Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
20-07-2021 12:32
Static task
static1
Behavioral task
behavioral1
Sample
3577889cdae96c45ac86d0fabe6723b0.exe
Resource
win7v20210408
General
-
Target
3577889cdae96c45ac86d0fabe6723b0.exe
-
Size
636KB
-
MD5
3577889cdae96c45ac86d0fabe6723b0
-
SHA1
814ba96911f17ded4808b2776ebb43db3d3d2656
-
SHA256
71bc38f1873dde28c4a2a7605527adc649ffa6510b907b2698990fd5ee49f5c8
-
SHA512
bd7490bf182762ba0acee9f49e486c94c4b9c67e029f47b0782b9223f0a88d497e24a9f54b220e7f095a1f2f6149d6981e816adeacf9e7971b6e3ed7c48e866d
Malware Config
Extracted
danabot
1987
4
142.11.244.124:443
142.11.206.50:443
-
embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
Signatures
-
Blocklisted process makes network request 6 IoCs
Processes:
WScript.exerundll32.exeRUNDLL32.EXEflow pid process 54 2956 WScript.exe 58 2956 WScript.exe 60 2956 WScript.exe 62 2956 WScript.exe 73 2884 rundll32.exe 76 204 RUNDLL32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
Processes:
QGMDJMHPWckEJ.exevpn.exe4.exeCheope.exe.comCheope.exe.comSmartClock.exemybrpmu.exepid process 3884 QGMDJMHPWckEJ.exe 756 vpn.exe 2864 4.exe 2956 Cheope.exe.com 3784 Cheope.exe.com 3712 SmartClock.exe 1792 mybrpmu.exe -
Drops startup file 1 IoCs
Processes:
4.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe -
Loads dropped DLL 4 IoCs
Processes:
QGMDJMHPWckEJ.exerundll32.exeRUNDLL32.EXEpid process 3884 QGMDJMHPWckEJ.exe 2884 rundll32.exe 2884 rundll32.exe 204 RUNDLL32.EXE -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 34 ip-api.com -
Drops file in Program Files directory 4 IoCs
Processes:
QGMDJMHPWckEJ.exerundll32.exedescription ioc process File created C:\Program Files (x86)\foler\olader\adprovider.dll QGMDJMHPWckEJ.exe File created C:\Program Files (x86)\foler\olader\acledit.dll QGMDJMHPWckEJ.exe File created C:\PROGRA~3\Jvgzbfh.tmp rundll32.exe File created C:\Program Files (x86)\foler\olader\acppage.dll QGMDJMHPWckEJ.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 24 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Cheope.exe.comRUNDLL32.EXE3577889cdae96c45ac86d0fabe6723b0.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Cheope.exe.com Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 3577889cdae96c45ac86d0fabe6723b0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 3577889cdae96c45ac86d0fabe6723b0.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Cheope.exe.com Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data RUNDLL32.EXE -
Modifies registry class 1 IoCs
Processes:
Cheope.exe.comdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Cheope.exe.com -
Processes:
WScript.exeRUNDLL32.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 WScript.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e WScript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\54AE86E30785445097D18549FABB94427E1B1331 RUNDLL32.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\54AE86E30785445097D18549FABB94427E1B1331\Blob = 03000000010000001400000054ae86e30785445097d18549fabb94427e1b1331200000000100000026020000308202223082018ba00302010202080bf62f67053ccc34300d06092a864886f70d01010b05003030312e302c06035504030c254d693263726f736f667420526f6f7420436572746966696361746520417574686f72697479301e170d3139303732313132333830375a170d3233303732303132333830375a3030312e302c06035504030c254d693263726f736f667420526f6f7420436572746966696361746520417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c6464c5aad4dd65c124ea2990c9d4eeaacfe45651f29fb6d0f21ce700587fd8673023fbb21384545a22cf4b8b2e62d53665497931c01b0e8b8b5d7ceeac33782c3a6c3bf139262b8122016be57568420032430c1771e1767dbcf207e1bdd4df55bdcd110d5823f21d011c3f912e6a08e5767d3226c804ab312e90aeda728003d0203010001a3453043300f0603551d130101ff040530030101ff30300603551d110429302782254d693263726f736f667420526f6f7420436572746966696361746520417574686f72697479300d06092a864886f70d01010b050003818100933b53b0c1e6bdbc8e281441710742195f4d1a76c1a716164276c7a33d2d3125ed6c19834ef8d91d556a0f248d4cd2c99c7d6497333c8f4fe961b99cdb3ab7d1676a3f96d5dee56c1661b85fc90e6a7c319a8bdb93d87aa2fb129766e53844fff22ceae91d39b19faa5d8004bac5004bba83b99b15dc28889e2c518898256374 RUNDLL32.EXE -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
SmartClock.exepid process 3712 SmartClock.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
RUNDLL32.EXEpowershell.exepid process 204 RUNDLL32.EXE 204 RUNDLL32.EXE 204 RUNDLL32.EXE 204 RUNDLL32.EXE 204 RUNDLL32.EXE 204 RUNDLL32.EXE 3612 powershell.exe 3612 powershell.exe 3612 powershell.exe 204 RUNDLL32.EXE 204 RUNDLL32.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
RUNDLL32.EXEpowershell.exedescription pid process Token: SeDebugPrivilege 204 RUNDLL32.EXE Token: SeDebugPrivilege 3612 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
RUNDLL32.EXEpid process 204 RUNDLL32.EXE -
Suspicious use of WriteProcessMemory 51 IoCs
Processes:
3577889cdae96c45ac86d0fabe6723b0.exeQGMDJMHPWckEJ.exevpn.execmd.execmd.exeCheope.exe.com4.exeCheope.exe.commybrpmu.exerundll32.exeRUNDLL32.EXEdescription pid process target process PID 3980 wrote to memory of 3884 3980 3577889cdae96c45ac86d0fabe6723b0.exe QGMDJMHPWckEJ.exe PID 3980 wrote to memory of 3884 3980 3577889cdae96c45ac86d0fabe6723b0.exe QGMDJMHPWckEJ.exe PID 3980 wrote to memory of 3884 3980 3577889cdae96c45ac86d0fabe6723b0.exe QGMDJMHPWckEJ.exe PID 3884 wrote to memory of 756 3884 QGMDJMHPWckEJ.exe vpn.exe PID 3884 wrote to memory of 756 3884 QGMDJMHPWckEJ.exe vpn.exe PID 3884 wrote to memory of 756 3884 QGMDJMHPWckEJ.exe vpn.exe PID 3884 wrote to memory of 2864 3884 QGMDJMHPWckEJ.exe 4.exe PID 3884 wrote to memory of 2864 3884 QGMDJMHPWckEJ.exe 4.exe PID 3884 wrote to memory of 2864 3884 QGMDJMHPWckEJ.exe 4.exe PID 756 wrote to memory of 764 756 vpn.exe cmd.exe PID 756 wrote to memory of 764 756 vpn.exe cmd.exe PID 756 wrote to memory of 764 756 vpn.exe cmd.exe PID 764 wrote to memory of 3356 764 cmd.exe cmd.exe PID 764 wrote to memory of 3356 764 cmd.exe cmd.exe PID 764 wrote to memory of 3356 764 cmd.exe cmd.exe PID 3356 wrote to memory of 3352 3356 cmd.exe findstr.exe PID 3356 wrote to memory of 3352 3356 cmd.exe findstr.exe PID 3356 wrote to memory of 3352 3356 cmd.exe findstr.exe PID 3356 wrote to memory of 2956 3356 cmd.exe Cheope.exe.com PID 3356 wrote to memory of 2956 3356 cmd.exe Cheope.exe.com PID 3356 wrote to memory of 2956 3356 cmd.exe Cheope.exe.com PID 3356 wrote to memory of 1416 3356 cmd.exe PING.EXE PID 3356 wrote to memory of 1416 3356 cmd.exe PING.EXE PID 3356 wrote to memory of 1416 3356 cmd.exe PING.EXE PID 2956 wrote to memory of 3784 2956 Cheope.exe.com Cheope.exe.com PID 2956 wrote to memory of 3784 2956 Cheope.exe.com Cheope.exe.com PID 2956 wrote to memory of 3784 2956 Cheope.exe.com Cheope.exe.com PID 2864 wrote to memory of 3712 2864 4.exe SmartClock.exe PID 2864 wrote to memory of 3712 2864 4.exe SmartClock.exe PID 2864 wrote to memory of 3712 2864 4.exe SmartClock.exe PID 3784 wrote to memory of 1792 3784 Cheope.exe.com mybrpmu.exe PID 3784 wrote to memory of 1792 3784 Cheope.exe.com mybrpmu.exe PID 3784 wrote to memory of 1792 3784 Cheope.exe.com mybrpmu.exe PID 3784 wrote to memory of 3400 3784 Cheope.exe.com WScript.exe PID 3784 wrote to memory of 3400 3784 Cheope.exe.com WScript.exe PID 3784 wrote to memory of 3400 3784 Cheope.exe.com WScript.exe PID 1792 wrote to memory of 2884 1792 mybrpmu.exe rundll32.exe PID 1792 wrote to memory of 2884 1792 mybrpmu.exe rundll32.exe PID 1792 wrote to memory of 2884 1792 mybrpmu.exe rundll32.exe PID 3784 wrote to memory of 2956 3784 Cheope.exe.com WScript.exe PID 3784 wrote to memory of 2956 3784 Cheope.exe.com WScript.exe PID 3784 wrote to memory of 2956 3784 Cheope.exe.com WScript.exe PID 2884 wrote to memory of 204 2884 rundll32.exe RUNDLL32.EXE PID 2884 wrote to memory of 204 2884 rundll32.exe RUNDLL32.EXE PID 2884 wrote to memory of 204 2884 rundll32.exe RUNDLL32.EXE PID 204 wrote to memory of 3612 204 RUNDLL32.EXE powershell.exe PID 204 wrote to memory of 3612 204 RUNDLL32.EXE powershell.exe PID 204 wrote to memory of 3612 204 RUNDLL32.EXE powershell.exe PID 204 wrote to memory of 2804 204 RUNDLL32.EXE powershell.exe PID 204 wrote to memory of 2804 204 RUNDLL32.EXE powershell.exe PID 204 wrote to memory of 2804 204 RUNDLL32.EXE powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3577889cdae96c45ac86d0fabe6723b0.exe"C:\Users\Admin\AppData\Local\Temp\3577889cdae96c45ac86d0fabe6723b0.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\QGMDJMHPWckEJ.exe"C:\Users\Admin\AppData\Local\Temp\QGMDJMHPWckEJ.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Narcotico.mpg4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^hPzBSAzErWqivIhideydXrkRLKibeyeZLrCfJgdYSSNmkzflOaKfcWKpDCPozVBXTwvauYbeMubyfLGaxWJKcMEOzaLinoFWsPGpXXrPUIDgnFURVbNvjQCuvHZOhd$" Sua.mpg6⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cheope.exe.comCheope.exe.com T6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cheope.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cheope.exe.com T7⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mybrpmu.exe"C:\Users\Admin\AppData\Local\Temp\mybrpmu.exe"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\MYBRPM~1.TMP,S C:\Users\Admin\AppData\Local\Temp\mybrpmu.exe9⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\MYBRPM~1.TMP,UDcZa1FpMjZP10⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp61A4.tmp.ps1"11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp6FDF.tmp.ps1"11⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hwwpfwqkkkk.vbs"8⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bhxbbxeyjxvm.vbs"8⤵
- Blocklisted process makes network request
- Modifies system certificate store
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 306⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PROGRA~3\Jvgzbfh.tmpMD5
8303b2caddfa02d1e3bd7796fc8f36e0
SHA1b1b02156710b146139620b5fb8bf90ab8a3de615
SHA256b1228441b57de321998f4697c8d62dd7ad676e032b52a7539171f10dafe7765d
SHA51209f16b9281154f91c68b3609fe4468786be41005b3ce3af6997f11b7610a73ef61b8168ff093a375cae439f5231f1708bc33b05a9d566bdf5c74a590681773df
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
47eebe401625bbc55e75dbfb72e9e89a
SHA1db3b2135942d2532c59b9788253638eb77e5995e
SHA256f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3
SHA512590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cheope.exe.comMD5
c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cheope.exe.comMD5
c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cheope.exe.comMD5
c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chi.mpgMD5
9ded2c093bd49c32b9f1f06265aad843
SHA13c0c5581544628f6c47fd54dc21189f7a6999c5b
SHA256f815800751e3b1be3be88e4a586654fac0bc459cf85080c3eccfad8395472fa5
SHA5128ac2b6bc0dbdf7858fc8a92c1d2c2cdf17deb92ebcffd2ce7cdebbee35c2683a0e706843d0a4daa4f069614b55e06799c9d47e121aabae6ad32551fa630fa12a
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Narcotico.mpgMD5
7435f0e8e46ca0dc11d2a3d7ed31a2ea
SHA1a74f19d3e59d6c1c6a7812b1f3a7beaae1af4a9d
SHA256c7ec9ee50643fe5757eb476e391bc30ee5bcb2b5c6537bdf29a05e8ce3b17ef5
SHA5122f158c1ad931ea784ee6e52c1997875cad44666c61763ce3388780f806664eee31aa528d0bcdf067f978ff65500d11725312baf3f4c1a0c1de4eb09d6f444816
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sua.mpgMD5
15db6ccd633040cf4269f4a5daa60267
SHA17a8af5e0756cccf7928a3d933159088c00548dbb
SHA25641f682dc4f24157205acf41d09080db3fcc8e85e8bc54b356125a6f90c2806e1
SHA5126e32668bb461ea1115070c4a1dd67e85252fb375bef80a34a9eceb11d9680dc3b97e912e849d551983f195d23c2301e1120193445364861746304a1c6d084783
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\TMD5
9ded2c093bd49c32b9f1f06265aad843
SHA13c0c5581544628f6c47fd54dc21189f7a6999c5b
SHA256f815800751e3b1be3be88e4a586654fac0bc459cf85080c3eccfad8395472fa5
SHA5128ac2b6bc0dbdf7858fc8a92c1d2c2cdf17deb92ebcffd2ce7cdebbee35c2683a0e706843d0a4daa4f069614b55e06799c9d47e121aabae6ad32551fa630fa12a
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Voto.mpgMD5
3283e74b35b87067c626c6debc4c647c
SHA125aa5813f536679b608be59cb83c49f1ddc45355
SHA256304e165665671e909c9bd719acef33b3d6029462aa0079f075b1effc5b58ed01
SHA5123a1b73cb5162fb697d74db74be4613a3c195a45adf6f17a5df6ed1a2fc4923cafbf349f053f9c8fbebce356503df4270e8ba94f621ae9931e550185dc44d26b8
-
C:\Users\Admin\AppData\Local\Temp\MYBRPM~1.TMPMD5
7421975d09f0de9fc505ba95c37e5794
SHA1052e5981f44c5451d896f6383df93bcdf5235fe5
SHA256643138b1767f6d5bb05ca771238afc2b2e6d70594d5c5d4b027d20c8c1b733bd
SHA5127fb6e065e98a0f4c2f919e675ef2daa8932b575329965a6c1034340c7d1c219ea9500d032006346617975399e3b6f2fbf90054f9f135dccf6d1de170d753b2ec
-
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exeMD5
e2f1b31cc8c64668a1d4711c750876ab
SHA11dcb8f1569067ebd1ced9e72a881ba17fcc6cf8c
SHA25692244cebe7800839e76728597d74a91d028b17224d72f0077ceea2e6b5682359
SHA512bfa842c0faa4e8d9b2744098829e4ce01266678316decb7bebf18a029f9e58e7ec354218e65bca786c7fc6249a85694b7e1de00f8286c377b19f5e6f436c74bb
-
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exeMD5
e2f1b31cc8c64668a1d4711c750876ab
SHA11dcb8f1569067ebd1ced9e72a881ba17fcc6cf8c
SHA25692244cebe7800839e76728597d74a91d028b17224d72f0077ceea2e6b5682359
SHA512bfa842c0faa4e8d9b2744098829e4ce01266678316decb7bebf18a029f9e58e7ec354218e65bca786c7fc6249a85694b7e1de00f8286c377b19f5e6f436c74bb
-
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exeMD5
4fad87e905527200767b4d75a67475a2
SHA13c6ed14acd0e3500e1a732891db335c14160f94a
SHA256873574405be6ca9e0c85ec516a1736c9a85ffe6f185f7113102763fe52fbd767
SHA51214e3ea68ea1a8fc1966c3cd416fb9275f8b7b34cfaec5a29a5e2c1d95439a2a03a11d4071b05aa6264c263d0459be4cd00a42853ae8a4fc9729580000c725d84
-
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exeMD5
4fad87e905527200767b4d75a67475a2
SHA13c6ed14acd0e3500e1a732891db335c14160f94a
SHA256873574405be6ca9e0c85ec516a1736c9a85ffe6f185f7113102763fe52fbd767
SHA51214e3ea68ea1a8fc1966c3cd416fb9275f8b7b34cfaec5a29a5e2c1d95439a2a03a11d4071b05aa6264c263d0459be4cd00a42853ae8a4fc9729580000c725d84
-
C:\Users\Admin\AppData\Local\Temp\QGMDJMHPWckEJ.exeMD5
68886f96b3223730b1e228f42aecc5cf
SHA135ccef06783fcc868c1de8fd444580394038c15c
SHA2564be474229fe8b4ca351b87683e5377ccdc48b0b18c4c14b9063ffb49b7cb5e74
SHA512a3b083bdb1e7ecf3ae6311e6f9ee6fa3a1c7026c3b979a77fd9814a821d2a1c403952102525fab395abdd51469c3b54114e6a9103e695e03785d769c7a27669c
-
C:\Users\Admin\AppData\Local\Temp\QGMDJMHPWckEJ.exeMD5
68886f96b3223730b1e228f42aecc5cf
SHA135ccef06783fcc868c1de8fd444580394038c15c
SHA2564be474229fe8b4ca351b87683e5377ccdc48b0b18c4c14b9063ffb49b7cb5e74
SHA512a3b083bdb1e7ecf3ae6311e6f9ee6fa3a1c7026c3b979a77fd9814a821d2a1c403952102525fab395abdd51469c3b54114e6a9103e695e03785d769c7a27669c
-
C:\Users\Admin\AppData\Local\Temp\bhxbbxeyjxvm.vbsMD5
69c3f3ec0ab3cc367fd03e9145cf8505
SHA1275d0e92d788d4e394674bb5e054a04fa8640eb2
SHA2565bc893b2005c18bc06077d59771959e8c19b988545558c0a83d316d40cfa1a20
SHA512fca3076e4838fce48e078c45b8ff23b046b8e6d7266864e64e54e934f4fb6b3e581fc04439864adbc16acd01f67edd6c69669b4f436f18a8eb9187c240df8180
-
C:\Users\Admin\AppData\Local\Temp\hwwpfwqkkkk.vbsMD5
fe96591d3e854de7786a32a224508255
SHA18a55e91fd59b661c3a8944e157a2791892aa4d69
SHA2565dfe2abb54138904a47019d8f9eeb11c25e5759957f484756e05439bd67632e3
SHA512fd39966ea53ccd3570140e05bfd1f7546f854195f65129ee727f6991cbb2947d2f355165b088d7f9f1e326dd7169f17c263d1d966d688efadd5ea46ae0319d29
-
C:\Users\Admin\AppData\Local\Temp\mybrpmu.exeMD5
beaf0a675545d76f6393f0e92656639b
SHA1d7444795cfdedc9ae3381b60e6bbe91bd8a470e1
SHA256d4f252125ce1b59def2ae9a8bed16302c4c4c13f54eb41217ef189cccce06a72
SHA51278f0c8b52d4afdc2d559c7e996621b9e7b7f0a25ecc1342e548e4b5c97a8ef45956435331842fb3cf4c64877e5ec49d0b821374f0d781f0d85a0abd0fe0c04e1
-
C:\Users\Admin\AppData\Local\Temp\mybrpmu.exeMD5
beaf0a675545d76f6393f0e92656639b
SHA1d7444795cfdedc9ae3381b60e6bbe91bd8a470e1
SHA256d4f252125ce1b59def2ae9a8bed16302c4c4c13f54eb41217ef189cccce06a72
SHA51278f0c8b52d4afdc2d559c7e996621b9e7b7f0a25ecc1342e548e4b5c97a8ef45956435331842fb3cf4c64877e5ec49d0b821374f0d781f0d85a0abd0fe0c04e1
-
C:\Users\Admin\AppData\Local\Temp\tmp61A4.tmp.ps1MD5
7d8f29a0463f89453c01bb0209734676
SHA113dbb6d0b3407cb7ca4487f70d8abced041bb05b
SHA2564a6b7a0d692600b1020b1f85ff1cdd27b2cfa17932596161e5750896a5fffa5d
SHA51293ec08997b7c638072e40ea6871276e8ff9c67017d0d8047d60ef01ede278a8733dd3a8488b548ac0b1933d4c0e0c6c425201bf88dfe41f45f13a78dc89c55a6
-
C:\Users\Admin\AppData\Local\Temp\tmp61A5.tmpMD5
c416c12d1b2b1da8c8655e393b544362
SHA1fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA2560600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exeMD5
e2f1b31cc8c64668a1d4711c750876ab
SHA11dcb8f1569067ebd1ced9e72a881ba17fcc6cf8c
SHA25692244cebe7800839e76728597d74a91d028b17224d72f0077ceea2e6b5682359
SHA512bfa842c0faa4e8d9b2744098829e4ce01266678316decb7bebf18a029f9e58e7ec354218e65bca786c7fc6249a85694b7e1de00f8286c377b19f5e6f436c74bb
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exeMD5
e2f1b31cc8c64668a1d4711c750876ab
SHA11dcb8f1569067ebd1ced9e72a881ba17fcc6cf8c
SHA25692244cebe7800839e76728597d74a91d028b17224d72f0077ceea2e6b5682359
SHA512bfa842c0faa4e8d9b2744098829e4ce01266678316decb7bebf18a029f9e58e7ec354218e65bca786c7fc6249a85694b7e1de00f8286c377b19f5e6f436c74bb
-
\Users\Admin\AppData\Local\Temp\MYBRPM~1.TMPMD5
7421975d09f0de9fc505ba95c37e5794
SHA1052e5981f44c5451d896f6383df93bcdf5235fe5
SHA256643138b1767f6d5bb05ca771238afc2b2e6d70594d5c5d4b027d20c8c1b733bd
SHA5127fb6e065e98a0f4c2f919e675ef2daa8932b575329965a6c1034340c7d1c219ea9500d032006346617975399e3b6f2fbf90054f9f135dccf6d1de170d753b2ec
-
\Users\Admin\AppData\Local\Temp\MYBRPM~1.TMPMD5
7421975d09f0de9fc505ba95c37e5794
SHA1052e5981f44c5451d896f6383df93bcdf5235fe5
SHA256643138b1767f6d5bb05ca771238afc2b2e6d70594d5c5d4b027d20c8c1b733bd
SHA5127fb6e065e98a0f4c2f919e675ef2daa8932b575329965a6c1034340c7d1c219ea9500d032006346617975399e3b6f2fbf90054f9f135dccf6d1de170d753b2ec
-
\Users\Admin\AppData\Local\Temp\MYBRPM~1.TMPMD5
7421975d09f0de9fc505ba95c37e5794
SHA1052e5981f44c5451d896f6383df93bcdf5235fe5
SHA256643138b1767f6d5bb05ca771238afc2b2e6d70594d5c5d4b027d20c8c1b733bd
SHA5127fb6e065e98a0f4c2f919e675ef2daa8932b575329965a6c1034340c7d1c219ea9500d032006346617975399e3b6f2fbf90054f9f135dccf6d1de170d753b2ec
-
\Users\Admin\AppData\Local\Temp\nsg3E09.tmp\UAC.dllMD5
adb29e6b186daa765dc750128649b63d
SHA1160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA2562f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
memory/204-167-0x0000000000000000-mapping.dmp
-
memory/204-173-0x00000000051F0000-0x0000000006486000-memory.dmpFilesize
18.6MB
-
memory/756-120-0x0000000000000000-mapping.dmp
-
memory/764-126-0x0000000000000000-mapping.dmp
-
memory/1416-134-0x0000000000000000-mapping.dmp
-
memory/1792-147-0x0000000000000000-mapping.dmp
-
memory/1792-156-0x0000000001000000-0x00000000010FF000-memory.dmpFilesize
1020KB
-
memory/1792-157-0x0000000000400000-0x0000000000970000-memory.dmpFilesize
5.4MB
-
memory/2804-204-0x0000000000000000-mapping.dmp
-
memory/2864-142-0x00000000001C0000-0x00000000001E6000-memory.dmpFilesize
152KB
-
memory/2864-122-0x0000000000000000-mapping.dmp
-
memory/2864-143-0x0000000000400000-0x000000000089E000-memory.dmpFilesize
4.6MB
-
memory/2884-158-0x0000000000BB0000-0x0000000000D0C000-memory.dmpFilesize
1.4MB
-
memory/2884-170-0x0000000004800000-0x0000000005A96000-memory.dmpFilesize
18.6MB
-
memory/2884-152-0x0000000000000000-mapping.dmp
-
memory/2956-132-0x0000000000000000-mapping.dmp
-
memory/2956-159-0x0000000000000000-mapping.dmp
-
memory/3352-129-0x0000000000000000-mapping.dmp
-
memory/3356-128-0x0000000000000000-mapping.dmp
-
memory/3400-150-0x0000000000000000-mapping.dmp
-
memory/3612-181-0x00000000043D0000-0x00000000043D1000-memory.dmpFilesize
4KB
-
memory/3612-188-0x00000000078C0000-0x00000000078C1000-memory.dmpFilesize
4KB
-
memory/3612-203-0x00000000043C3000-0x00000000043C4000-memory.dmpFilesize
4KB
-
memory/3612-178-0x0000000000000000-mapping.dmp
-
memory/3612-200-0x0000000008C90000-0x0000000008C91000-memory.dmpFilesize
4KB
-
memory/3612-182-0x0000000006E20000-0x0000000006E21000-memory.dmpFilesize
4KB
-
memory/3612-183-0x0000000007450000-0x0000000007451000-memory.dmpFilesize
4KB
-
memory/3612-184-0x00000000074F0000-0x00000000074F1000-memory.dmpFilesize
4KB
-
memory/3612-185-0x0000000007740000-0x0000000007741000-memory.dmpFilesize
4KB
-
memory/3612-186-0x00000000043C0000-0x00000000043C1000-memory.dmpFilesize
4KB
-
memory/3612-187-0x00000000043C2000-0x00000000043C3000-memory.dmpFilesize
4KB
-
memory/3612-199-0x0000000008BF0000-0x0000000008BF1000-memory.dmpFilesize
4KB
-
memory/3612-189-0x00000000076C0000-0x00000000076C1000-memory.dmpFilesize
4KB
-
memory/3612-190-0x0000000008000000-0x0000000008001000-memory.dmpFilesize
4KB
-
memory/3612-191-0x0000000007E50000-0x0000000007E51000-memory.dmpFilesize
4KB
-
memory/3612-198-0x0000000009660000-0x0000000009661000-memory.dmpFilesize
4KB
-
memory/3612-193-0x0000000007F20000-0x0000000007F21000-memory.dmpFilesize
4KB
-
memory/3712-144-0x0000000000400000-0x000000000089E000-memory.dmpFilesize
4.6MB
-
memory/3712-138-0x0000000000000000-mapping.dmp
-
memory/3784-136-0x0000000000000000-mapping.dmp
-
memory/3784-146-0x0000000001600000-0x000000000174A000-memory.dmpFilesize
1.3MB
-
memory/3884-116-0x0000000000000000-mapping.dmp
-
memory/3980-114-0x0000000000BF0000-0x0000000000CC1000-memory.dmpFilesize
836KB
-
memory/3980-115-0x0000000000400000-0x0000000000908000-memory.dmpFilesize
5.0MB