Analysis Overview
SHA256
a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4f
Threat Level: Shows suspicious behavior
The file a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 17:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 17:08
Reported
2024-11-13 17:10
Platform
win7-20241010-en
Max time kernel
120s
Max time network
19s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1731517704" | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "505" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1731517704" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe
"C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe"
C:\Windows\system\rundll32.exe
C:\Windows\system\rundll32.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.zigui.org | udp |
| HK | 103.251.237.123:80 | www.zigui.org | tcp |
Files
memory/392-0-0x0000000000400000-0x0000000000415000-memory.dmp
\Windows\system\rundll32.exe
| Hash | Value |
|---|---|
| MD5 | e02d0e86a207232603172aead7387f45 |
| SHA1 | 4cab36575800cd925ec2176951e83ec9b0f0f337 |
| SHA256 | e29db7b4bcbd9b8ca8d2e7fb807f19c6eab1798c480825f14e4c6e4cefe59a29 |
| SHA512 | eefbd41376b75d613af240f424773b2362c9412abd0ebb80a928c73d4f11a1754c247c0cc2793d16c0a0c557286888a0ed8f1564f90b712cd0fefd3a6d8601bc |
memory/392-10-0x00000000002D0000-0x00000000002E5000-memory.dmp
memory/392-13-0x0000000000400000-0x0000000000415000-memory.dmp
memory/392-14-0x00000000002D0000-0x00000000002D6000-memory.dmp
memory/3012-15-0x0000000000400000-0x0000000000415000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 17:08
Reported
2024-11-13 17:10
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1731517700" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1731517700" | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "505" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A |
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 540 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | C:\Windows\system\rundll32.exe |
| PID 540 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | C:\Windows\system\rundll32.exe |
| PID 540 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | C:\Windows\system\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe
"C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe"
C:\Windows\system\rundll32.exe
C:\Windows\system\rundll32.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.zigui.org | udp |
| HK | 103.251.237.123:80 | www.zigui.org | tcp |
| US | 8.8.8.8:53 | 123.237.251.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/540-0-0x0000000000400000-0x0000000000415000-memory.dmp
C:\Windows\System\rundll32.exe
| Hash | Value |
|---|---|
| MD5 | e8664173cc9c33eba109d9b84de4bb54 |
| SHA1 | dc3e3eecc8452538fb0cd1efe962d11d8ba09fde |
| SHA256 | c329fa2185f1e1c304f3dd80aedee6c716ccf54e4e7c3dc3908c72c91fbcf5a0 |
| SHA512 | 41dd45d8c0f20ed97c871d9166a59b91451058a7dff1d13703a1f897ec8dc7dcd3b366b594ecfc077da717a795776cf95a8a546bc56dacbf31f88d44b367d3b4 |
memory/540-7-0x0000000000400000-0x0000000000415000-memory.dmp
memory/1864-8-0x0000000000400000-0x0000000000415000-memory.dmp