Analysis
- max time kernel: 149s
- max time network: 53s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/06/2024, 11:29
Static task: static1
Behavioral task: behavioral1
- Sample: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe
- Resource: win10v2004-20240508-en
General
- Target: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe
- Size: 76KB
- MD5: eca85181731ad667480575c6dd398c62
- SHA1: 00748dbf4300d1df5a1f492c2e8ba7c281bfa276
- SHA256: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667
- SHA512: 6587c4f417f35f950d0ebea05811b92307b4d54acb833bb8133263cc9a3da187466a632f6f51f91c576a5e0c95a50846479fab69059699cd44e15b5b95e5fbda
- SSDEEP: 1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOH7r:GhfxHNIreQm+HiS7r
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  - pid 364, process rundll32.exe
- Modifies system executable filetype association (2 TTPs, 5 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" [process: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe]
  - Key created: \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command [process: rundll32.exe]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" [process: rundll32.exe]
  - Key created: \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command [process: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" [process: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe]
- Drops file in System32 directory (4 IoCs)
  - File opened for modification: C:\Windows\SysWOW64\¢«.exe [process: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe]
  - File created: C:\Windows\SysWOW64\¢«.exe [process: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe]
  - File opened for modification: C:\Windows\SysWOW64\notepad¢¬.exe [process: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe]
  - File created: C:\Windows\SysWOW64\notepad¢¬.exe [process: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe]
- Drops file in Windows directory (2 IoCs)
  - File opened for modification: C:\Windows\system\rundll32.exe [process: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe]
  - File created: C:\Windows\system\rundll32.exe [process: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe]
- Modifies registry class (15 IoCs)
  - Key created: \REGISTRY\MACHINE\Software\Classes\MSipv [process: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe]
  - Key created: \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command [process: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" [process: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe]
  - Key created: \REGISTRY\MACHINE\Software\Classes\MSipv [process: rundll32.exe]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" [process: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe]
  - Key created: \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command [process: rundll32.exe]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" [process: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe]
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718105382" [process: rundll32.exe]
  - Key created: \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command [process: rundll32.exe]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" [process: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe]
  - Key created: \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command [process: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe]
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718105382" [process: rundll32.exe]
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" [process: rundll32.exe]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" [process: rundll32.exe]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" [process: rundll32.exe]
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  - pid 2216, process 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe (28 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - pid 364, process rundll32.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  - pid 2216, process 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe
  - pid 364, process rundll32.exe
  - pid 364, process rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 2216 wrote to memory of 364 [process: 54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe, procid_target 85] (3 identical entries)
Processes
- "C:\Users\Admin\AppData\Local\Temp\54eead1de8bd27ec7af94eb47732a0a14f00122c592e25f4774b694c49f62667.exe" (PID 2216)
  - Modifies system executable filetype association
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\system\rundll32.exe (PID 364)
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 76KB
  - MD5: a5da74734020f0ec6dcd3222d6ec7358
  - SHA1: 128477a0f2080738cf4a23c5ac846b1952c29174
  - SHA256: a0d0cc13e9672703008ae8f50a1f1f08dbc02a5ba1b03ceb3222f8bf4d500912
  - SHA512: a268b17942d9dce97f97f6aa92de81aefbd52350d3a47981fb889b8672cf23565987a29fda45611e00698961cab75d8a787859662ce866ae9f13b19a7337589f
- Filesize: 73KB
  - MD5: 6ce9ed5aba586c099ebec3d94fc72cdc
  - SHA1: 19990bc3d470cc43ba6fad0f4c76fb0c1cdd9f77
  - SHA256: 26586035b57c9dc0ad48d94a0a860de6fdfc93331bb000cd26f288ad25e3c6b1
  - SHA512: 3e3d57df3646bf362681a165086a37ab16d5d4fa98e5d8e0ad24fc99dfda617ea72ac392b722cf43a472671758b66ac7410e42e6d85da7adb6dec065d8f69779