9806e0da9d86f7496c41a2b6f53980df2fdb63427e119cb1ecfcd17829c80c4e

General

Target

4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
Size

76KB
MD5

4ed46275bc3b3a2c22e0ee1717f5ff70
SHA1

5e74bc66a81a0710deb263c42f9e691e561a8efd
SHA256

9806e0da9d86f7496c41a2b6f53980df2fdb63427e119cb1ecfcd17829c80c4e
SHA512

3a6cbefc6fceaadd77d7401cf46c972fed4d95d2199f3caffd9fdcc577da3d3859b27b13c3059a84345de63ab58abf4fce327cd0284fc96ec64fbfa9f78391ac
SSDEEP

1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOsCE:GhfxHNIreQm+HitCE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2520	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\¢«.exe	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
File created	C:\Windows\SysWOW64\¢«.exe	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
File opened for modification	C:\Windows\SysWOW64\notepad¢¬.exe	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
File created	C:\Windows\SysWOW64\notepad¢¬.exe	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\rundll32.exe	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
File created	C:\Windows\system\rundll32.exe	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1721529010"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1721529010"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2520	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
2520	rundll32.exe
2520	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 600 wrote to memory of 2520	600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe	30
PID 600 wrote to memory of 2520	600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe	30
PID 600 wrote to memory of 2520	600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe	30
PID 600 wrote to memory of 2520	600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe	30
PID 600 wrote to memory of 2520	600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe	30
PID 600 wrote to memory of 2520	600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe	30
PID 600 wrote to memory of 2520	600	4ed46275bc3b3a2c22e0ee1717f5ff70N.exe	30

C:\Users\Admin\AppData\Local\Temp\4ed46275bc3b3a2c22e0ee1717f5ff70N.exe
"C:\Users\Admin\AppData\Local\Temp\4ed46275bc3b3a2c22e0ee1717f5ff70N.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:600
- C:\Windows\system\rundll32.exe
  C:\Windows\system\rundll32.exe
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\notepad¢¬.exe

Filesize
80KB

MD5
b0160bd3127bd8eea703c2039329f0c1

SHA1
fd2174db35a7aaf46b28977543dd30fe51dc356a

SHA256
c6a0bd211bf5e2a4085b04fbd148185d229add64d5789b7651a6056d22ba8d97

SHA512
370ce86771e9404ccfdffbf10143de5148c16e76cc071d6eed05acb54d6b4ea1d631de53d5c4b862be72a1cb79d6898531a4e3aa400a3cc228651427fce39d89

Download Submit
\Windows\system\rundll32.exe

Filesize
83KB

MD5
a2dbfccef5f304d6adbb2212a875421e

SHA1
f7c37510972de65482789bf8eaea0d08e163af96

SHA256
1b5d81c8670ee7eb7629e8040add8898305ad17af00fd889a866ddce8ef95fdd

SHA512
d25f2b3fc045fae2f2da74b727c1cd7cd36b2adc7e00e52a06b979d86a7ee43faf1d7a1dce20b0b63956998ebbd5b3788a3e27c22b1691a518341c66e60588de

Download Submit
memory/600-0-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download
memory/600-16-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/600-17-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/600-21-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download
memory/600-22-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2520-20-0x0000000000400000-0x0000000000415A00-memory.dmp

Filesize
86KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads