Analysis Overview
SHA256
8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d
Threat Level: Shows suspicious behavior
The file 8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Modifies system executable filetype association
Executes dropped EXE
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:24
Reported
2024-11-10 01:26
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1731201860" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1731201860" | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3908 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | C:\Windows\system\rundll32.exe |
| PID 3908 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | C:\Windows\system\rundll32.exe |
| PID 3908 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | C:\Windows\system\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe
"C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe"
C:\Windows\system\rundll32.exe
C:\Windows\system\rundll32.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.zigui.org | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| HK | 103.251.237.123:80 | www.zigui.org | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.237.251.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/3908-0-0x0000000000400000-0x0000000000415A00-memory.dmp
C:\Windows\SysWOW64\notepad¢¬.exe
| MD5 | 1f137999f26f9f4106c348d85b331085 |
| SHA1 | e4b1085033204e610d07aa61cfcb34aa00ac4c5c |
| SHA256 | e6a4ff63ffca1eebefde1becbef4ea7e346b250a4f95c3a4dd3c9915bb6f92d8 |
| SHA512 | f6fabee492d15a853281e2513b7475b589207751a0e337e1659f3f1df8019219f012288f50e6085eb8a655dcbd1e91048023176627ccfbc25ca7e9800ad33938 |
C:\Windows\System\rundll32.exe
| MD5 | 577f9239ab95bb65a8b46d3c76ae74e3 |
| SHA1 | ee1980f2039840eab0a57cb0cf497c0db99f2b1a |
| SHA256 | 55c1f7e0a76d5cbb79ae6d04dd8cd0deba25c1d558966efbe89da2b42677626c |
| SHA512 | e264cfcc2bc962a31dfd16982708f1989d19ae302e17bc40591687f4d1c968fe127ae074adb5486ce7c18f0dd9c63039b830f7e47a8e97f3671955dc0b00d570 |
memory/3908-13-0x0000000000400000-0x0000000000415A00-memory.dmp
memory/1636-14-0x0000000000400000-0x0000000000415A00-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:24
Reported
2024-11-10 01:26
Platform
win7-20240903-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1731201861" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1731201861" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A |
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe
"C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe"
C:\Windows\system\rundll32.exe
C:\Windows\system\rundll32.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.zigui.org | udp |
| HK | 103.251.237.123:80 | www.zigui.org | tcp |
Files
memory/1812-0-0x0000000000400000-0x0000000000415A00-memory.dmp
C:\Windows\SysWOW64\notepad¢¬.exe
| MD5 | 35d232fb56785272aae6a0a0879784ba |
| SHA1 | 710a78346c4ceb5c703a2d245a53392f8a1b7982 |
| SHA256 | a25e61ad853a4dd72f3c264576c9ddab6f6ff68b677f6fa1e2369389100ee1bf |
| SHA512 | 280a9b01b3e30ce2b9260a1b5e7726f34e736a46b841768034474d8f43755a0ce289c513ebedc65b9f0f1e2f635dc0d40025f408bee343f8a99182026420b494 |
\Windows\system\rundll32.exe
| MD5 | 9a897e548be4d89468effd151062bbba |
| SHA1 | b4d6641ade55e4f3d2ddb8c86eec1d1a0083aa8b |
| SHA256 | ba58b65ce44c1e1f71674b58cc3f63e2d0120b2bd3f5db532bb828fd96d01998 |
| SHA512 | 1fd67ee39ef0a34cbcfcc759072017e920fa7c4e7aee663a34651ad9c44cff9003e758035c1049421e98b1116656133e19df754b5a3fd771f8d9a2da558a891e |
memory/1812-11-0x0000000000270000-0x0000000000286000-memory.dmp
memory/1812-20-0x0000000000270000-0x0000000000272000-memory.dmp
memory/1812-19-0x0000000000400000-0x0000000000415A00-memory.dmp
memory/2484-21-0x0000000000400000-0x0000000000415A00-memory.dmp