Analysis
-
max time kernel
146s -
max time network
137s -
platform
windows7_x64 -
resource
win7 -
submitted
25-09-2020 23:09
General
-
Target
sorttable.js.download.js
-
Size
6KB
-
MD5
5df8ca6561930c664aadfcd9173f9a6f
-
SHA1
9025e4033e1a824cad7f13eddb3b5a7dfe54c3c2
-
SHA256
bc002c287bb05794c29ea723082e03f0508231e6f47c0a0050b7ab80dd1add59
-
SHA512
9aef08446911246e219415a51252ab2361a6c560e22adc49590ea812995b3bf9d02c7a9fa386ab270500a0a55af2e2d116640f84b51a4549ee8497764eed81a6
Score
10/10
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 41 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Modifies service 2 TTPs 149 IoCs
-
Drops file in Program Files directory 1684 IoCs
-
Drops file in Windows directory 14 IoCs
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 7 IoCs
-
Modifies data under HKEY_USERS 56 IoCs
-
Modifies registry class 5369 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 1342 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 83 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\sorttable.js.download.js1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Program Files\Windows Sidebar\sidebar\" -ad -an -ai#7zMap1680:92:7zEvent45471⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\mstsc.exe"C:\Windows\system32\mstsc.exe"1⤵
- Enumerates connected drives
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.DefaultPrograms1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5581⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe" -arp:uninstall2⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\program files (x86)\common files\adobe air\versions\1.0\adobe air updater.exe"C:\program files (x86)\common files\adobe air\versions\1.0\adobe air updater.exe" -stdio \\.\pipe\AIR_1072_0 -uninstall3⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies service
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 89C2DE05B2A8A7F38581DC20278CE4AD2⤵
- Loads dropped DLL
-
C:\Windows\Installer\MSIC92F.tmp"C:\Windows\Installer\MSIC92F.tmp" C:\Program Files\Java\jre7\;C;32⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Program Files\Java\jre7\bin\\installer.dll",UninstallJREEntryPoint2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "000000000000054C" "00000000000003A8"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Program Files\Mozilla Firefox\uninstall\helper.exe"C:\Program Files\Mozilla Firefox\uninstall\helper.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\uninstall\uninstaller.exe"C:\Program Files\Mozilla Firefox\uninstall\uninstaller.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Program Files\Mozilla Firefox\uninstall\3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies service
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s /u "C:\Program Files\Mozilla Firefox\AccessibleHandler.dll"4⤵
- Loads dropped DLL
-
C:\Program Files\Mozilla Firefox\default-browser-agent.exe"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" unregister-task 308046B0AF4A39CB4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\uninstall.exe"C:\Program Files (x86)\Mozilla Maintenance Service\uninstall.exe" /S4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_B.exe"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_B.exe" /S _?=C:\Program Files (x86)\Mozilla Maintenance Service\5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" uninstall6⤵
-
C:\Program Files\VideoLAN\VLC\uninstall.exe"C:\Program Files\VideoLAN\VLC\uninstall.exe"1⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Program Files\VideoLAN\VLC\2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s /u "C:\Program Files\VideoLAN\VLC\axvlc.dll"3⤵
-
C:\Windows\system32\regsvr32.exe/s /u "C:\Program Files\VideoLAN\VLC\axvlc.dll"4⤵
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-uninstall.log
-
C:\Program Files\Mozilla Firefox\AccessibleHandler.dll
-
C:\Program Files\Mozilla Firefox\default-browser-agent.exe
-
C:\Program Files\Mozilla Firefox\uninstall\uninstaller.exe
-
C:\Program Files\Mozilla Firefox\uninstall\uninstaller.exe
-
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
-
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
-
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
-
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
-
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_B.exe
-
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_B.exe
-
C:\Windows\Installer\MSIAE5D.tmp
-
C:\Windows\Installer\MSIC8EF.tmp
-
C:\Windows\Installer\MSIC92F.tmp
-
C:\Windows\Installer\MSICBFD.tmp
-
\Program Files\Java\jre7\bin\deploy.dll
-
\Program Files\Java\jre7\bin\installer.dll
-
\Program Files\Java\jre7\bin\installer.dll
-
\Program Files\Java\jre7\bin\installer.dll
-
\Program Files\Java\jre7\bin\installer.dll
-
\Program Files\Java\jre7\bin\wsdetect.dll
-
\Program Files\Mozilla Firefox\AccessibleHandler.dll
-
\Program Files\Mozilla Firefox\uninstall\uninstaller.exe
-
\Users\Admin\AppData\Local\Temp\nsi20AC.tmp\LangDLL.dll
-
\Users\Admin\AppData\Local\Temp\nsi20AC.tmp\System.dll
-
\Users\Admin\AppData\Local\Temp\nsi20AC.tmp\nsDialogs.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\ApplicationID.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\Banner.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\BitsUtils.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\CityHash.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\InstallOptions.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\InstallOptions.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\ServicesHelper.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\ShellLink.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\ShellLink.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\ShellLink.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\ShellLink.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\ShellLink.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\ShellLink.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\ShellLink.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\ShellLink.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\ShellLink.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\ShellLink.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\System.dll
-
\Users\Admin\AppData\Local\Temp\nsiF9F9.tmp\nsExec.dll
-
\Users\Admin\AppData\Local\Temp\nsoF893.tmp\CityHash.dll
-
\Users\Admin\AppData\Local\Temp\nsoF893.tmp\System.dll
-
\Users\Admin\AppData\Local\Temp\nsoF893.tmp\UAC.dll
-
\Users\Admin\AppData\Local\Temp\nstC80.tmp\System.dll
-
\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
-
\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
-
\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_B.exe
-
\Windows\Installer\MSIAE5D.tmp
-
\Windows\Installer\MSIC8EF.tmp
-
\Windows\Installer\MSIC92F.tmp
-
\Windows\Installer\MSICBFD.tmp
-
memory/556-89-0x0000000000000000-mapping.dmp
-
memory/832-160-0x0000000000000000-mapping.dmp
-
memory/880-137-0x0000000000000000-mapping.dmp
-
memory/948-159-0x0000000000000000-mapping.dmp
-
memory/1060-155-0x0000000000000000-mapping.dmp
-
memory/1068-150-0x0000000000000000-mapping.dmp
-
memory/1072-10-0x00000000074D7000-0x00000000074DB000-memory.dmpFilesize
16KB
-
memory/1072-9-0x00000000074B9000-0x00000000074BD000-memory.dmpFilesize
16KB
-
memory/1072-12-0x00000000074EF000-0x00000000074F3000-memory.dmpFilesize
16KB
-
memory/1072-11-0x00000000074E2000-0x00000000074E6000-memory.dmpFilesize
16KB
-
memory/1072-1-0x0000000000000000-mapping.dmp
-
memory/1072-13-0x0000000007532000-0x0000000007536000-memory.dmpFilesize
16KB
-
memory/1072-8-0x000000000723C000-0x0000000007240000-memory.dmpFilesize
16KB
-
memory/1096-46-0x0000000000000000-mapping.dmp
-
memory/1116-142-0x0000000003CA0000-0x0000000003CA1000-memory.dmpFilesize
4KB
-
memory/1116-141-0x0000000003CA0000-0x0000000003CA1000-memory.dmpFilesize
4KB
-
memory/1116-152-0x0000000002C20000-0x0000000002C24000-memory.dmpFilesize
16KB
-
memory/1116-153-0x0000000002820000-0x0000000002824000-memory.dmpFilesize
16KB
-
memory/1116-116-0x0000000002460000-0x0000000002561000-memory.dmpFilesize
1.0MB
-
memory/1116-111-0x0000000000000000-mapping.dmp
-
memory/1316-107-0x0000000000000000-mapping.dmp
-
memory/1456-0-0x00000000025C0000-0x00000000025C4000-memory.dmpFilesize
16KB
-
memory/1540-134-0x0000000000000000-mapping.dmp
-
memory/1660-67-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-80-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-64-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-63-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-71-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-66-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-62-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-61-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-60-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-75-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-59-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-58-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-57-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-56-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-65-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-54-0x0000000000000000-mapping.dmp
-
memory/1660-76-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-74-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-77-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-78-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-79-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-70-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-81-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-82-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-83-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-84-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-85-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-73-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-72-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-69-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1660-68-0x0000000002310000-0x0000000002321000-memory.dmpFilesize
68KB
-
memory/1684-104-0x0000000002590000-0x00000000025A2000-memory.dmpFilesize
72KB
-
memory/1800-19-0x0000000007570000-0x0000000007574000-memory.dmpFilesize
16KB
-
memory/1800-27-0x0000000007970000-0x0000000007974000-memory.dmpFilesize
16KB
-
memory/1800-14-0x0000000000000000-mapping.dmp
-
memory/1800-26-0x000000000796C000-0x000000000796D000-memory.dmpFilesize
4KB
-
memory/1800-25-0x00000000059D2000-0x00000000059D6000-memory.dmpFilesize
16KB
-
memory/1800-24-0x0000000007929000-0x000000000792A000-memory.dmpFilesize
4KB
-
memory/1800-22-0x0000000005DD5000-0x0000000005DD9000-memory.dmpFilesize
16KB
-
memory/1800-23-0x000000000725F000-0x0000000007263000-memory.dmpFilesize
16KB
-
memory/1992-146-0x0000000000000000-mapping.dmp
-
memory/2000-97-0x00000000039B0000-0x00000000039B4000-memory.dmpFilesize
16KB
-
memory/2000-38-0x00000000007E0000-0x00000000007E2000-memory.dmpFilesize
8KB
-
memory/2000-28-0x0000000001100000-0x0000000001104000-memory.dmpFilesize
16KB
-
memory/2000-29-0x00000000007D0000-0x00000000007D4000-memory.dmpFilesize
16KB
-
memory/2000-30-0x0000000001DE0000-0x0000000001DE4000-memory.dmpFilesize
16KB
-
memory/2000-32-0x00000000007D0000-0x00000000007D4000-memory.dmpFilesize
16KB
-
memory/2000-33-0x0000000001DE0000-0x0000000001DE4000-memory.dmpFilesize
16KB
-
memory/2000-34-0x0000000001DE0000-0x0000000001DE4000-memory.dmpFilesize
16KB
-
memory/2000-35-0x00000000007E0000-0x00000000007E2000-memory.dmpFilesize
8KB
-
memory/2000-99-0x0000000001DE0000-0x0000000001DE4000-memory.dmpFilesize
16KB
-
memory/2000-40-0x00000000039B0000-0x00000000039B4000-memory.dmpFilesize
16KB
-
memory/2000-41-0x00000000007E0000-0x00000000007E2000-memory.dmpFilesize
8KB
-
memory/2000-42-0x00000000007E0000-0x00000000007E2000-memory.dmpFilesize
8KB
-
memory/2000-43-0x00000000007E0000-0x00000000007E2000-memory.dmpFilesize
8KB
-
memory/2000-44-0x00000000007E0000-0x00000000007E2000-memory.dmpFilesize
8KB
-
memory/2000-96-0x0000000006270000-0x0000000006274000-memory.dmpFilesize
16KB
-
memory/2012-144-0x0000000000000000-mapping.dmp