	1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe	28
PID 1732 wrote to memory of 2332	1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe	28
PID 1732 wrote to memory of 2332	1732	0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe	28

C:\Users\Admin\AppData\Local\Temp\0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe
"C:\Users\Admin\AppData\Local\Temp\0ad918282c4ec42deec0ba3b7865a766668ca00e9ea6cde60ca01449761573b3.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\system\rundll32.exe
  C:\Windows\system\rundll32.exe
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\notepad¢¬.exe

Filesize
80KB

MD5
5055c27af01f34f95062a5377c850f2f

SHA1
697f1028961089edd4ec218103770f39d6a8fd8e

SHA256
e277557071b71820eb1dcbdd79af317f9962a765e5062f9f7c4c055a35ba0c83

SHA512
dd6054f623f7fa9d3fff3871aadccddc3a02e3c71e8f8675744125be19b53d7a1459c30ef28fe5e8a612ced7d876a959eafdc2144623fd93d79311c9ef862b47

Download Submit
\Windows\system\rundll32.exe

Filesize
77KB

MD5
9122a029d28f147c98d9e7d08ab6cb75

SHA1
a0fee9ac62a7e10415d3096f2b0c75bba1036959

SHA256
ed0015027eee610ebc27cc035a9d9c90c9147852ebacdd1f3f007e86a3d1ae96

SHA512
c6226988094b83e48db5ce3e2f38cc2fa594e610d796efd93733c86858b7390efd9ec73987073425ed1a21b098af8e49d8a4c9f169c0a593d006072d5c8ac005

Download Submit
memory/1732-0-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download
memory/1732-18-0x0000000000360000-0x0000000000376000-memory.dmp

Filesize
88KB

Download
memory/1732-17-0x0000000000360000-0x0000000000376000-memory.dmp

Filesize
88KB

Download
memory/1732-21-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download
memory/1732-22-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/2332-19-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads