Analysis
- max time kernel: 147s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 24-07-2021 18:03

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: lv (1).exe
  Resource: win7v20210410
General
- Target: lv (1).exe
- Size: 1.4MB
- MD5: 1ca90b66b79df8576c3d35bfad0f33fa
- SHA1: 17291f5b80496efc656a489c340d8856eec27ee3
- SHA256: 5ae829af19623394beedd713e57223f23f48463195eb3ff0251be90d5a18f9f9
- SHA512: 9b9d171fac852ed1b52a20f09df0d8d7c8dc0d7e2e170028ddf531d552421e43150884e11b32725785c1f4cc6bbae3f17aead2a7ab3296d0bccd2b28c20cbae9
Malware Config
Extracted
- Family: danabot
- Version: 1987
- Botnet: 4
- C2: 142.11.244.124:443
- C2: 142.11.206.50:443
- embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
Signatures

Blocklisted process makes network request (6 IoCs)
Processes:
  flow  pid   process
  31    4404  WScript.exe
  33    4404  WScript.exe
  35    4404  WScript.exe
  37    4404  WScript.exe
  40    4364  rundll32.exe
  41    4520  RUNDLL32.EXE

Downloads MZ/PE file

Executes dropped EXE (6 IoCs)
Processes:
  pid   process
  1852  vpn.exe
  1952  4.exe
  3604  Viscere.exe.com
  2356  SmartClock.exe
  3232  Viscere.exe.com
  4284  qhnwbsfwvbx.exe

Drops startup file (1 IoC)
Processes:
  description   ioc                                                                                          process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk  4.exe

Loads dropped DLL (3 IoCs)
Processes:
  pid   process
  3224  lv (1).exe
  4364  rundll32.exe
  4520  RUNDLL32.EXE

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  15    ip-api.com

Drops file in Program Files directory (4 IoCs)
Processes:
  description   ioc                                                  process
  File created  C:\PROGRA~3\Jvgzbfh.tmp                              rundll32.exe
  File created  C:\Program Files (x86)\foler\olader\acppage.dll      lv (1).exe
  File created  C:\Program Files (x86)\foler\olader\adprovider.dll   lv (1).exe
  File created  C:\Program Files (x86)\foler\olader\acledit.dll      lv (1).exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(That last sentence is the sandbox's generic description of the signature. Nothing else in this report points to ransomware: the extracted configuration is DanaBot's, the other signatures are stealer behaviour such as reading browser profile data, and no file encryption is recorded. Read the drive enumeration here as host reconnaissance by the stealer, not as a ransomware indicator.)
Checks processor information in registry (2 TTPs, 26 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (all keys are under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor; the ioc column is relative to that key):
  description           ioc                             process
  Key value queried     0\Update Revision               RUNDLL32.EXE
  Key value queried     0\ProcessorNameString           Viscere.exe.com
  Key opened            (CentralProcessor itself)       RUNDLL32.EXE
  Key value queried     0\~MHz                          RUNDLL32.EXE
  Key value queried     0\Update Status                 RUNDLL32.EXE
  Key value queried     0\Previous Update Revision      RUNDLL32.EXE
  Key value queried     0\VendorIdentifier              RUNDLL32.EXE
  Key value queried     0\Platform Specific Field 1     RUNDLL32.EXE
  Key value queried     0\FeatureSet                    RUNDLL32.EXE
  Key opened            0                               RUNDLL32.EXE
  Key opened            1                               RUNDLL32.EXE
  Key value enumerated  1                               RUNDLL32.EXE
  Key value queried     1\ProcessorNameString           RUNDLL32.EXE
  Key value queried     1\Update Revision               RUNDLL32.EXE
  Key value queried     0\Component Information         RUNDLL32.EXE
  Key opened            0                               Viscere.exe.com
  Key value enumerated  0                               RUNDLL32.EXE
  Key value queried     0\ProcessorNameString           RUNDLL32.EXE
  Key value queried     1\FeatureSet                    RUNDLL32.EXE
  Key value queried     1\Update Status                 RUNDLL32.EXE
  Key value queried     1\Configuration Data            RUNDLL32.EXE
  Key enumerated        (CentralProcessor itself)       RUNDLL32.EXE
  Key value queried     0\Identifier                    RUNDLL32.EXE
  Key value queried     0\Configuration Data            RUNDLL32.EXE
  Key value queried     1\Identifier                    RUNDLL32.EXE
  Key value queried     1\VendorIdentifier              RUNDLL32.EXE

Modifies registry class (1 IoC)
Processes:
  description  ioc                                                                                process
  Key created  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings  Viscere.exe.com
Modifies system certificate store
Processes:
  description       ioc                                                                                                              process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349       WScript.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob  WScript.exe
                    = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2762A5433B6F9394D002EE197C88599DCDBE6AC9           RUNDLL32.EXE
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2762A5433B6F9394D002EE197C88599DCDBE6AC9\Blob      RUNDLL32.EXE
                    = 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

The two writes are not equivalent. The AuthRoot Blob written by WScript.exe is a certificate property set whose friendly-name property (0x0b, UTF-16) reads "Sectigo (AAA)" and whose certificate property (0x20) is a DER certificate issued by "Comodo CA Limited" (Salford, Greater Manchester, GB) for "AAA Certificate Services", valid 2004-01-01 to 2028-12-31, with CRL distribution points under crl.comodoca.com and crl.comodo.net; its SHA-1 property (0x03) equals the key name D1EB23A46D17D68FD92564C2F1F1601764D8E349. AuthRoot is the store in which Windows caches public roots retrieved through the automatic root certificate update, so this entry is consistent with the script's TLS traffic causing Windows to fetch a well-known root rather than with the malware installing one. The second write, by RUNDLL32.EXE (the DanaBot stage) into the ROOT store under thumbprint 2762A5433B6F9394D002EE197C88599DCDBE6AC9, is the one to look for on an infected host; its Blob value is not reproduced on this page.
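Because the Blob value is a plain sequence of certificate property records, the identity of the certificate can be recovered from the hex without a Windows box. The following is an added example, not part of the sandbox report or of the DanaBot sample, that walks those records, pulls out the friendly name, the stored SHA-1 and the DER certificate, and checks that the SHA-1 of the DER matches both the stored hash and the registry key name. It runs on a constructed blob with a placeholder DER (labelled in the code); paste the AuthRoot Blob hex from the table above together with its key name to decode the real entry. The property-id constants are the wincrypt.h CERT_*_PROP_ID values; the record layout (property id, a reserved DWORD that is 1, data length, data) is the assumption the parser rests on, read off the blob above.

```python
import hashlib
import struct

# Property ids seen in SystemCertificates\...\Certificates\<thumbprint>\Blob values
# (wincrypt.h CERT_*_PROP_ID constants).
CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32


def parse_cert_blob(blob: bytes) -> dict:
    """Split a Blob value into its property records.

    Each record is three little-endian DWORDs (property id, a reserved word that
    is 1 in practice, data length) followed by that many data bytes; records run
    back to back to the end of the value.
    """
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f"truncated record for property {prop_id:#x}")
        props[prop_id] = blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after the last property record")
    return props


def describe_blob(key_name: str, blob_hex: str) -> dict:
    """Decode one registry entry and cross-check the three places the certificate
    identity appears: the key name, the stored SHA-1 property and the SHA-1 of
    the DER certificate itself."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[CERT_CERT_PROP_ID]
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    computed = hashlib.sha1(der).hexdigest().upper()
    raw_name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"")
    return {
        "friendly_name": raw_name.decode("utf-16-le").rstrip("\0"),
        "stored_thumbprint": stored,
        "computed_thumbprint": computed,
        "thumbprint_matches_key": computed == key_name.upper(),
        "thumbprint_matches_stored": computed == stored,
        "der_length": len(der),
        "der_is_sequence": der[:1] == b"\x30",  # every X.509 certificate starts with a SEQUENCE tag
    }


def build_blob(friendly_name: str, der: bytes) -> bytes:
    """Assemble a Blob in the same record layout. Used here only to make a
    constructed test vector; on a real host Windows writes these itself."""
    def rec(prop_id: int, data: bytes) -> bytes:
        return struct.pack("<III", prop_id, 1, len(data)) + data
    return (rec(CERT_FRIENDLY_NAME_PROP_ID, friendly_name.encode("utf-16-le") + b"\0\0")
            + rec(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest())
            + rec(CERT_CERT_PROP_ID, der))


# Constructed stand-in for a DER certificate (a bare SEQUENCE{INTEGER 1}) and the
# key name Windows would use for it. Replace both with the Blob hex and key name
# from a report or a live registry export to decode a real entry.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_KEY_NAME = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
SAMPLE_BLOB_HEX = build_blob("Test Root", SAMPLE_DER).hex()

if __name__ == "__main__":
    for field, value in describe_blob(SAMPLE_KEY_NAME, SAMPLE_BLOB_HEX).items():
        print(f"{field:26} {value}")
```

A mismatch between the computed thumbprint and the key name, or between computed and stored hashes, means the registry entry was not written by the normal certificate store code path and deserves a closer look than the "Modifies system certificate store" label alone gives it.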
Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid   process
  2356  SmartClock.exe
(AddClipboardFormatListener registers a window for clipboard-change notifications, i.e. SmartClock.exe, the persisted copy of 4.exe, watches the clipboard.)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process         occurrences
  4520  RUNDLL32.EXE    8
  4644  powershell.exe  3
  4936  powershell.exe  3

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  4520  RUNDLL32.EXE
  Token: SeDebugPrivilege  4644  powershell.exe
  Token: SeDebugPrivilege  4936  powershell.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid   process
  4520  RUNDLL32.EXE
Suspicious use of WriteProcessMemory (57 IoCs)
Processes:
The 57 entries are 19 distinct parent -> child pairs, each recorded three times:
  parent pid / process        child pid / process
  3224  lv (1).exe         ->  1852  vpn.exe
  3224  lv (1).exe         ->  1952  4.exe
  1852  vpn.exe            ->  528   cmd.exe
  528   cmd.exe            ->  3404  cmd.exe
  3404  cmd.exe            ->  3360  findstr.exe
  3404  cmd.exe            ->  3604  Viscere.exe.com
  3404  cmd.exe            ->  4060  PING.EXE
  1952  4.exe              ->  2356  SmartClock.exe
  3604  Viscere.exe.com    ->  3232  Viscere.exe.com
  3232  Viscere.exe.com    ->  4284  qhnwbsfwvbx.exe
  3232  Viscere.exe.com    ->  4316  WScript.exe
  4284  qhnwbsfwvbx.exe    ->  4364  rundll32.exe
  3232  Viscere.exe.com    ->  4404  WScript.exe
  4364  rundll32.exe       ->  4520  RUNDLL32.EXE
  4520  RUNDLL32.EXE       ->  4644  powershell.exe
  4520  RUNDLL32.EXE       ->  4936  powershell.exe
  4936  powershell.exe     ->  4128  nslookup.exe
  4520  RUNDLL32.EXE       ->  4148  schtasks.exe
  4520  RUNDLL32.EXE       ->  4184  schtasks.exe
Every pair is a parent/child edge of the process tree below, so these writes are a parent populating the child it has just created, not injection into an unrelated, pre-existing process. The pairs that matter for detection are the ones further down the chain: rundll32 re-launching itself on a .TMP module, rundll32 spawning PowerShell and schtasks, and PowerShell spawning nslookup.
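The parent/child pairs above, combined with the command lines recorded in the process tree that follows, are what a detection engineer would turn into rules. The following is an added example, not from the report or the sandbox vendor, that re-types a subset of this report's process creations as constructed records (pid, parent pid, image path, command line, the four fields Sysmon event 1 or EDR process telemetry carry) and runs five rules over them: rundll32 loading a non-.dll module from a user-writable AppData path, PowerShell with -ExecutionPolicy Bypass running a script from Temp, cmd.exe being fed its script through stdin redirection, an image with a double extension, and rundll32 or PowerShell spawning PowerShell, schtasks or nslookup. The Event type, the rule names and the sample records are assumptions of the example; the findstr marker is shortened in the sample.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: process-creation records transcribed from this report's
# process tree (pid, parent pid, image path, command line). The findstr marker
# string is shortened to "MARKER".
SAMPLE_EVENTS = [Event(*row) for row in [
    (3224, 0, r"C:\Users\Admin\AppData\Local\Temp\lv (1).exe", r'"C:\Users\Admin\AppData\Local\Temp\lv (1).exe"'),
    (1852, 3224, r"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe", r'"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"'),
    (528, 1852, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c cmd < Neghi.avi'),
    (3404, 528, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    (3360, 3404, r"C:\Windows\SysWOW64\findstr.exe", r'findstr /V /R "^MARKER$" Naso.avi'),
    (3604, 3404, r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.com", "Viscere.exe.com z"),
    (3232, 3604, r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.com", r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.com z"),
    (4284, 3232, r"C:\Users\Admin\AppData\Local\Temp\qhnwbsfwvbx.exe", r'"C:\Users\Admin\AppData\Local\Temp\qhnwbsfwvbx.exe"'),
    (4364, 4284, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\QHNWBS~1.TMP,S C:\Users\Admin\AppData\Local\Temp\QHNWBS~1.EXE"),
    (4520, 4364, r"C:\Windows\SysWOW64\RUNDLL32.EXE", r"C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\QHNWBS~1.TMP,r1NcT284RA=="),
    (4936, 4520, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE5CF.tmp.ps1"'),
    (4128, 4936, r"C:\Windows\SysWOW64\nslookup.exe", r'"C:\Windows\system32\nslookup.exe" -type=any localhost'),
    (4148, 4520, r"C:\Windows\SysWOW64\schtasks.exe", r"schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask"),
    (1952, 3224, r"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe", r'"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"'),
    (2356, 1952, r"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe", r'"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"'),
]]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Parent/child image pairs that are rarely legitimate on a workstation.
LOLBIN_PAIRS = {
    ("rundll32.exe", "powershell.exe"),
    ("rundll32.exe", "schtasks.exe"),
    ("powershell.exe", "nslookup.exe"),
}


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rundll32_nondll_module(ev: Event, parent) -> bool:
    """rundll32 told to load <module>,<export> where <module> is not a .dll and
    lives under a user-writable AppData path (QHNWBS~1.TMP,S and ,r1Nc... above)."""
    if image_name(ev.image) != "rundll32.exe":
        return False
    m = re.search(r'rundll32\.exe"?\s+("?)([^",]+)\1,(\S+)', ev.cmdline, re.IGNORECASE)
    return bool(m) and not m[2].lower().endswith(".dll") and bool(USER_WRITABLE.search(m[2]))


def powershell_bypass_temp_script(ev: Event, parent) -> bool:
    """-ExecutionPolicy Bypass -File <script under Temp>. A production rule should
    also match abbreviated switches (-ep, -ex) and -Command / -EncodedCommand."""
    c = ev.cmdline.lower()
    return (image_name(ev.image) == "powershell.exe" and "-executionpolicy bypass" in c
            and "-file" in c and "\\appdata\\local\\temp\\" in c)


def cmd_script_from_stdin(ev: Event, parent) -> bool:
    """cmd reading its script from a redirected file with a non-script extension ('cmd < Neghi.avi')."""
    if image_name(ev.image) != "cmd.exe":
        return False
    m = re.search(r'<\s*"?([^\s"]+)', ev.cmdline)
    return bool(m) and not m[1].lower().endswith((".bat", ".cmd", ".txt"))


def double_extension_image(ev: Event, parent) -> bool:
    """An image name like Viscere.exe.com: '.exe' hidden in front of the final extension."""
    parts = image_name(ev.image).split(".")
    return len(parts) >= 3 and "exe" in parts[1:-1]


def lolbin_parent_child(ev: Event, parent) -> bool:
    return parent is not None and (image_name(parent.image), image_name(ev.image)) in LOLBIN_PAIRS


RULES = [rundll32_nondll_module, powershell_bypass_temp_script,
         cmd_script_from_stdin, double_extension_image, lolbin_parent_child]


def evaluate(events) -> list:
    """Return (pid, rule name) for every rule that fires on an event."""
    by_pid = {e.pid: e for e in events}
    return [(e.pid, rule.__name__) for e in events for rule in RULES if rule(e, by_pid.get(e.ppid))]


def ancestry(events, pid: int) -> list:
    """Image names from the root of the tree down to `pid`, for triage context."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(f"{pid:5} {rule:32} {' > '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

The rules are deliberately narrow so they can be read against the tree: the loader's own processes (lv (1).exe, vpn.exe, the bare `cmd`, SmartClock.exe) produce no hits, while every stage from the stdin-fed cmd.exe down to nslookup does. Tune the path and extension allow-lists before deploying; the PowerShell rule in particular only covers the exact switch spelling seen in this report.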
Processes (parent/child tree; the leading number is the depth the sandbox recorded, each entry gives the image path, the logged command line and the signatures that fired on it; PIDs are taken from the signature tables above)

1  C:\Users\Admin\AppData\Local\Temp\lv (1).exe  (PID 3224)
   cmd: "C:\Users\Admin\AppData\Local\Temp\lv (1).exe"
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe  (PID 1852)
      cmd: "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\cmd.exe  (PID 528)
         cmd: "C:\Windows\System32\cmd.exe" /c cmd < Neghi.avi
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\SysWOW64\cmd.exe  (PID 3404)
            cmd: cmd
            - Suspicious use of WriteProcessMemory
            5  C:\Windows\SysWOW64\findstr.exe  (PID 3360)
               cmd: findstr /V /R "^ANQaarciHearBnDUfKcqmVFZJqIeIPPtXEvFeHAcDrnaOSAwUzpipHPEiQIsczmRjhyWwYRHpZbvbhkRmGogFIVfPSbjZoZlDGu$" Naso.avi
            5  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.com  (PID 3604)
               cmd: Viscere.exe.com z
               - Executes dropped EXE
               - Suspicious use of WriteProcessMemory
               6  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.com  (PID 3232)
                  cmd: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.com z
                  - Executes dropped EXE
                  - Checks processor information in registry
                  - Modifies registry class
                  - Suspicious use of WriteProcessMemory
                  7  C:\Users\Admin\AppData\Local\Temp\qhnwbsfwvbx.exe  (PID 4284)
                     cmd: "C:\Users\Admin\AppData\Local\Temp\qhnwbsfwvbx.exe"
                     - Executes dropped EXE
                     - Suspicious use of WriteProcessMemory
                     8  C:\Windows\SysWOW64\rundll32.exe  (PID 4364)
                        cmd: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\QHNWBS~1.TMP,S C:\Users\Admin\AppData\Local\Temp\QHNWBS~1.EXE
                        - Blocklisted process makes network request
                        - Loads dropped DLL
                        - Drops file in Program Files directory
                        - Suspicious use of WriteProcessMemory
                        9  C:\Windows\SysWOW64\RUNDLL32.EXE  (PID 4520)
                           cmd: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\QHNWBS~1.TMP,r1NcT284RA==
                           - Blocklisted process makes network request
                           - Loads dropped DLL
                           - Checks processor information in registry
                           - Modifies system certificate store
                           - Suspicious behavior: EnumeratesProcesses
                           - Suspicious use of AdjustPrivilegeToken
                           - Suspicious use of FindShellTrayWindow
                           - Suspicious use of WriteProcessMemory
                           10  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4644)
                               cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpD468.tmp.ps1"
                               - Suspicious behavior: EnumeratesProcesses
                               - Suspicious use of AdjustPrivilegeToken
                           10  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4936)
                               cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE5CF.tmp.ps1"
                               - Suspicious behavior: EnumeratesProcesses
                               - Suspicious use of AdjustPrivilegeToken
                               - Suspicious use of WriteProcessMemory
                               11  C:\Windows\SysWOW64\nslookup.exe  (PID 4128)
                                   cmd: "C:\Windows\system32\nslookup.exe" -type=any localhost
                           10  C:\Windows\SysWOW64\schtasks.exe  (PID 4148 or 4184)
                               cmd: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
                           10  C:\Windows\SysWOW64\schtasks.exe  (PID 4148 or 4184)
                               cmd: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
                  7  C:\Windows\SysWOW64\WScript.exe  (PID 4316)
                     cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sewqgfweyw.vbs"
                  7  C:\Windows\SysWOW64\WScript.exe  (PID 4404)
                     cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fqvsstbismlv.vbs"
                     - Blocklisted process makes network request
                     - Modifies system certificate store
            5  C:\Windows\SysWOW64\PING.EXE  (PID 4060)
               cmd: ping 127.0.0.1 -n 30
               - Runs ping.exe
   2  C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe  (PID 1952)
      cmd: "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
      - Executes dropped EXE
      - Drops startup file
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe  (PID 2356)
         cmd: "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
         - Executes dropped EXE
         - Suspicious behavior: AddClipboardFormatListener
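The cmd.exe / findstr / ping sub-tree is the 7-Zip SFX dropper's decoding stage: cmd runs the script it reads from Neghi.avi on stdin, `findstr /V /R "^<marker>$" Naso.avi` emits every line of Naso.avi that is not exactly the marker string, and the filtered bytes are what becomes Viscere.exe.com (the redirect target is not part of the logged command line, but Naso.avi and Viscere.exe.com carry different hashes in the Downloads list below, consistent with this). The argument z is byte-identical to Convertira.avi (same hashes below), and `ping 127.0.0.1 -n 30` is a 30-second sleep. The following is an added example, not from the report, that reproduces the findstr /V filtering offline so the executable can be carved from the .avi file without executing anything. The PE header check and the constructed sample file are the example's own assumptions; real findstr has quirks (line-length limits, treatment of a final line without a newline), which is why the output is validated rather than trusted.

```python
# Marker copied from the findstr command line in the report (the text between
# ^ and $). Any other marker string can be passed to the functions instead.
MARKER = b"ANQaarciHearBnDUfKcqmVFZJqIeIPPtXEvFeHAcDrnaOSAwUzpipHPEiQIsczmRjhyWwYRHpZbvbhkRmGogFIVfPSbjZoZlDGu"


def findstr_v_exact(data: bytes, marker: bytes) -> bytes:
    """Approximate `findstr /V /R "^<marker>$" <file>` on a binary file.

    findstr treats its input as LF-separated lines and, with /V, emits every line
    that does NOT match; "^...$" turns the match into a whole-line comparison.
    Kept lines are re-joined byte-for-byte, so a PE image whose bytes happen to
    contain 0x0A survives intact once the marker lines are gone. A trailing CR is
    ignored in the comparison, since the marker lines are CRLF-terminated.
    """
    kept = []
    for line in data.split(b"\n"):
        body = line[:-1] if line.endswith(b"\r") else line
        if body != marker:
            kept.append(line)
    return b"\n".join(kept)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on the carved output: 'MZ' and e_lfanew -> 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_sample_pe() -> bytes:
    """Constructed stand-in for the real executable: a DOS header whose e_lfanew
    points at a 'PE\\0\\0' signature, followed by every byte value twice (so LF
    and CR bytes occur inside the image, as they do in any real binary)."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + bytes(range(256)) * 2


SAMPLE_PE = build_sample_pe()
# Constructed "Naso.avi": one marker line prepended and a second one inserted
# directly after an existing LF inside the image, the only kind of position where
# a whole line can be removed without shifting the surrounding bytes.
_cut = SAMPLE_PE.index(b"\n") + 1
SAMPLE_AVI = MARKER + b"\r\n" + SAMPLE_PE[:_cut] + MARKER + b"\r\n" + SAMPLE_PE[_cut:]


def carve(disguised: bytes, marker: bytes = MARKER) -> bytes:
    """Recover the executable and refuse output that is not a PE image."""
    out = findstr_v_exact(disguised, marker)
    if not looks_like_pe(out):
        raise ValueError("filtered output is not a PE image: wrong marker or encoding")
    return out


if __name__ == "__main__":
    carved = carve(SAMPLE_AVI)
    print(f"input {len(SAMPLE_AVI)} bytes -> carved {len(carved)} bytes, PE={looks_like_pe(carved)}")
```

To use it on the real dropper, read Naso.avi from the report's dropped files, call `carve()` with the marker from the findstr command line, and compare the result's hashes with the Viscere.exe.com entry in the Downloads list; a mismatch means the script did more than a single findstr pass, and the rest of Neghi.avi needs to be read.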
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\PROGRA~3\Jvgzbfh.tmp
  MD5     0833f9a0205db3fe05ca1b4d98478762
  SHA1    c87138eb39028d249946be4fd905dbe8d5179dac
  SHA256  22c8adbf42e60eb2d30177bdd3067ae69673f1a76550c229e9295a0e42800033
  SHA512  c530c194ee966dbfeac9ad287b32d61d170b60201e9398c1aede887a503a2a963dea7b7324823f750b78280643c49b032dfedc5ad2c67eb6cd0e791a97e3839f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5     47eebe401625bbc55e75dbfb72e9e89a
  SHA1    db3b2135942d2532c59b9788253638eb77e5995e
  SHA256  f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3
  SHA512  590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5     5590739c003a887a8a5c1f07904e2080
  SHA1    8d9e5126ab51f71ed9587693a286ca8f6c865033
  SHA256  e0861b6ed7921e17118a20e41c53e24ed5877536e133437dae20b8a99d3f5510
  SHA512  df6f3d3048020bd58f16664258c472babb5af8f4b95e3dea1bb3c8e55aeab602c913bd4ac5007a2bb6a712ffc9c9ab9411deee89d0c6bf954965af78fe5353bd

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Convertira.avi
  MD5     c05a30b650ace2b4b72914543296700c
  SHA1    54939a977b0c4484772b2ceaa7f665c3fbfa918b
  SHA256  8be982c5be3b9e3f4b7200425c32ceaf7cbc11c9a0751184a0110155f878bf93
  SHA512  4e94f07697729edc9f4a9a9567b92b2545905e2399131809cbd64b440e3831af0cd4c350540f035d31c0e0a81a29148b8d75c20e87360c5749daf325a676d94f

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Naso.avi
  MD5     a4a1a85e0674bbc7f9a1857c0eaee8fd
  SHA1    649f0c4701a792bcdf72a716642b74b43b1208b3
  SHA256  d7b6fd607898b2e7ce9811a25d853fe6321fc002bf557b36a07b4f35b0eff5e1
  SHA512  7d65487441e736c247e146ff1543bf4857349964938f1cc2777b82c980e468de32c4da95b56a8a925b1934121910eb90206ed666fcd8e04625c357be4c5b6c79

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.avi
  MD5     55c0d8f58f1fb8a46454dddcc48e3717
  SHA1    8ff3a654f40693fc81f9af66640d7ef9a8e0a09b
  SHA256  453f4cb90e3855c5a878bd2ccc0a335cc057450185bd5e6210817a0ebf57a574
  SHA512  8760f57bff8f060caa8210f6004bdadd2550c5c5c3fa258c4436e63c9763610a925c523bf3f0450bf65ae6a231de8d3e25bd3b9cf9d9ba0dc18271b0362ff8ac

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pulsare.avi
  MD5     70c58e6763625265378b34f8e2b06c42
  SHA1    466bbbee26771d8c683cb2627494186d6d3a6e3a
  SHA256  d0afabb8ea4157962940f102146b9cd73d925ef83df787fe1944af10134cb212
  SHA512  aefddb7a6fb1294727d38433d480abf2cbff4eedd6d357a8c5336069b29a0bfa8a902922a42ade0e196a83c2a045358bb7c5b225fb850a3b9f242284a6791f74

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viscere.exe.com
  MD5     c56b5f0201a3b3de53e561fe76912bfd
  SHA1    2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256  237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512  195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\z  (same hashes as Convertira.avi above)
  MD5     c05a30b650ace2b4b72914543296700c
  SHA1    54939a977b0c4484772b2ceaa7f665c3fbfa918b
  SHA256  8be982c5be3b9e3f4b7200425c32ceaf7cbc11c9a0751184a0110155f878bf93
  SHA512  4e94f07697729edc9f4a9a9567b92b2545905e2399131809cbd64b440e3831af0cd4c350540f035d31c0e0a81a29148b8d75c20e87360c5749daf325a676d94f

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
  MD5     9c5699289a1a5a3cfbca9bbd4afd0c6c
  SHA1    bbd6d5e48c86b6f3461c9f7b286a0b310865093f
  SHA256  f3269e8fd2d5ac2487eaf31217814b8bbf3d33d3383b1d76dd594a2503fd1700
  SHA512  b4ff64e9f4b0f36387b72a067c94fdbd949fff4d346e1eb9ad138774b7711015b864c33f860832eb5ba77826a54daba48283f728487a0dd05cefed95980ee2be

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
  MD5     29b9e814ee33caf130223b113d874521
  SHA1    02360054dcb01ff0f9d17d49e2352f158fb3b6be
  SHA256  5f1aab2b3cc81883ab4c0d8cbf4932be10833af04c182110c542b7cfc9a2254e
  SHA512  6778f368d082c69ed455af057d5d34164ce2a7449857f5b39ab78cb6658bcda55fd6da41a04df291b80076f8b37d0aa81d89f2dde2562a84016fcbabf610620a

C:\Users\Admin\AppData\Local\Temp\QHNWBS~1.TMP  (also listed as \Users\Admin\AppData\Local\Temp\QHNWBS~1.TMP; the module both rundll32 instances load)
  MD5     048c99a09fff8d58f078827119dfd652
  SHA1    9d1dc7f2f4ab3a5273a21072c1121527d42de414
  SHA256  d87d64d9c402d5e16db212cc7f8d3e28cc4f32d6cae922ee158ec979d352f6b5
  SHA512  a4ffa0eb3bb24423dd27bbce753557ee3224850c3f350a05770440892f723f9a1bfb99897dce964de0fc26eddc79769b8134eb456cf022a86716301afbaa82d9

C:\Users\Admin\AppData\Local\Temp\fqvsstbismlv.vbs
  MD5     f07f4c339cd230b60932b12edd34dee3
  SHA1    2724f4dbcdadc45353cdafcf170bb0e7c5c342d2
  SHA256  8b3c638a3ad5b622f52e8234d39f931296fa5969743ac598faca9837ded2e6b8
  SHA512  44aea3b41e2ff16616db4dcb2cba7695853c31af401e05886f7f5469e364382b39501763edd5dd504a7a29819ba4713b91470b406bf50bd07d1d77342641d697

C:\Users\Admin\AppData\Local\Temp\qhnwbsfwvbx.exe
  MD5     cbaa6b69554effbf2b60f9829e50b717
  SHA1    d1ec7b45777d4e0e02cc4f32ba0cc08010044617
  SHA256  c203f54c9cb5f39279de31e42b4ecf80fea8005d77c03ff20b1cd7cccd0c0620
  SHA512  9528072fcfb843cc81d63818e2637937d220e35c3eaaee6ea90df003f0228eb44693cf5c91ef8255720bffeede5b8f83038a5f255b73057ec0708b8a5e0819e8

C:\Users\Admin\AppData\Local\Temp\sewqgfweyw.vbs
  MD5     e8057d9f1b87f5715f03cb148b3dc6e9
  SHA1    4c2f6cc05c01655f98a672e512e8542f31712948
  SHA256  531ececc726cfd1eb86784a170fc860b68e04922a376406c6cfca8e3abe8dd3b
  SHA512  d8efebe977a5b9e12a55ea63a65c8e9ac4402b5b8904243c4cbc8cc0a4e9dce414bc9a77a90d7a628422db50e939cb66f87054aa001ed9afade0dac4b13c2f58

C:\Users\Admin\AppData\Local\Temp\tmpD468.tmp.ps1
  MD5     5caee8ba81c7d4072b1b32c2bd048014
  SHA1    01b3a70187f42697a91ffc97e57ccd8ac5c02418
  SHA256  7d69e0dece805f9ed9bd09a1c85bbd40f63a2ab557b38b2ff3123d2e493862fb
  SHA512  5d0d248a775aa6a92abc42a91344b251eb3e076def4a9325d5ef8df3f7650c87be27c29221d6b42815289bd0382001ef4670ba1470f67c45562ae83e159dec48

C:\Users\Admin\AppData\Local\Temp\tmpD469.tmp
  MD5     c416c12d1b2b1da8c8655e393b544362
  SHA1    fb1a43cd8e1c556c2d25f361f42a21293c29e447
  SHA256  0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
  SHA512  cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

C:\Users\Admin\AppData\Local\Temp\tmpE5CF.tmp.ps1
  MD5     04868a1dade761e7cfc7e47e852b2ab1
  SHA1    b8729a076496d18e45d9f2c6ab2252fba74100cb
  SHA256  59fa511860dd43d06ca8386a0fd4326fcf4636ebb36ff704ab1be4a0da7b5e02
  SHA512  1db562b91f17f1b62c7a94294fd18e687efabc312dbc91bc250e1be7bfca17f8e2471b0bf979abb8667a0275a8f3e098c4e08a21938abd3327d1669ada74b326

C:\Users\Admin\AppData\Local\Temp\tmpE5D0.tmp
  MD5     1860260b2697808b80802352fe324782
  SHA1    f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
  SHA256  0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
  SHA512  d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe  (same hashes as New Feature\4.exe above; this is the copy the Startup .lnk points at)
  MD5     9c5699289a1a5a3cfbca9bbd4afd0c6c
  SHA1    bbd6d5e48c86b6f3461c9f7b286a0b310865093f
  SHA256  f3269e8fd2d5ac2487eaf31217814b8bbf3d33d3383b1d76dd594a2503fd1700
  SHA512  b4ff64e9f4b0f36387b72a067c94fdbd949fff4d346e1eb9ad138774b7711015b864c33f860832eb5ba77826a54daba48283f728487a0dd05cefed95980ee2be

\Users\Admin\AppData\Local\Temp\nssEDB.tmp\UAC.dll  (an ns<random>.tmp plugin directory is how an NSIS installer unpacks its plugins, so lv (1).exe is NSIS-built)
  MD5     adb29e6b186daa765dc750128649b63d
  SHA1    160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256  2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512  b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
Memory dumps (pid-index, address range, dump type, size)
  memory/528-121-0x0000000000000000-mapping.dmp
  memory/1852-115-0x0000000000000000-mapping.dmp
  memory/1952-131-0x0000000002CA0000-0x0000000002DEA000-memory.dmp  Filesize 1.3MB
  memory/1952-118-0x0000000000000000-mapping.dmp
  memory/1952-132-0x0000000000400000-0x0000000002C91000-memory.dmp  Filesize 40.6MB
  memory/2356-140-0x0000000000400000-0x0000000002C91000-memory.dmp  Filesize 40.6MB
  memory/2356-139-0x00000000030E0000-0x0000000003106000-memory.dmp  Filesize 152KB
  memory/2356-133-0x0000000000000000-mapping.dmp
  memory/3232-141-0x00000000010D0000-0x00000000010D1000-memory.dmp  Filesize 4KB
  memory/3232-136-0x0000000000000000-mapping.dmp
  memory/3360-124-0x0000000000000000-mapping.dmp
  memory/3404-123-0x0000000000000000-mapping.dmp
  memory/3604-127-0x0000000000000000-mapping.dmp
  memory/4060-130-0x0000000000000000-mapping.dmp
  memory/4128-213-0x0000000000000000-mapping.dmp
  memory/4148-216-0x0000000000000000-mapping.dmp
  memory/4184-218-0x0000000000000000-mapping.dmp
  memory/4284-152-0x0000000000400000-0x0000000000986000-memory.dmp  Filesize 5.5MB
  memory/4284-143-0x0000000000000000-mapping.dmp
  memory/4284-151-0x00000000026E0000-0x00000000027DF000-memory.dmp  Filesize 1020KB
  memory/4316-146-0x0000000000000000-mapping.dmp
  memory/4364-148-0x0000000000000000-mapping.dmp
  memory/4364-160-0x0000000004FE0000-0x0000000006276000-memory.dmp  Filesize 18.6MB
  memory/4404-153-0x0000000000000000-mapping.dmp
  memory/4520-163-0x0000000004B70000-0x0000000005E06000-memory.dmp  Filesize 18.6MB
  memory/4520-157-0x0000000000000000-mapping.dmp
  memory/4644-174-0x0000000006FB2000-0x0000000006FB3000-memory.dmp  Filesize 4KB
  memory/4644-167-0x0000000004990000-0x0000000004991000-memory.dmp  Filesize 4KB
  memory/4644-177-0x0000000008550000-0x0000000008551000-memory.dmp  Filesize 4KB
  memory/4644-164-0x0000000000000000-mapping.dmp
  memory/4644-179-0x00000000085E0000-0x00000000085E1000-memory.dmp  Filesize 4KB
  memory/4644-184-0x0000000009C50000-0x0000000009C51000-memory.dmp  Filesize 4KB
  memory/4644-185-0x00000000091E0000-0x00000000091E1000-memory.dmp  Filesize 4KB
  memory/4644-186-0x0000000009280000-0x0000000009281000-memory.dmp  Filesize 4KB
  memory/4644-175-0x0000000007D40000-0x0000000007D41000-memory.dmp  Filesize 4KB
  memory/4644-189-0x0000000006FB3000-0x0000000006FB4000-memory.dmp  Filesize 4KB
  memory/4644-168-0x00000000075F0000-0x00000000075F1000-memory.dmp  Filesize 4KB
  memory/4644-176-0x0000000008450000-0x0000000008451000-memory.dmp  Filesize 4KB
  memory/4644-169-0x00000000073F0000-0x00000000073F1000-memory.dmp  Filesize 4KB
  memory/4644-173-0x0000000006FB0000-0x0000000006FB1000-memory.dmp  Filesize 4KB
  memory/4644-170-0x0000000007570000-0x0000000007571000-memory.dmp  Filesize 4KB
  memory/4644-171-0x0000000007490000-0x0000000007491000-memory.dmp  Filesize 4KB
  memory/4644-172-0x0000000007E20000-0x0000000007E21000-memory.dmp  Filesize 4KB
  memory/4936-204-0x00000000073D2000-0x00000000073D3000-memory.dmp  Filesize 4KB
  memory/4936-203-0x00000000073D0000-0x00000000073D1000-memory.dmp  Filesize 4KB
  memory/4936-202-0x0000000008800000-0x0000000008801000-memory.dmp  Filesize 4KB
  memory/4936-199-0x0000000008290000-0x0000000008291000-memory.dmp  Filesize 4KB
  memory/4936-217-0x00000000073D3000-0x00000000073D4000-memory.dmp  Filesize 4KB
  memory/4936-190-0x0000000000000000-mapping.dmp