Analysis
-
max time kernel
149s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09/06/2024, 07:32
Static task
static1
Behavioral task
behavioral1
Sample
afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe
Resource
win10v2004-20240508-en
General
-
Target
afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe
-
Size
86KB
-
MD5
32c1d5f7d725aadb8f435d8f47aed08c
-
SHA1
4bfa5783f61a998c52b6435e97ea5ccc7740a3f9
-
SHA256
afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1
-
SHA512
02c1766baa4dc877efa5397138cab996bb0866037dc36060d3697601c717faeab8f386bef00ff8abd1892e5a310f603eabbf79ee99ae7d5c9fa7872aec201664
-
SSDEEP
1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOOE0SIIeokYMM:GhfxHNIreQm+HiFE0SIIeokYMM
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4192 rundll32.exe -
Modifies system executable filetype association 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\SysWOW64\notepad¢¬.exe afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe File opened for modification C:\Windows\SysWOW64\¢«.exe afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe File created C:\Windows\SysWOW64\¢«.exe afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system\rundll32.exe afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe File created C:\Windows\system\rundll32.exe afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe -
Modifies registry class 15 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe Key created \REGISTRY\MACHINE\Software\Classes\MSipv rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717918476" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\MSipv afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717918476" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" rundll32.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4192 rundll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 4192 rundll32.exe 4192 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4504 wrote to memory of 4192 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 92 PID 4504 wrote to memory of 4192 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 92 PID 4504 wrote to memory of 4192 4504 afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe"C:\Users\Admin\AppData\Local\Temp\afc22d19136f9db671708293e114ab529bde5a3e0c3a5dce7e5e904d5ad3c8d1.exe"1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\system\rundll32.exeC:\Windows\system\rundll32.exe2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=4132 /prefetch:81⤵PID:4080
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74KB
MD57b1174853b33e1bfa2685549e5cc9709
SHA1201ef34017ce7e11447c2d049d264ccc6affca97
SHA256534a602e65f9587d6e0c781cea915a39444e28e14d5e626c43f3152d2c2a7777
SHA512bfc4a2ff12ed5b83b8dc0101666686b78e68da1c928975d3836203bbfbf4b06cd0712c7dfe38ae5d2484de4001e873334767d659ad4ab5eb0f0d0de00e842c8c
-
Filesize
73KB
MD50ac150839f3ada246b57b0b9f0905226
SHA116465d767f2adb22ec4c02c4096f09fd9583ce44
SHA256820e55052079ecaae51e0a45595ab397f62f6a5f852b4030627a1a69f184d0ab
SHA5129327e93edb33623f867ee78cb43f8839e49dfb54e164f36f5f601eac66bcd3fcda9b51544479d92977f5ec9e609518de4f8d103c836a64d5261372688180f9c3