Resubmissions

28-04-2022 20:00

220428-yrgmpafea6 8

19-11-2020 20:22

201119-s3p5le3qh2 8

19-11-2020 14:03

201119-vpjz62g6ex 8

Analysis

  • max time kernel
    113s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-11-2020 14:03

General

  • Target

    NewActive.exe

  • Size

    3.8MB

  • MD5

    f81c3a1b8349453e85f80b1ac56f44be

  • SHA1

    0b7f75782b2a7de6b4183414680a55f7410c71d7

  • SHA256

    dab82dbf7e6f18b280412c26c65959538a7c184aadab205e49813c2474dc0547

  • SHA512

    3fe024bb8e93bec33a2ed911e13091c6784c4eb6710262bdea8a3614ec174e7ac51d9c4a1a38d4be4b3386e44b8155780e3565a8775da7170bb1fd83ab256cea

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 10 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 106 IoCs
  • Drops file in Windows directory 10 IoCs
  • Modifies registry class 75 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NewActive.exe
    "C:\Users\Admin\AppData\Local\Temp\NewActive.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:500
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
      __IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\NewActive.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\NetSurveillance\CMS\web.ocx"
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:932
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\NetSurveillance\CMS\reg.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3560
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\JFWeb" /v Path /t REG_SZ /d "C:\Program Files (x86)\NetSurveillance\CMS\npWebPlugin.dll" /f
          4⤵
          PID:3976
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\JFGuide" /v Path /t REG_SZ /d "C:\Program Files (x86)\NetSurveillance\CMS\npGuide.dll" /f
          4⤵
          PID:3808
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\JFWeb" /v Path /t REG_SZ /d "C:\Program Files (x86)\NetSurveillance\CMS\npWebPlugin.dll" /f
          4⤵
          PID:2080
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\JFGuide" /v Path /t REG_SZ /d "C:\Program Files (x86)\NetSurveillance\CMS\npGuide.dll" /f
          4⤵
          PID:3552

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Discovery

          Query Registry

          1
          T1012

          Downloads

          • C:\Program Files (x86)\NetSurveillance\CMS\ConfigModule.dll
            MD5

            c287c399f1bf7a5c5347a8b937987def

            SHA1

            80880f5a47036b73ccd9ec60607a4b66058b2243

            SHA256

            49eea28838501b13352045acc34f8ce693c858606b98ceac51d09511662ae21b

            SHA512

            67f646746a9ea6e6e0af0071d643ee5b79634b6298d543054403c33ac19b44b7b52946e58cb6600d4db9d421b4ac1581aad743d54f828d259b5b397056cd2018

          • C:\Program Files (x86)\NetSurveillance\CMS\H264Play.dll
            MD5

            c67952e4e72aaaf1bff335cfd22e6e79

            SHA1

            5eed9b36deb5029bcbb60af0996fa88e21d15807

            SHA256

            2350d458fd1d8aa7c43a6b4ef819f7a0a8eb06b535a81c0ac0f17c3779499c1a

            SHA512

            ed62e89b106788884c4db30d2deac9f17669f7fd4828881ae82d6360f765d8f3a6dc2d8d32db5450e90a8d1a293a80e9f4c4e3f8439890afd1e09a4f35bc1a6e

          • C:\Program Files (x86)\NetSurveillance\CMS\NetSDK.dll
            MD5

            b499957c7a57e89257140d163104046d

            SHA1

            ef692f98a61748ecac1e59261ba8caf0150eb79a

            SHA256

            a060f8d4773bc985e683d536232ed57d83bf9190e0341317bfcf1f064d410654

            SHA512

            a3449609571dcffbd256ad016b2921176dac7ab825062f4ae963c8081a9b672796d7a87448213ca68afdef7c48626f0a89c2ff1e1db324fe8816ce9fa6666f86

          • C:\Program Files (x86)\NetSurveillance\CMS\StreamReader.dll
            MD5

            65f495d45c50cb3b00594e77c76e1ba4

            SHA1

            bba3dbdcb35a9478013dae796386ade413da9d7b

            SHA256

            d809c40e0698d3196d9a6760e3705a1e8bf65c769e67ec87df6175b85f6c420c

            SHA512

            d4465031b983bf5dffccdc5c07342424c3396798c920b719b24190cfc1e735903f585c773df5e49bdc200145c126f87655d860ddf494c495259bde2292ac72b1

          • C:\Program Files (x86)\NetSurveillance\CMS\reg.bat
            MD5

            71baf73ffc3ae2a59c34767eab0208d5

            SHA1

            45ae47dcf0335c27fddf319f878f8ab82cf02344

            SHA256

            aff032368972c093443753e5959a324260a3cb7aca1f1251177c7e3249a8dc68

            SHA512

            ae40422dca879ff576e6accd98cdfcd77189a7a1c72de19724fe569b0553ecb6cf2ae3fb0f9f8a6f790a9a82c252753eb4488f19182853dbac8608bfbd6d47f0

          • C:\Program Files (x86)\NetSurveillance\CMS\web.ocx
            MD5

            5ed1c01ded266cbe83054facf63d8299

            SHA1

            29d2a8e0bef198e489d96b018f20cffbc04f6f0e

            SHA256

            b83740792fc73299e8ea6640a1b2d6bc923ff1fc657482f09f5cbf59ef290dec

            SHA512

            47d0c3d62d9b6760ab2d51c08fc1e735e0d7f183e07d5c932e26d740bef6ad7af5c3fda54d8b0442841cbd15984ebaa043203f33a86aae73bd63b3970b100b0a

          • C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
            MD5

            75ca7ff96bf5a316c3af2de6a412bd54

            SHA1

            0a093950790ff0dddff6f5f29c6b02c10997e0c5

            SHA256

            d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

            SHA512

            b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

          • memory/932-3-0x0000000000000000-mapping.dmp
          • memory/2080-23-0x0000000000000000-mapping.dmp
          • memory/3540-0-0x0000000000000000-mapping.dmp
          • memory/3552-24-0x0000000000000000-mapping.dmp
          • memory/3560-4-0x0000000000000000-mapping.dmp
          • memory/3808-22-0x0000000000000000-mapping.dmp
          • memory/3976-21-0x0000000000000000-mapping.dmp