Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 11/06/2024, 11:29
Static task: static1
Behavioral task: behavioral1
  Sample: 0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  Resource: win10v2004-20240426-en
General
Target: 0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
Size: 74KB
MD5: f8ff948f5691c5708990e9d09d8b1569
SHA1: fc8023073cf8ab2167bef78e2a74b999e297e16f
SHA256: 0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4
SHA512: c8bb5c8f26439246b53d159bf1cd3c0e51f673b593d29855bf256b4374b8610e92a4d64f18a061b36ad692bf67401e8d35b7eebd93351ec8e0fc6e531389e44a
SSDEEP: 768:agO5xRYi+SfSWHHNvvG5bnl/NqNwsKVDstHxYD0p1aXKynF0vQmYZS0HdJnfWO:RshfSWHHNvoLqNwDDGw02eQmh0HjWO
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  PID 2240  rundll32.exe
-
Loads dropped DLL (2 IoCs)
  PID 2288  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe  (2 events)
-
Modifies system executable filetype association (2 TTPs, 5 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command  rundll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  rundll32.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  Note: the stock value of this key is "%1" %*. Prepending ¢« makes the shell launch ¢« (the ¢«.exe written to SysWOW64, see "Drops file in System32 directory") before every .exe the user opens, with the original program and its arguments passed along in "%1" %*. The non-ASCII handler name is shown as the sandbox rendered it.
-
Drops file in System32 directory (4 IoCs)
  File opened for modification  C:\Windows\SysWOW64\¢«.exe  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  File created                  C:\Windows\SysWOW64\¢«.exe  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  File opened for modification  C:\Windows\SysWOW64\notepad¢¬.exe  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  File created                  C:\Windows\SysWOW64\notepad¢¬.exe  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
-
Drops file in Windows directory (2 IoCs)
  File opened for modification  C:\Windows\system\rundll32.exe  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  File created                  C:\Windows\system\rundll32.exe  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  Note: this is C:\Windows\system\, not C:\Windows\System32\; the file shares its name with the legitimate rundll32.exe but is written by the sample.
-
Modifies registry class (15 IoCs)
  Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718105375"  rundll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  rundll32.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command  rundll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\MSipv  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\MSipv  rundll32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718105375"  rundll32.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command  rundll32.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"  rundll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"  rundll32.exe
  Note: the .txt handler is rewritten the same way, to the dropped notepad¢¬.exe; the MSipv key under HKLM\Software\Classes holds three marker values (MainUp, MainSetup, MainVer) written by the dropped rundll32.exe.
-
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID 2288  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe  (14 events)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2240  rundll32.exe
-
Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 2288  0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe
  PID 2240  rundll32.exe  (2 events)
-
Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2288 (0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe) wrote to memory of PID 2240 (rundll32.exe), procid_target 28  (7 events)
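As an added example that is not part of the sandbox report, the Python below parses registry and file IoCs in the flattened form the report prints them, then correlates the rewritten exefile and txtfile shell\open\command handlers with the files created in SysWOW64 and flags the rundll32.exe copy written outside System32/SysWOW64. The IoC strings are a subset copied from the "Modifies registry class" and "Drops file" signatures above, in the report's order; the stock handler values, the watch-list of binary names and the assumption that paths contain no spaces are mine, not the report's.

```python
import re
from collections import defaultdict

# Added example, not code from the sandbox report. IoC strings are copied from the
# report (subset, report order); STOCK_HANDLERS and SYSTEM_BINARIES are assumptions.
SAMPLE = "0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe"

REGISTRY_IOCS = [
    r'Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718105375" rundll32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" ' + SAMPLE,
    r'Key created \REGISTRY\MACHINE\Software\Classes\MSipv ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718105375" rundll32.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" rundll32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" rundll32.exe',
]
FILE_IOCS = [
    r'File created C:\Windows\SysWOW64\¢«.exe ' + SAMPLE,
    r'File created C:\Windows\SysWOW64\notepad¢¬.exe ' + SAMPLE,
    r'File created C:\Windows\system\rundll32.exe ' + SAMPLE,
]

# Windows defaults for the two handlers the sample rewrites (assumption, lower-cased).
STOCK_HANDLERS = {
    r"\registry\machine\software\classes\exefile\shell\open\command": '"%1" %*',
    r"\registry\machine\software\classes\txtfile\shell\open\command": r"%systemroot%\system32\notepad.exe %1",
}
STANDARD_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe"}  # assumed watch-list

REG_RE = re.compile(r'^(Key created|Set value \((?:str|int)\)) (\\REGISTRY\\\S*?)'
                    r'(?: = "((?:[^"\\]|\\.)*)")? (\S+)$')
FILE_RE = re.compile(r'^File (created|opened for modification) (.+?) (\S+)$')

def parse_registry(lines):
    """Split each flattened registry IoC into (operation, key, value, process)."""
    events = []
    for line in lines:
        m = REG_RE.match(line)
        if not m:
            raise ValueError("unrecognised registry IoC: " + line)
        op, key, value, proc = m.groups()
        if value is not None:
            value = re.sub(r'\\(.)', r'\1', value)  # undo the report's \" escaping
        events.append((op, key.rstrip("\\").lower(), value, proc))
    return events

def parse_files(lines):
    """Split each file IoC into (operation, path, process); paths assumed space-free."""
    events = []
    for line in lines:
        m = FILE_RE.match(line)
        if not m:
            raise ValueError("unrecognised file IoC: " + line)
        events.append(m.groups())
    return events

def handler_program(command):
    """Program token of a shell\\open\\command value, i.e. what the shell will launch."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]

def analyse(reg_lines, file_lines):
    findings = []
    writes = defaultdict(list)
    for op, key, value, proc in parse_registry(reg_lines):
        if op.startswith("Set value") and key in STOCK_HANDLERS:
            writes[key].append((value, proc))
    created = {}
    for op, path, _ in parse_files(file_lines):
        if op == "created":
            created[path.rsplit("\\", 1)[-1].lower()] = path
    for key, stock in STOCK_HANDLERS.items():
        if key not in writes:
            continue
        final, proc = writes[key][-1]      # value left behind after the last write
        if final.lower() == stock:
            continue
        prog = handler_program(final)
        name = prog.lower() if prog.lower().endswith(".exe") else prog.lower() + ".exe"
        finding = {"kind": "handler_hijack", "key": key, "value": final,
                   "program": prog, "writes": len(writes[key]), "by": proc}
        if name in created:                # handler resolves to a file the sample dropped
            finding["dropped_file"] = created[name]
        findings.append(finding)
    for name, path in created.items():     # known binary name written outside the system dirs
        if name in SYSTEM_BINARIES and path.rsplit("\\", 1)[0].lower() not in STANDARD_DIRS:
            findings.append({"kind": "masquerade", "path": path})
    return findings

if __name__ == "__main__":
    for finding in analyse(REGISTRY_IOCS, FILE_IOCS):
        print(finding)
```

Running it yields three findings: the exefile handler ends up as ¢« "%1" %* after three writes and resolves to C:\Windows\SysWOW64\¢«.exe, the txtfile handler ends up as notepad¢¬ %1 and resolves to C:\Windows\SysWOW64\notepad¢¬.exe, and C:\Windows\system\rundll32.exe is a rundll32.exe written outside the standard system directories. Keying the comparison on the final value rather than on any single write matters here because the sample first writes the stock value and only then the hijacked one.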
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe  (PID 2288)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe"
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\system\rundll32.exe  (PID 2240, child of 2288)
    Command line: C:\Windows\system\rundll32.exe
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    Note: this child is the rundll32.exe the sample created in C:\Windows\system\ (see "Drops file in Windows directory"), not the legitimate C:\Windows\System32\rundll32.exe; the name is borrowed, the binary is the sample's own.
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 77KB
MD5: 335b7f137403a901c16b114cb38acf90
SHA1: 355b5d4a2e1ac9bb4989f01bcc37bdb758c29f65
SHA256: 91439cd1ba28cddc639fd1f41899bb25f13c40235eb69623a500a72e0f68b785
SHA512: 0c4fd8c41bb4ebffdea051d8065de906679cc5b538f1197d1a68243ac4a9f79909bfe19339f22fbea6c2f3627fe388b0718a9a61317e3fb504a4bb70b4e9c3aa
-
Filesize: 76KB
MD5: dd4bb783e447d964044f2e90eadbe9e5
SHA1: b8f5bce77409c32ceca8bf4fcc031d906c748405
SHA256: 9c390300492552cb421a5d7b2279fd67eca49c25f147061d3af679998ab447b4
SHA512: fb71b6ebd6757d19bddf4a2d8117a8e692076093fc7e3dfe866c94e91c377676252e62b4a00a390cb345ddba7060dfaa82ef41ad959a39123b35c955f17763c4