Analysis
-
max time kernel
126s -
max time network
71s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
13-05-2021 12:56
General
-
Target
4253c4df27e579d4bd16a83e63978cb1b580118f895a3ed51198ad04c620913d.exe
-
Size
2.6MB
-
MD5
cd796c648d34c5ecd50b1e05a1ba2300
-
SHA1
bfaf62622d255bd1f9a2cd60996f0f5c17628f71
-
SHA256
4253c4df27e579d4bd16a83e63978cb1b580118f895a3ed51198ad04c620913d
-
SHA512
8a33f3a42a3675ab0115249ecbeb5fd559faaa32f5286356e892eda6bf860bda449002c201ea46fa1e35d8b8ddb2b7bef43d8cee1ba6b5019899935ff5f957b5
Malware Config
Signatures
-
Executes dropped EXE 6 IoCs
-
Adds Run key to start application 2 TTPs 21 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 7 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4253c4df27e579d4bd16a83e63978cb1b580118f895a3ed51198ad04c620913d.exe"C:\Users\Admin\AppData\Local\Temp\4253c4df27e579d4bd16a83e63978cb1b580118f895a3ed51198ad04c620913d.exe"1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s scrrun.dll2⤵
- Modifies registry class
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\775478.vbs"2⤵
-
C:\Users\Admin\AppData\Local\Temp\204.#.exeC:\Users\Admin\AppData\Local\Temp\204.#.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s scrrun.dll3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\183315.vbs"3⤵
-
C:\Users\Admin\AppData\Local\Temp\308.#.exeC:\Users\Admin\AppData\Local\Temp\308.#.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s scrrun.dll4⤵
- Modifies registry class
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\726284.vbs"4⤵
-
C:\Users\Admin\AppData\Local\Temp\780.#.exeC:\Users\Admin\AppData\Local\Temp\780.#.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s scrrun.dll5⤵
- Modifies registry class
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\141445.vbs"5⤵
-
C:\Users\Admin\AppData\Local\Temp\59.#.exeC:\Users\Admin\AppData\Local\Temp\59.#.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s scrrun.dll6⤵
- Modifies registry class
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\150844.vbs"6⤵
-
C:\Users\Admin\AppData\Local\Temp\38.#.exeC:\Users\Admin\AppData\Local\Temp\38.#.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s scrrun.dll7⤵
- Modifies registry class
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\10906.vbs"7⤵
-
C:\Users\Admin\AppData\Local\Temp\142.#.exeC:\Users\Admin\AppData\Local\Temp\142.#.exe7⤵
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s scrrun.dll8⤵
- Modifies registry class
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\382488.vbs"8⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\10a0699fa37928d39c\spfirewall.exeMD5
cd796c648d34c5ecd50b1e05a1ba2300
SHA1bfaf62622d255bd1f9a2cd60996f0f5c17628f71
SHA2564253c4df27e579d4bd16a83e63978cb1b580118f895a3ed51198ad04c620913d
SHA5128a33f3a42a3675ab0115249ecbeb5fd559faaa32f5286356e892eda6bf860bda449002c201ea46fa1e35d8b8ddb2b7bef43d8cee1ba6b5019899935ff5f957b5
-
C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe$MD5
931c0ee123d721a83dd357c73c6e84e6
SHA16cf8b7857528f6f9f32349b6ed41ca11faeee83e
SHA256d55f6d133c9f66fb94c232657c4a9c57f95c457dd3bec2ca0a44aa325f7b8aea
SHA5120a34c1bd7ad5b1d63845ef30e29545aad2bdb6443da823d1da4242f1f71b92ffc6b5744f2e9824fe4091edc4e0ba2da66022b8c0183202b202299cc553b75952
-
C:\Program Files\Java\jdk1.8.0_66\bin\jps.exeMD5
45efe7e2c9e462e1990a5dd8608afc96
SHA1f2254c90a102501ee6d6317f3d4b942e222fd4ff
SHA256a85aa9c711b4bb4122a368fd22f345e1f9724cd9e1a0402076af88573a7541ad
SHA512a3983ee1f687cdb707a8a765b08490763857d12a04be82a50837aba2d3b9d2916989276a3b6dcde1340607cad8c8bbe4e21c479d793e59c4f4349a77dc201573
-
C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe$MD5
45efe7e2c9e462e1990a5dd8608afc96
SHA1f2254c90a102501ee6d6317f3d4b942e222fd4ff
SHA256a85aa9c711b4bb4122a368fd22f345e1f9724cd9e1a0402076af88573a7541ad
SHA512a3983ee1f687cdb707a8a765b08490763857d12a04be82a50837aba2d3b9d2916989276a3b6dcde1340607cad8c8bbe4e21c479d793e59c4f4349a77dc201573
-
C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe$MD5
45efe7e2c9e462e1990a5dd8608afc96
SHA1f2254c90a102501ee6d6317f3d4b942e222fd4ff
SHA256a85aa9c711b4bb4122a368fd22f345e1f9724cd9e1a0402076af88573a7541ad
SHA512a3983ee1f687cdb707a8a765b08490763857d12a04be82a50837aba2d3b9d2916989276a3b6dcde1340607cad8c8bbe4e21c479d793e59c4f4349a77dc201573
-
C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe$MD5
abec2256381198c9db4cc418de465b6f
SHA1e8ba37b956cf916615c7cf36311d30a474835e30
SHA2560f61abf00d9893a70e6f1be3ea7c609cf8289d7001783535ce61050b783c7342
SHA5127271f72c480851dd97b3f4640e81e22a8ad89887a1fd846b4bf3d90d2f295165e2cf91ec21fced68a804b992f2c4f9cff0c29b70e2f4b23a67f72d42152f19f0
-
C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe$MD5
6f028ff5b76c8625fb28bd8beaf6e144
SHA1a123feb6c079424abb84d71bf863c91f87517457
SHA256c5de37facb2525c990673e8f608c07f6a2bc140e58ce6d47a89fdfc0bebc3a1a
SHA5124ccdf36790586f9c48fcaf782f2be4e851dc1bd6584ec99b50eb878123bd7ec53e4613bc96a7c8f1ed964634e4ed32503657c4ddc62e3139553f783072a22d4a
-
C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe$MD5
e6b3499fa5abb9a3e781c9f9a9c5d2b6
SHA13aa759815542bc0bd3fbf13017ec3ef35fc345e6
SHA256c7c407e4d2be1e5b9c89583e2dc54078db34368b96c3960b9f361dac84651ac3
SHA5124eb702ae8c04360cbe0553a853d6b5f77171e4171cfb5ec713f2255f62a28c8636c910c13ba93e51d0723fa724c9769347d62292a76eddde98a0b7917c87078f
-
C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE$MD5
83e4daf335597fb3e7256a3638767f2b
SHA11f89d44d865c910bd388d1f0075255c785e3efaa
SHA256f85136fa305a374ce6514315b2bb0e7b6c6add1a6155382d70ed0a5e0c2b7410
SHA5122a789c54db6cff13283ca84e1fedd1b747016c6c024260c3cd9aa38c24463d0f447a3f502b6046d998de620bcac7d23e4e46327fa40f5ed8df7ac7a569403de0
-
C:\Users\Admin\AppData\Local\Temp\142.#.exeMD5
cd796c648d34c5ecd50b1e05a1ba2300
SHA1bfaf62622d255bd1f9a2cd60996f0f5c17628f71
SHA2564253c4df27e579d4bd16a83e63978cb1b580118f895a3ed51198ad04c620913d
SHA5128a33f3a42a3675ab0115249ecbeb5fd559faaa32f5286356e892eda6bf860bda449002c201ea46fa1e35d8b8ddb2b7bef43d8cee1ba6b5019899935ff5f957b5
-
C:\Users\Admin\AppData\Local\Temp\142.#.exeMD5
cd796c648d34c5ecd50b1e05a1ba2300
SHA1bfaf62622d255bd1f9a2cd60996f0f5c17628f71
SHA2564253c4df27e579d4bd16a83e63978cb1b580118f895a3ed51198ad04c620913d
SHA5128a33f3a42a3675ab0115249ecbeb5fd559faaa32f5286356e892eda6bf860bda449002c201ea46fa1e35d8b8ddb2b7bef43d8cee1ba6b5019899935ff5f957b5
-
C:\Users\Admin\AppData\Local\Temp\204.#.exeMD5
cd796c648d34c5ecd50b1e05a1ba2300
SHA1bfaf62622d255bd1f9a2cd60996f0f5c17628f71
SHA2564253c4df27e579d4bd16a83e63978cb1b580118f895a3ed51198ad04c620913d
SHA5128a33f3a42a3675ab0115249ecbeb5fd559faaa32f5286356e892eda6bf860bda449002c201ea46fa1e35d8b8ddb2b7bef43d8cee1ba6b5019899935ff5f957b5
-
C:\Users\Admin\AppData\Local\Temp\204.#.exeMD5
cd796c648d34c5ecd50b1e05a1ba2300
SHA1bfaf62622d255bd1f9a2cd60996f0f5c17628f71
SHA2564253c4df27e579d4bd16a83e63978cb1b580118f895a3ed51198ad04c620913d
SHA5128a33f3a42a3675ab0115249ecbeb5fd559faaa32f5286356e892eda6bf860bda449002c201ea46fa1e35d8b8ddb2b7bef43d8cee1ba6b5019899935ff5f957b5
-
C:\Users\Admin\AppData\Local\Temp\308.#.exeMD5
cd796c648d34c5ecd50b1e05a1ba2300
SHA1bfaf62622d255bd1f9a2cd60996f0f5c17628f71
SHA2564253c4df27e579d4bd16a83e63978cb1b580118f895a3ed51198ad04c620913d
SHA5128a33f3a42a3675ab0115249ecbeb5fd559faaa32f5286356e892eda6bf860bda449002c201ea46fa1e35d8b8ddb2b7bef43d8cee1ba6b5019899935ff5f957b5
-
C:\Users\Admin\AppData\Local\Temp\308.#.exeMD5
cd796c648d34c5ecd50b1e05a1ba2300
SHA1bfaf62622d255bd1f9a2cd60996f0f5c17628f71
SHA2564253c4df27e579d4bd16a83e63978cb1b580118f895a3ed51198ad04c620913d
SHA5128a33f3a42a3675ab0115249ecbeb5fd559faaa32f5286356e892eda6bf860bda449002c201ea46fa1e35d8b8ddb2b7bef43d8cee1ba6b5019899935ff5f957b5
-
C:\Users\Admin\AppData\Local\Temp\38.#.exeMD5
cd796c648d34c5ecd50b1e05a1ba2300
SHA1bfaf62622d255bd1f9a2cd60996f0f5c17628f71
SHA2564253c4df27e579d4bd16a83e63978cb1b580118f895a3ed51198ad04c620913d
SHA5128a33f3a42a3675ab0115249ecbeb5fd559faaa32f5286356e892eda6bf860bda449002c201ea46fa1e35d8b8ddb2b7bef43d8cee1ba6b5019899935ff5f957b5
-
C:\Users\Admin\AppData\Local\Temp\38.#.exeMD5
cd796c648d34c5ecd50b1e05a1ba2300
SHA1bfaf62622d255bd1f9a2cd60996f0f5c17628f71
SHA2564253c4df27e579d4bd16a83e63978cb1b580118f895a3ed51198ad04c620913d
SHA5128a33f3a42a3675ab0115249ecbeb5fd559faaa32f5286356e892eda6bf860bda449002c201ea46fa1e35d8b8ddb2b7bef43d8cee1ba6b5019899935ff5f957b5
-
C:\Users\Admin\AppData\Local\Temp\59.#.exeMD5
cd796c648d34c5ecd50b1e05a1ba2300
SHA1bfaf62622d255bd1f9a2cd60996f0f5c17628f71
SHA2564253c4df27e579d4bd16a83e63978cb1b580118f895a3ed51198ad04c620913d
SHA5128a33f3a42a3675ab0115249ecbeb5fd559faaa32f5286356e892eda6bf860bda449002c201ea46fa1e35d8b8ddb2b7bef43d8cee1ba6b5019899935ff5f957b5
-
C:\Users\Admin\AppData\Local\Temp\59.#.exeMD5
cd796c648d34c5ecd50b1e05a1ba2300
SHA1bfaf62622d255bd1f9a2cd60996f0f5c17628f71
SHA2564253c4df27e579d4bd16a83e63978cb1b580118f895a3ed51198ad04c620913d
SHA5128a33f3a42a3675ab0115249ecbeb5fd559faaa32f5286356e892eda6bf860bda449002c201ea46fa1e35d8b8ddb2b7bef43d8cee1ba6b5019899935ff5f957b5
-
C:\Users\Admin\AppData\Local\Temp\780.#.exeMD5
cd796c648d34c5ecd50b1e05a1ba2300
SHA1bfaf62622d255bd1f9a2cd60996f0f5c17628f71
SHA2564253c4df27e579d4bd16a83e63978cb1b580118f895a3ed51198ad04c620913d
SHA5128a33f3a42a3675ab0115249ecbeb5fd559faaa32f5286356e892eda6bf860bda449002c201ea46fa1e35d8b8ddb2b7bef43d8cee1ba6b5019899935ff5f957b5
-
C:\Users\Admin\AppData\Local\Temp\780.#.exeMD5
cd796c648d34c5ecd50b1e05a1ba2300
SHA1bfaf62622d255bd1f9a2cd60996f0f5c17628f71
SHA2564253c4df27e579d4bd16a83e63978cb1b580118f895a3ed51198ad04c620913d
SHA5128a33f3a42a3675ab0115249ecbeb5fd559faaa32f5286356e892eda6bf860bda449002c201ea46fa1e35d8b8ddb2b7bef43d8cee1ba6b5019899935ff5f957b5
-
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\10906.vbsMD5
e98740f59246b23b0d7f73f141f24d47
SHA11bfd55b3f13c85f94e1694bffa89a2d79a61a630
SHA25668af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a
SHA512d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928
-
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\141445.vbsMD5
e98740f59246b23b0d7f73f141f24d47
SHA11bfd55b3f13c85f94e1694bffa89a2d79a61a630
SHA25668af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a
SHA512d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928
-
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\150844.vbsMD5
e98740f59246b23b0d7f73f141f24d47
SHA11bfd55b3f13c85f94e1694bffa89a2d79a61a630
SHA25668af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a
SHA512d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928
-
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\183315.vbsMD5
e98740f59246b23b0d7f73f141f24d47
SHA11bfd55b3f13c85f94e1694bffa89a2d79a61a630
SHA25668af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a
SHA512d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928
-
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\382488.vbsMD5
e98740f59246b23b0d7f73f141f24d47
SHA11bfd55b3f13c85f94e1694bffa89a2d79a61a630
SHA25668af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a
SHA512d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928
-
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\726284.vbsMD5
e98740f59246b23b0d7f73f141f24d47
SHA11bfd55b3f13c85f94e1694bffa89a2d79a61a630
SHA25668af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a
SHA512d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928
-
C:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\2C10A89\775478.vbsMD5
e98740f59246b23b0d7f73f141f24d47
SHA11bfd55b3f13c85f94e1694bffa89a2d79a61a630
SHA25668af315a2e48e340c71d9235a050dac6f82ac1c10fcc4b7158aeb32230530a9a
SHA512d00ecfc709dc1fc912203f98118a6c47d7a01dfd13f8bf1acd3a7cc9a80ad184507788b027990af47659505e5a09e61f852f73e6529766429a2af8bf0358e928
-
memory/380-144-0x0000000000000000-mapping.dmp
-
memory/576-171-0x0000000000000000-mapping.dmp
-
memory/944-119-0x0000000000000000-mapping.dmp
-
memory/1456-128-0x0000000000000000-mapping.dmp
-
memory/1964-165-0x0000000000000000-mapping.dmp
-
memory/2116-136-0x0000000000000000-mapping.dmp
-
memory/2224-149-0x0000000000000000-mapping.dmp
-
memory/2288-126-0x0000000000000000-mapping.dmp
-
memory/2304-116-0x0000000000000000-mapping.dmp
-
memory/2328-124-0x0000000000000000-mapping.dmp
-
memory/2500-155-0x0000000000000000-mapping.dmp
-
memory/2608-141-0x0000000000000000-mapping.dmp
-
memory/2892-160-0x0000000000000000-mapping.dmp
-
memory/3244-150-0x0000000000000000-mapping.dmp
-
memory/3264-173-0x0000000000000000-mapping.dmp
-
memory/3580-117-0x0000000000000000-mapping.dmp
-
memory/3676-133-0x0000000000000000-mapping.dmp
-
memory/3680-134-0x0000000000000000-mapping.dmp
-
memory/3832-142-0x0000000000000000-mapping.dmp
-
memory/4056-162-0x0000000000000000-mapping.dmp