9a99b25e5c1aa1daa2a85663b3a0484270e25b5b5c37a858fe60846004ff0e69

Analysis

max time kernel
115s
max time network
121s
platform
windows10_x64
resource
win10
submitted
07/07/2020, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Size

2.7MB
MD5

72f82cf0435efedf72cfd61dcb042835
SHA1

4ff19af08851dac48c06a3945ad8dfa21ccd5d3b
SHA256

9a99b25e5c1aa1daa2a85663b3a0484270e25b5b5c37a858fe60846004ff0e69
SHA512

f9aac05bb8cd04e412ccebacff6c16355c2cb2c5a98ef8b6378e926e881d7f92c3925b60fae251756d0c6b275b595d55bb7cfe534a2e2b7bb1dc8746a73d0cb4

Score

7^/10

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe

Loads dropped DLL 4 IoCs

pid	Process
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3224	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe

Modifies registry class 62 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\CLSID\ = "{EBEB87A4-E151-4054-AB45-A6E094C5334B}"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary.Inner	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary.Inner\ = "QMDispatch.QMLibrary.Inner"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A5-E151-4054-AB45-A6E094C5334B}\InprocHandler32\ = "ole32.dll"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A5-E151-4054-AB45-A6E094C5334B}\ProgID	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\InprocHandler32\ = "ole32.dll"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A5-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary.Inner"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary.Inner\CLSID	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A5-E151-4054-AB45-A6E094C5334B}\InprocHandler32	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\qmacro\\qdisp.dll"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\CLSID	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A5-E151-4054-AB45-A6E094C5334B}\LocalServer32	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A5-E151-4054-AB45-A6E094C5334B}	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\qmacro\\qdisp.dll"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A5-E151-4054-AB45-A6E094C5334B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SECURI~1.EXE"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A5-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary.Inner"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\InprocHandler32	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SECURI~1.EXE"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\qmacro\\qdisp.dll"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMFunction"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\ = "QMDispatch.QMFunction"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\ProgID	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMFunction"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\LocalServer32	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary.Inner\CLSID\ = "{EBEB87A5-E151-4054-AB45-A6E094C5334B}"	SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ulise.105297.4609.13077.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Modifies registry class
PID:3224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3224-0-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download