Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 13/06/2024, 02:43
Static task: static1
Behavioral task: behavioral1
    Sample: debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    Resource: win7-20240508-en
Behavioral task: behavioral2
    Sample: debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    Resource: win10v2004-20240611-en
General
Target: debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
Size: 75KB
MD5: c2672cc8a0c8768f6ea091e42f7090c3
SHA1: 1f5c218fdc3a3361fa5d70d44aefc28ab1f52ec7
SHA256: debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07
SHA512: 05c9f9c5ac5400a66da70e2b0921368e5a7bc4a2451480b7d26ab8748b8c558dc3b93a81fcf194fffa6f0a09b468d4024aa056ca1dd44a21bf47429db8cd4b14
SSDEEP: 768:agO5xRYi+SfSWHHNvvG5bnl/NqNwsKVDstHxYD0p1aXKynF0vQmYZS0HdJnfWO:RshfSWHHNvoLqNwDDGw02eQmh0HjWO
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
    pid   Process
    2832  rundll32.exe
- Loads dropped DLL (2 IoCs)
    pid   Process
    2232  debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    2232  debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
- Modifies system executable filetype association (2 TTPs, 5 IoCs)
    description      | ioc                                                                                     | Process
    Key created      | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                          | debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"           | debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"        | debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    Key created      | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                          | rundll32.exe
    Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"        | rundll32.exe
- Drops file in System32 directory (4 IoCs)
    description                   | ioc                                  | Process
    File created                  | C:\Windows\SysWOW64\notepad¢¬.exe    | debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    File opened for modification  | C:\Windows\SysWOW64\¢«.exe           | debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    File created                  | C:\Windows\SysWOW64\¢«.exe           | debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    File opened for modification  | C:\Windows\SysWOW64\notepad¢¬.exe    | debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
- Drops file in Windows directory (2 IoCs)
    description                   | ioc                             | Process
    File opened for modification  | C:\Windows\system\rundll32.exe  | debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    File created                  | C:\Windows\system\rundll32.exe  | debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
- Modifies registry class (15 IoCs)
    description      | ioc                                                                                     | Process
    Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"           | debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"      | debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    Set value (int)  | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718246601"                         | rundll32.exe
    Set value (int)  | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"                               | rundll32.exe
    Key created      | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                          | rundll32.exe
    Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"        | rundll32.exe
    Key created      | \REGISTRY\MACHINE\Software\Classes\MSipv                                               | debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    Key created      | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command                          | debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"        | debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"        | debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    Key created      | \REGISTRY\MACHINE\Software\Classes\MSipv                                               | rundll32.exe
    Set value (int)  | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718246601"                      | rundll32.exe
    Key created      | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command                          | rundll32.exe
    Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"        | rundll32.exe
    Key created      | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                          | debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
    pid   Process
    2232  debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe  (same entry repeated 14 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    pid   Process
    2832  rundll32.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
    pid   Process
    2232  debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    2832  rundll32.exe
    2832  rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
    description                        | pid   | Process                                                               | procid_target
    PID 2232 wrote to memory of 2832   | 2232  | debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe | 28
    (same entry repeated 7 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe"
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2232
    - C:\Windows\system\rundll32.exe
        Command line: C:\Windows\system\rundll32.exe
        - Executes dropped EXE
        - Modifies system executable filetype association
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        PID: 2832
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 83KB
    MD5: d3ed63e83b90d972a8ecb094a0bc52e2
    SHA1: 859645f509242477d96c5a55883081d0c7581824
    SHA256: 47a3b04479e56bece397c54f17e0f074826dac3c87c12152499a507f9458b365
    SHA512: 9a9362489e856ebb855fc32d6eb9164f4c9442f716d6d8bf0f67ff9b71848192880903b5111a9a2cdcc5d509412fc555d3a2452b5ac8adc27b78c0d61a22ceea
- Filesize: 80KB
    MD5: abf7f5e63c94118c62ae73c3f49a3c86
    SHA1: cf628e4b04ea812a5278f8aa8909879156883f44
    SHA256: 08575ec182c665c9961b98db7cd18725f1a34bac08462ca47cc7f956134a0dd4
    SHA512: 8955433a5dbd97453f38ccc03d2f973be3dbc91dd3ada684e4b9f7741961a41b22084be69b4215fdb02c5467ab15172a492e05ebec506f2e4edf909ebabea540