Resubmissions
- 28-04-2022 20:00  220428-yrgmpafea6  8
- 19-11-2020 20:22  201119-s3p5le3qh2  8
- 19-11-2020 14:03  201119-vpjz62g6ex  8

Analysis
- max time kernel: 113s
- max time network: 136s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 19-11-2020 14:03

Static task: static1
Behavioral task: behavioral1
Sample: NewActive.exe
Resource: win7v20201028
General
- Target: NewActive.exe
- Size: 3.8MB
- MD5: f81c3a1b8349453e85f80b1ac56f44be
- SHA1: 0b7f75782b2a7de6b4183414680a55f7410c71d7
- SHA256: dab82dbf7e6f18b280412c26c65959538a7c184aadab205e49813c2474dc0547
- SHA512: 3fe024bb8e93bec33a2ed911e13091c6784c4eb6710262bdea8a3614ec174e7ac51d9c4a1a38d4be4b3386e44b8155780e3565a8775da7170bb1fd83ab256cea
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes: irsetup.exe
  pid   process
  3540  irsetup.exe
Processes:
  resource                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe  upx
  C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe  upx
Loads dropped DLL (10 IoCs)
Processes: regsvr32.exe
  pid  process
  932  regsvr32.exe  (10 entries, all pid 932 regsvr32.exe)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (106 IoCs)
Processes: irsetup.exe
  description                   ioc
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\dlg_right.bmp
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\replayer_config.ini
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\NetSdk.dll
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\dlg_bottom.JPG
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\reg.bat
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\npWebPlugin.dll
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\Thai.lang
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\French.lang
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\npGuide.dll
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\Brazilian.lang
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\web.ocx
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\dlg_top.bmp
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\Japanese.lang
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\Italian.lang
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\Suomi.lang
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\mp_thumb_active.JPG
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\ConfigModule.ini
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\ConfigModule.ini
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\H264Play.dll
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\plcb_back.JPG
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\x1_01.JPG
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\H264Play.dll
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\theme.ini
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\Romanian.lang
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\ConfigModule.dll
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\playback_graphics_config.ini
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\Hebrew.lang
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\mp_thumb.JPG
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\hi_h264dec_v.dll
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\dlg_left.bmp
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\Portugal.lang
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\playback_graphics_config.ini
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\Korean.lang
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\Playback_graphics_Thumb.bmp
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\PlayDev.dll
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\mp_channel.JPG
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\ConfigModule.dll
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\x1_05.JPG
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\Arabic.lang
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\Guide_Play.dll
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\plcb_over.JPG
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\plcb_normal.JPG
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\dlg_bottom.JPG
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\Russian.lang
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\Japanese.lang
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\Arabic.lang
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\PlayDev.dll
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\Romanian.lang
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\German.lang
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\AlarmEnable.xml
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\Hungarian.lang
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\French.lang
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\English.lang
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\npWebPlugin.dll
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\AlarmEnable.xml
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\x1_01.JPG
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\x1_05.JPG
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\StreamReader.dll
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\web.ocx
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\dlg_right.bmp
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\StreamReader.dll
  File created                  C:\Program Files (x86)\NetSurveillance\CMS\plcb_normal.JPG
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\mp_thumb_active.JPG
  File opened for modification  C:\Program Files (x86)\NetSurveillance\CMS\x1_03.JPG
Drops file in Windows directory (10 IoCs)
Processes: irsetup.exe
  description                   ioc
  File opened for modification  C:\Windows\NetSurveillance\Uninstall\uni96C7.tmp
  File created                  C:\Windows\NetSurveillance\Uninstall\uninstall.dat
  File created                  C:\Windows\NetSurveillance\Uninstall\IRIMG1.JPG
  File opened for modification  C:\Windows\NetSurveillance\Uninstall\uninstall.dat
  File created                  C:\Windows\NetSurveillance\Uninstall\uni96C7.tmp
  File created                  C:\Windows\NetSurveillance\uninstall.exe
  File opened for modification  C:\Windows\NetSurveillance\Uninstall\uninstall.xml
  File created                  C:\Windows\NetSurveillance\Uninstall\uninstall.xml
  File opened for modification  C:\Windows\NetSurveillance\Uninstall\IRIMG1.JPG
  File created                  C:\Windows\NetSurveillance\Uninstall\IRIMG2.JPG
Modifies registry class (75 IoCs)
Processes: regsvr32.exe
  description      ioc
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\ = "_DWeb"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\ProxyStubClsid32
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\TypeLib
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D60F905-E3E8-4A85-B383-E7FCF6926221}\1.0\ = "web ActiveX Control module"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D60F905-E3E8-4A85-B383-E7FCF6926221}\1.0\0\win32
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\TypeLib\ = "{6D60F905-E3E8-4A85-B383-E7FCF6926221}"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D60F905-E3E8-4A85-B383-E7FCF6926221}\1.0\FLAGS\ = "2"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\ProxyStubClsid32
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WEB.WebCtrl.1\CLSID
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WEB.WebCtrl.1\CLSID\ = "{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WEB.WebCtrl.1\Insertable
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WEB.WebCtrl.1\Insertable\
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\TypeLib\ = "{6D60F905-E3E8-4A85-B383-E7FCF6926221}"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\ = "_DWebEvents"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BEBA3D-FD92-46FD-967B-2325E8F6DA64}
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\TypeLib
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\Implemented Categories
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\InprocServer32\ = "C:\\PROGRA~2\\NETSUR~1\\CMS\\web.ocx"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D60F905-E3E8-4A85-B383-E7FCF6926221}\1.0\HELPDIR
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\TypeLib
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\Insertable\
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\TypeLib\Version = "1.0"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\ProxyStubClsid32
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\ = "Web Control"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\ToolboxBitmap32\ = "C:\\PROGRA~2\\NETSUR~1\\CMS\\web.ocx, 1"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\Control\
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WEB.WebCtrl.1
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\MiscStatus\1\ = "131473"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\Version
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\MiscStatus\ = "0"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\InprocServer32\ThreadingModel = "Apartment"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\Control
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D60F905-E3E8-4A85-B383-E7FCF6926221}\1.0\0\win32\ = "C:\\Program Files (x86)\\NetSurveillance\\CMS\\web.ocx"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\TypeLib
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\ = "_DWebEvents"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\Insertable
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D60F905-E3E8-4A85-B383-E7FCF6926221}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\ = "_DWeb"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\TypeLib\ = "{6D60F905-E3E8-4A85-B383-E7FCF6926221}"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\Version\ = "1.0"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BEBA3D-FD92-46FD-967B-2325E8F6DA64}\InprocServer32
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\ProxyStubClsid32
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\MiscStatus
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\TypeLib\ = "{6D60F905-E3E8-4A85-B383-E7FCF6926221}"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\ProgID\ = "WEB.WebCtrl.1"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4BEBA3D-FD92-46FD-967B-2325E8F6DA64}\InprocServer32\ = "C:\\PROGRA~2\\NETSUR~1\\CMS\\web.ocx"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D60F905-E3E8-4A85-B383-E7FCF6926221}\1.0\0
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B6AF2C8-F8A9-422D-A5F9-3D4CE68A5642}\TypeLib\ = "{6D60F905-E3E8-4A85-B383-E7FCF6926221}"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\ProgID
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD3BEB0C-AB43-4253-9146-C371D48FBE0D}\ToolboxBitmap32
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D60F905-E3E8-4A85-B383-E7FCF6926221}\1.0\FLAGS
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25D9C04A-2169-458A-85C1-F62C526ADF9C}
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: irsetup.exe
  pid   process
  3540  irsetup.exe
  3540  irsetup.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes: NewActive.exe, irsetup.exe, cmd.exe
Each row below appears three times in the report, giving the 21 entries.
  description                       pid   process        target process
  PID 500 wrote to memory of 3540   500   NewActive.exe  irsetup.exe
  PID 3540 wrote to memory of 932   3540  irsetup.exe    regsvr32.exe
  PID 3540 wrote to memory of 3560  3540  irsetup.exe    cmd.exe
  PID 3560 wrote to memory of 3976  3560  cmd.exe        reg.exe
  PID 3560 wrote to memory of 3808  3560  cmd.exe        reg.exe
  PID 3560 wrote to memory of 2080  3560  cmd.exe        reg.exe
  PID 3560 wrote to memory of 3552  3560  cmd.exe        reg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\NewActive.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NewActive.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
    Command line: __IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\NewActive.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\NetSurveillance\CMS\web.ocx"
      - Loads dropped DLL
      - Modifies registry class
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\NetSurveillance\CMS\reg.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\JFWeb" /v Path /t REG_SZ /d "C:\Program Files (x86)\NetSurveillance\CMS\npWebPlugin.dll" /f
      - C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\JFGuide" /v Path /t REG_SZ /d "C:\Program Files (x86)\NetSurveillance\CMS\npGuide.dll" /f
      - C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\JFWeb" /v Path /t REG_SZ /d "C:\Program Files (x86)\NetSurveillance\CMS\npWebPlugin.dll" /f
      - C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\JFGuide" /v Path /t REG_SZ /d "C:\Program Files (x86)\NetSurveillance\CMS\npGuide.dll" /f
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Program Files (x86)\NetSurveillance\CMS\ConfigModule.dll
  MD5: c287c399f1bf7a5c5347a8b937987def
  SHA1: 80880f5a47036b73ccd9ec60607a4b66058b2243
  SHA256: 49eea28838501b13352045acc34f8ce693c858606b98ceac51d09511662ae21b
  SHA512: 67f646746a9ea6e6e0af0071d643ee5b79634b6298d543054403c33ac19b44b7b52946e58cb6600d4db9d421b4ac1581aad743d54f828d259b5b397056cd2018
- C:\Program Files (x86)\NetSurveillance\CMS\H264Play.dll
  MD5: c67952e4e72aaaf1bff335cfd22e6e79
  SHA1: 5eed9b36deb5029bcbb60af0996fa88e21d15807
  SHA256: 2350d458fd1d8aa7c43a6b4ef819f7a0a8eb06b535a81c0ac0f17c3779499c1a
  SHA512: ed62e89b106788884c4db30d2deac9f17669f7fd4828881ae82d6360f765d8f3a6dc2d8d32db5450e90a8d1a293a80e9f4c4e3f8439890afd1e09a4f35bc1a6e
- C:\Program Files (x86)\NetSurveillance\CMS\NetSDK.dll
  MD5: b499957c7a57e89257140d163104046d
  SHA1: ef692f98a61748ecac1e59261ba8caf0150eb79a
  SHA256: a060f8d4773bc985e683d536232ed57d83bf9190e0341317bfcf1f064d410654
  SHA512: a3449609571dcffbd256ad016b2921176dac7ab825062f4ae963c8081a9b672796d7a87448213ca68afdef7c48626f0a89c2ff1e1db324fe8816ce9fa6666f86
- C:\Program Files (x86)\NetSurveillance\CMS\StreamReader.dll
  MD5: 65f495d45c50cb3b00594e77c76e1ba4
  SHA1: bba3dbdcb35a9478013dae796386ade413da9d7b
  SHA256: d809c40e0698d3196d9a6760e3705a1e8bf65c769e67ec87df6175b85f6c420c
  SHA512: d4465031b983bf5dffccdc5c07342424c3396798c920b719b24190cfc1e735903f585c773df5e49bdc200145c126f87655d860ddf494c495259bde2292ac72b1
- C:\Program Files (x86)\NetSurveillance\CMS\reg.bat
  MD5: 71baf73ffc3ae2a59c34767eab0208d5
  SHA1: 45ae47dcf0335c27fddf319f878f8ab82cf02344
  SHA256: aff032368972c093443753e5959a324260a3cb7aca1f1251177c7e3249a8dc68
  SHA512: ae40422dca879ff576e6accd98cdfcd77189a7a1c72de19724fe569b0553ecb6cf2ae3fb0f9f8a6f790a9a82c252753eb4488f19182853dbac8608bfbd6d47f0
- C:\Program Files (x86)\NetSurveillance\CMS\web.ocx
  MD5: 5ed1c01ded266cbe83054facf63d8299
  SHA1: 29d2a8e0bef198e489d96b018f20cffbc04f6f0e
  SHA256: b83740792fc73299e8ea6640a1b2d6bc923ff1fc657482f09f5cbf59ef290dec
  SHA512: 47d0c3d62d9b6760ab2d51c08fc1e735e0d7f183e07d5c932e26d740bef6ad7af5c3fda54d8b0442841cbd15984ebaa043203f33a86aae73bd63b3970b100b0a
- C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
  MD5: 75ca7ff96bf5a316c3af2de6a412bd54
  SHA1: 0a093950790ff0dddff6f5f29c6b02c10997e0c5
  SHA256: d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1
  SHA512: b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4
- \Program Files (x86)\NetSurveillance\CMS\ConfigModule.dll
  MD5: c287c399f1bf7a5c5347a8b937987def
  SHA1: 80880f5a47036b73ccd9ec60607a4b66058b2243
  SHA256: 49eea28838501b13352045acc34f8ce693c858606b98ceac51d09511662ae21b
  SHA512: 67f646746a9ea6e6e0af0071d643ee5b79634b6298d543054403c33ac19b44b7b52946e58cb6600d4db9d421b4ac1581aad743d54f828d259b5b397056cd2018
- \Program Files (x86)\NetSurveillance\CMS\H264Play.dll
  MD5: c67952e4e72aaaf1bff335cfd22e6e79
  SHA1: 5eed9b36deb5029bcbb60af0996fa88e21d15807
  SHA256: 2350d458fd1d8aa7c43a6b4ef819f7a0a8eb06b535a81c0ac0f17c3779499c1a
  SHA512: ed62e89b106788884c4db30d2deac9f17669f7fd4828881ae82d6360f765d8f3a6dc2d8d32db5450e90a8d1a293a80e9f4c4e3f8439890afd1e09a4f35bc1a6e
- \Program Files (x86)\NetSurveillance\CMS\NetSdk.dll
  MD5: b499957c7a57e89257140d163104046d
  SHA1: ef692f98a61748ecac1e59261ba8caf0150eb79a
  SHA256: a060f8d4773bc985e683d536232ed57d83bf9190e0341317bfcf1f064d410654
  SHA512: a3449609571dcffbd256ad016b2921176dac7ab825062f4ae963c8081a9b672796d7a87448213ca68afdef7c48626f0a89c2ff1e1db324fe8816ce9fa6666f86
- \Program Files (x86)\NetSurveillance\CMS\StreamReader.dll
  MD5: 65f495d45c50cb3b00594e77c76e1ba4
  SHA1: bba3dbdcb35a9478013dae796386ade413da9d7b
  SHA256: d809c40e0698d3196d9a6760e3705a1e8bf65c769e67ec87df6175b85f6c420c
  SHA512: d4465031b983bf5dffccdc5c07342424c3396798c920b719b24190cfc1e735903f585c773df5e49bdc200145c126f87655d860ddf494c495259bde2292ac72b1
- \Program Files (x86)\NetSurveillance\CMS\web.ocx
  MD5: 5ed1c01ded266cbe83054facf63d8299
  SHA1: 29d2a8e0bef198e489d96b018f20cffbc04f6f0e
  SHA256: b83740792fc73299e8ea6640a1b2d6bc923ff1fc657482f09f5cbf59ef290dec
  SHA512: 47d0c3d62d9b6760ab2d51c08fc1e735e0d7f183e07d5c932e26d740bef6ad7af5c3fda54d8b0442841cbd15984ebaa043203f33a86aae73bd63b3970b100b0a
- memory/932-3-0x0000000000000000-mapping.dmp
- memory/2080-23-0x0000000000000000-mapping.dmp
- memory/3540-0-0x0000000000000000-mapping.dmp
- memory/3552-24-0x0000000000000000-mapping.dmp
- memory/3560-4-0x0000000000000000-mapping.dmp
- memory/3808-22-0x0000000000000000-mapping.dmp
- memory/3976-21-0x0000000000000000-mapping.dmp