NewActive.exe

General

Target: NewActive.exe
Filesize: 3MB
Completed: 19-11-2020 14:06
Score: 8/10
MD5: f81c3a1b8349453e85f80b1ac56f44be
SHA1: 0b7f75782b2a7de6b4183414680a55f7410c71d7
SHA256: dab82dbf7e6f18b280412c26c65959538a7c184aadab205e49813c2474dc0547

Signatures (9)

Discovery
  • Executes dropped EXE
    Process: irsetup.exe

    Reported IOCs

    PID | Process
    1900 | irsetup.exe
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    Resource | YARA rule
    behavioral1/files/0x00040000000130f7-0.dat | upx
    behavioral1/files/0x00040000000130f7-2.dat | upx
    behavioral1/files/0x00040000000130f7-3.dat | upx
    behavioral1/files/0x00040000000130f7-4.dat | upx
    behavioral1/files/0x00040000000130f7-6.dat | upx
    behavioral1/files/0x00040000000130f7-5.dat | upx
    behavioral1/files/0x00050000000130fe-7.dat | upx
    behavioral1/files/0x00040000000130f7-8.dat | upx
  • Loads dropped DLL
    Processes: NewActive.exe, irsetup.exe, regsvr32.exe

    Reported IOCs

    PID | Process | Events
    344 | NewActive.exe | 1
    1900 | irsetup.exe | 5
    1420 | regsvr32.exe | 5
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Drops file in Program Files directory
    Process: irsetup.exe

    Reported IOCs

    Description | IOC | Process
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\PlayDev.dll | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\PlayDev.dll | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\dlg_top.bmp | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\playback_graphics_config.ini | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\Suomi.lang | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\Japanese.lang | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\Hungarian.lang | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\Japanese.lang | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\Guide_Play.dll | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\mp_channel.JPG | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\mp_thumb.JPG | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\theme.ini | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\dlg_bottom.JPG | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\Playback_graphics_Thumb.bmp | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\Romanian.lang | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\plcb_back.JPG | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\dlg_right.bmp | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\plcb_Disabled.JPG | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\Greek.lang | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\plcb_over.JPG | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\Spanish.lang | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\reg.bat | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\plcb_back.JPG | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\Hungarian.lang | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\Turkey.lang | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\mp_thumb_active.JPG | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\plcb_over.JPG | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\Thai.lang | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\Guide_Play.dll | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\StreamReader.dll | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\x1_05.JPG | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\replayer_config.ini | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\Thai.lang | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\Hebrew.lang | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\Turkey.lang | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\H264Play.dll | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\Spanish.lang | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\German.lang | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\French.lang | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\hi_h264dec_v.dll | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\Russian.lang | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\Brazilian.lang | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\mp_channel.JPG | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\mp_channel_active.JPG | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\replayer_config.ini | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\Arabic.lang | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\StreamReader.dll | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\ConfigModule.dll | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\mp_channel_active.JPG | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\Portugal.lang | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\Korean.lang | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\Brazilian.lang | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\AlarmEnable.xml | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\Hebrew.lang | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\NetSdk.dll | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\plcb_normal.JPG | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\Poland.lang | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\Greek.lang | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\German.lang | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\English.lang | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\web.ocx | irsetup.exe
    File opened for modification | C:\Program Files (x86)\NetSurveillance\CMS\TradChinese.lang | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\Suomi.lang | irsetup.exe
    File created | C:\Program Files (x86)\NetSurveillance\CMS\dlg_right.bmp | irsetup.exe
  • Drops file in Windows directory
    Process: irsetup.exe

    Reported IOCs

    Description | IOC | Process
    File opened for modification | C:\Windows\NetSurveillance\Uninstall\uninstall.dat | irsetup.exe
    File created | C:\Windows\NetSurveillance\uninstall.exe | irsetup.exe
    File opened for modification | C:\Windows\NetSurveillance\Uninstall\uninstall.xml | irsetup.exe
    File opened for modification | C:\Windows\NetSurveillance\Uninstall\IRIMG1.JPG | irsetup.exe
    File created | C:\Windows\NetSurveillance\Uninstall\IRIMG2.JPG | irsetup.exe
    File opened for modification | C:\Windows\NetSurveillance\Uninstall\uni959B.tmp | irsetup.exe
    File created | C:\Windows\NetSurveillance\Uninstall\uni959B.tmp | irsetup.exe
    File created | C:\Windows\NetSurveillance\Uninstall\uninstall.dat | irsetup.exe
    File created | C:\Windows\NetSurveillance\Uninstall\uninstall.xml | irsetup.exe
    File created | C:\Windows\NetSurveillance\Uninstall\IRIMG1.JPG | irsetup.exe
  • Modifies registry class
    Process: regsvr32.exe

    Reported IOCs

    Description | IOC | Process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\ProxyStubClsid32 | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\TypeLib\ = "{6D60F905-E3E8-4A85-B383-E7FCF6926221}" | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\TypeLib\ = "{6D60F905-E3E8-4A85-B383-E7FCF6926221}" | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\Insertable\ | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\TypeLib\Version = "1.0" | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\TypeLib\Version = "1.0" | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WEB.WebCtrl.1\Insertable\ | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\TypeLib | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\TypeLib | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\Control\ | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\Implemented Categories | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BEBA3D-FD92-46FD-967B-2325E8F6DA64}\InprocServer32 | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BEBA3D-FD92-46FD-967B-2325E8F6DA64}\ = "Web Property Page" | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D60F905-E3E8-4A85-B383-E7FCF6926221}\1.0\ = "web ActiveX Control module" | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D60F905-E3E8-4A85-B383-E7FCF6926221}\1.0\0 | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\TypeLib\Version = "1.0" | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\TypeLib\ = "{6D60F905-E3E8-4A85-B383-E7FCF6926221}" | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D} | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WEB.WebCtrl.1\Insertable | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\ProxyStubClsid32 | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\TypeLib\ = "{6D60F905-E3E8-4A85-B383-E7FCF6926221}" | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\InprocServer32 | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BEBA3D-FD92-46FD-967B-2325E8F6DA64} | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\Control | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D60F905-E3E8-4A85-B383-E7FCF6926221}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\NetSurveillance\\CMS" | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C} | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\TypeLib | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\TypeLib | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\MiscStatus\1 | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\ToolboxBitmap32\ = "C:\\PROGRA~2\\NETSUR~1\\CMS\\web.ocx, 1" | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D60F905-E3E8-4A85-B383-E7FCF6926221} | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D60F905-E3E8-4A85-B383-E7FCF6926221}\1.0\0\win32\ = "C:\\Program Files (x86)\\NetSurveillance\\CMS\\web.ocx" | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D60F905-E3E8-4A85-B383-E7FCF6926221}\1.0\HELPDIR | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\TypeLib\ = "{6D60F905-E3E8-4A85-B383-E7FCF6926221}" | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\ProgID\ = "WEB.WebCtrl.1" | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\ = "_DWebEvents" | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WEB.WebCtrl.1\CLSID | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\ = "_DWeb" | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WEB.WebCtrl.1\CLSID\ = "{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}" | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\Insertable | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\MiscStatus\1\ = "131473" | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D60F905-E3E8-4A85-B383-E7FCF6926221}\1.0 | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D60F905-E3E8-4A85-B383-E7FCF6926221}\1.0\FLAGS\ = "2" | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\ = "_DWeb" | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\TypeLib\Version = "1.0" | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WEB.WebCtrl.1 | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\MiscStatus | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C} | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\ProxyStubClsid32 | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\ToolboxBitmap32 | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\Version | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\TypeLib | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4BEBA3D-FD92-46FD-967B-2325E8F6DA64}\InprocServer32\ = "C:\\PROGRA~2\\NETSUR~1\\CMS\\web.ocx" | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642} | regsvr32.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\ProxyStubClsid32 | regsvr32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
  • Suspicious use of SetWindowsHookEx
    Process: irsetup.exe

    Reported IOCs

    PID | Process | Events
    1900 | irsetup.exe | 2
  • Suspicious use of WriteProcessMemory
    Processes: NewActive.exe, irsetup.exe, cmd.exe

    Reported IOCs

    Description | PID | Process | Target process | Events
    PID 344 wrote to memory of 1900 | 344 | NewActive.exe | irsetup.exe | 7
    PID 1900 wrote to memory of 1420 | 1900 | irsetup.exe | regsvr32.exe | 7
    PID 1900 wrote to memory of 1336 | 1900 | irsetup.exe | cmd.exe | 7
    PID 1336 wrote to memory of 1012 | 1336 | cmd.exe | reg.exe | 7
    PID 1336 wrote to memory of 880 | 1336 | cmd.exe | reg.exe | 7
    PID 1336 wrote to memory of 528 | 1336 | cmd.exe | reg.exe | 7
    PID 1336 wrote to memory of 760 | 1336 | cmd.exe | reg.exe | 7
Processes (8)
  • C:\Users\Admin\AppData\Local\Temp\NewActive.exe
    "C:\Users\Admin\AppData\Local\Temp\NewActive.exe"
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:344
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
      __IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\NewActive.exe"
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\NetSurveillance\CMS\web.ocx"
        Loads dropped DLL
        Modifies registry class
        PID:1420
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Program Files (x86)\NetSurveillance\CMS\reg.bat" "
        Suspicious use of WriteProcessMemory
        PID:1336
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\JFWeb" /v Path /t REG_SZ /d "C:\Program Files (x86)\NetSurveillance\CMS\npWebPlugin.dll" /f
          PID:1012
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\JFGuide" /v Path /t REG_SZ /d "C:\Program Files (x86)\NetSurveillance\CMS\npGuide.dll" /f
          PID:880
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\JFWeb" /v Path /t REG_SZ /d "C:\Program Files (x86)\NetSurveillance\CMS\npWebPlugin.dll" /f
          PID:528
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\JFGuide" /v Path /t REG_SZ /d "C:\Program Files (x86)\NetSurveillance\CMS\npGuide.dll" /f
          PID:760
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads