e4b73e23cf600d4fee331e7300d86a8faa1a945751ad8646792d76cfe9bb4f37

Analysis

max time kernel
53s
max time network
56s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/12/2022, 23:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

edrawmax.exe
Size

76.7MB
MD5

424ae6a1cbc78cb0f81380eaf75f6a00
SHA1

33772dd3170ff5ee4f2be1cd9eee82836aceb594
SHA256

e4b73e23cf600d4fee331e7300d86a8faa1a945751ad8646792d76cfe9bb4f37
SHA512

5704d24286df84c06b6c492fa256f28ef0a9d4d2a339c13566bbde3c2950b1e33e11e40471cd7c7f57d4453d32959ba2b2d97b46ef2098be691d14d3e55e8f6e
SSDEEP

1572864:XCm67nYuItrprOEQOoEXJi6SJENV7qz7xZPZt2K2liIVObDBgeZxx3VQQoNv58sz:mnRIrIErEuVcFjt2d1wnBgI1VQQoNvOu

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2004	edrawmax.tmp

Loads dropped DLL 14 IoCs

pid	Process
2036	edrawmax.exe
2004	edrawmax.tmp
2004	edrawmax.tmp
2004	edrawmax.tmp
2004	edrawmax.tmp
2004	edrawmax.tmp
2004	edrawmax.tmp
2004	edrawmax.tmp
2004	edrawmax.tmp
1504	regsvr32.exe
1504	regsvr32.exe
1504	regsvr32.exe
1504	regsvr32.exe
1768	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Edraw Max\library\Chart\is-M3DRE.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Project\is-N7TNI.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\Forms\is-HLMQG.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\thum\is-RU32O.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\help\ContextHelp\is-EF73S.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\help\ContextHelp\images\is-0BCFM.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\thum\is-N9EMG.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\thum\is-K6OH4.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\thum\is-DTC8Q.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\help\ContextHelp\is-VHFGH.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Basic Diagram\is-BMRH8.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\form\is-BV9D3.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\texture\is-HK8F3.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\Cisco\is-INHOJ.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\thum\is-SDJM5.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\thum\is-SLPGM.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Business\is-QHKQ5.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Business\is-6IEDA.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Business\is-G2LUQ.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Project\is-E3KH0.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\help\ContextHelp\is-JJDQK.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\Orgchart\is-D6ROF.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\texture\is-S60M1.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Clip Art\is-MRS15.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\thum\is-3ATPI.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Chart\is-8K04D.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\Gallery\images\charts\is-F87VJ.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\Network\is-R49SH.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Flowchart\is-IRA0C.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Presentation\is-05QHT.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\Gallery\images\charts\is-FDPRT.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Engineering\is-EAECN.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Business\is-JLS37.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Organizational Chart\is-AR4P4.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\Gallery\images\building\is-61F8N.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\Gallery\images\businesscard\is-DCPHO.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\Gallery\images\wireframe\is-87K7I.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Business\is-IKSEU.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Business\is-1R9K1.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\help\ContextHelp\is-DBT66.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\Charts and Graphics\is-81SJC.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\help\ContextHelp\is-PUJM1.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Flowchart\is-DCSU8.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Project\is-ACSU0.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\thum\is-UKJLF.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\thum\is-OL72N.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\texture\is-LFCHU.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\config\is-1ECOK.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\config\ExpMediate\PX\Layouts\is-0JOH9.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Business Card\is-M6BNA.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Flowchart\is-A3IH8.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\texture\is-RIAI5.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\help\ContextHelp\is-F7NDL.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\thum\is-M0L33.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Business\is-T5JAK.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Business\is-46GL4.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Flowchart\is-MJ91V.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\samples\Edraw Examples\Flyer\is-FIJUD.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\thum\is-NUIJH.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\thum\is-4G755.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\texture\is-N7CPP.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\texture\is-BHI5R.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\help\ContextHelp\images\is-KL5KE.tmp	edrawmax.tmp
File created	C:\Program Files (x86)\Edraw Max\library\Network\is-E43TH.tmp	edrawmax.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.edxz\shellex	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{25F8C791-611D-4FC6-90C2-70ADCFF27933}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2C7BF21-1D78-4A51-A987-7DC0804F781D}\8.0\ = "EDOffice"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC4596A5-2170-4148-94FF-B4C3C8C76665}\MiscStatus\1\ = "131473"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29333722-2C7F-4E5F-A2DD-DD3C4AE97345}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Edraw.Document\Insertable\	edrawmax.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29333722-2C7F-4E5F-A2DD-DD3C4AE97345}\ = "Extractor Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2C7BF21-1D78-4A51-A987-7DC0804F781D}\8.0\HELPDIR\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E5C1EF4-4909-4ECB-A468-5DED35C6A7BD}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC4596A5-2170-4148-94FF-B4C3C8C76665}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\Edraw Max\\officeviewer.ocx, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Edraw.Document\ = "Edraw.Document"	edrawmax.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A83CFCB-EEDE-4621-8722-8FA0234BBBCC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Edraw.XMLDocument\shell	edrawmax.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{B1AE10D8-2050-42E0-991B-B1584E7AE514}\AuxUserType\3\ = "Edraw"	edrawmax.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ThumbThumbView.Extractor.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.eddx	edrawmax.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1AE10D8-2050-42E0-991B-B1584E7AE514}\Printable\	edrawmax.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{25F8C791-611D-4FC6-90C2-70ADCFF27933}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC4596A5-2170-4148-94FF-B4C3C8C76665}\Version\ = "8.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{B1AE10D8-2050-42E0-991B-B1584E7AE514}\DefaultIcon\ = "C:\\Program Files (x86)\\Edraw Max\\Edraw.exe"	edrawmax.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Edraw.Document\DefaultIcon\ = "C:\\Program Files (x86)\\Edraw Max\\Edraw.exe,3"	edrawmax.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{25F8C791-611D-4FC6-90C2-70ADCFF27933}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EDOFFICE.EDOfficeCtrl.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.eddx\shellNew	edrawmax.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1AE10D8-2050-42E0-991B-B1584E7AE514}\AuxUserType\2	edrawmax.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Edraw.Document\protocol\StdFileEditing\verb\0\ = "&Edit"	edrawmax.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1AE10D8-2050-42E0-991B-B1584E7AE514}\LocalServer32\ = "C:\\Program Files (x86)\\Edraw Max\\Edraw.exe"	edrawmax.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ThumbThumbView.Extractor\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.eddx\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{29333722-2C7F-4E5F-A2DD-DD3C4AE97345}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E5C1EF4-4909-4ECB-A468-5DED35C6A7BD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.eddx\shellNew\NullFile	edrawmax.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{B1AE10D8-2050-42E0-991B-B1584E7AE514}\Insertable	edrawmax.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1AE10D8-2050-42E0-991B-B1584E7AE514}\DefaultExtension\ = "eddx"	edrawmax.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29333722-2C7F-4E5F-A2DD-DD3C4AE97345}\InprocServer32\ = "C:\\Program Files (x86)\\Edraw Max\\ThumbView.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EDOFFICE.EDOfficeCtrl.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC4596A5-2170-4148-94FF-B4C3C8C76665}\ = "EDOffice"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{B1AE10D8-2050-42E0-991B-B1584E7AE514}\DefaultIcon	edrawmax.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{B1AE10D8-2050-42E0-991B-B1584E7AE514}\Printable\	edrawmax.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{B1AE10D8-2050-42E0-991B-B1584E7AE514}\verb\0	edrawmax.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{B1AE10D8-2050-42E0-991B-B1584E7AE514}\ProgId\ = "Edraw.Document"	edrawmax.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29333722-2C7F-4E5F-A2DD-DD3C4AE97345}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29333722-2C7F-4E5F-A2DD-DD3C4AE97345}\ProgID\ = "ThumbThumbView.Extractor.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2C7BF21-1D78-4A51-A987-7DC0804F781D}\8.0\0\win32\ = "C:\\Program Files (x86)\\Edraw Max\\officeviewer.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC4596A5-2170-4148-94FF-B4C3C8C76665}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{B1AE10D8-2050-42E0-991B-B1584E7AE514}\DocObject\ = "0"	edrawmax.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ThumbThumbView.Extractor\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.edx\shellex	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1AE10D8-2050-42E0-991B-B1584E7AE514}\DefaultExtension	edrawmax.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E5C1EF4-4909-4ECB-A468-5DED35C6A7BD}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A83CFCB-EEDE-4621-8722-8FA0234BBBCC}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC4596A5-2170-4148-94FF-B4C3C8C76665}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1AE10D8-2050-42E0-991B-B1584E7AE514}\verb	edrawmax.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Edraw.XMLDocument\ = "Edraw XML Document"	edrawmax.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1AE10D8-2050-42E0-991B-B1584E7AE514}\ProgId\ = "Edraw.Document"	edrawmax.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1AE10D8-2050-42E0-991B-B1584E7AE514}\MiscStatus\ = "32"	edrawmax.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC4596A5-2170-4148-94FF-B4C3C8C76665}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC4596A5-2170-4148-94FF-B4C3C8C76665}\TypeLib\ = "{E2C7BF21-1D78-4A51-A987-7DC0804F781D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.eddx\shellNew\	edrawmax.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E5C1EF4-4909-4ECB-A468-5DED35C6A7BD}\ = "_DEDOffice"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1AE10D8-2050-42E0-991B-B1584E7AE514}	edrawmax.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Edraw.Document\DefaultIcon	edrawmax.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B1AE10D8-2050-42E0-991B-B1584E7AE514}\Printable	edrawmax.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2004	edrawmax.tmp
2004	edrawmax.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2004	edrawmax.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2004	2036	edrawmax.exe	28
PID 2036 wrote to memory of 2004	2036	edrawmax.exe	28
PID 2036 wrote to memory of 2004	2036	edrawmax.exe	28
PID 2036 wrote to memory of 2004	2036	edrawmax.exe	28
PID 2036 wrote to memory of 2004	2036	edrawmax.exe	28
PID 2036 wrote to memory of 2004	2036	edrawmax.exe	28
PID 2036 wrote to memory of 2004	2036	edrawmax.exe	28
PID 2004 wrote to memory of 1504	2004	edrawmax.tmp	29
PID 2004 wrote to memory of 1504	2004	edrawmax.tmp	29
PID 2004 wrote to memory of 1504	2004	edrawmax.tmp	29
PID 2004 wrote to memory of 1504	2004	edrawmax.tmp	29
PID 2004 wrote to memory of 1504	2004	edrawmax.tmp	29
PID 2004 wrote to memory of 1504	2004	edrawmax.tmp	29
PID 2004 wrote to memory of 1504	2004	edrawmax.tmp	29
PID 2004 wrote to memory of 1768	2004	edrawmax.tmp	30
PID 2004 wrote to memory of 1768	2004	edrawmax.tmp	30
PID 2004 wrote to memory of 1768	2004	edrawmax.tmp	30
PID 2004 wrote to memory of 1768	2004	edrawmax.tmp	30
PID 2004 wrote to memory of 1768	2004	edrawmax.tmp	30
PID 2004 wrote to memory of 1768	2004	edrawmax.tmp	30
PID 2004 wrote to memory of 1768	2004	edrawmax.tmp	30

C:\Users\Admin\AppData\Local\Temp\edrawmax.exe
"C:\Users\Admin\AppData\Local\Temp\edrawmax.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\is-EBRDO.tmp\edrawmax.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-EBRDO.tmp\edrawmax.tmp" /SL5="$70124,79961065,129536,C:\Users\Admin\AppData\Local\Temp\edrawmax.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Edraw Max\ThumbView.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1504
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Edraw Max\officeviewer.ocx"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Edraw Max\MSVCP100.dll

Filesize
411KB

MD5
32e390954b2c6b1583a969ed0e7c8a9d

SHA1
fb1dccbabd587a12508127abff7b3c8bf6c2bb1a

SHA256
bcb4e8143322025f1b4c66e75dbfff0495338b617c103b0ac14299d5badd4185

SHA512
5c4a01e867d2f358c15ccb7aa78a2384237ad9dae83602f8eea388941b11e85ecefcc21040f439da3f21ac1916c75377c55693df86251d30d1bed3726d21f557

Download Submit
C:\Program Files (x86)\Edraw Max\MSVCR100.dll

Filesize
750KB

MD5
2b92a88e329f4845d31941967a3baa90

SHA1
bbf341e7ed9947de0b5d84d93ca0bc4c8beb5500

SHA256
649a7ab8e3b5c0940812e40eafc8f004979bb48bfc8f4bc7db9f2cbcdd715344

SHA512
b94862e3f516402317a5467c6e0ff3dd23a967d90dae87dec1687157e43978c2d73c24fee71b4febeada54bb433ea4fcd16568d02fde1c4f9f50f6d7ba02408a

Download Submit
C:\Program Files (x86)\Edraw Max\ThumbView.dll

Filesize
140KB

MD5
b2fe932bcd8b2edbecb2f8812a7acc78

SHA1
cec3b1af6fd98a963437c652352d22f60f069a09

SHA256
a66c2d2f100b7777e5cec636a1845ef48fb8df8143e22c68791c5e18125d0234

SHA512
26a69981489d9db741e24c6c532a1d04f1e87d82540a71fc3e195fa587894eb759d32a04d9bc886e790b2f1a4be50477c2d4c5a9317068022c733123693e9be2

Download Submit
C:\Program Files (x86)\Edraw Max\mfc100u.dll

Filesize
4.2MB

MD5
c67a6fa10a94746c5f65c656646ae216

SHA1
80fc21ed06ad06d3c0d8c15e52bfd03376b35e9d

SHA256
abeb2d80384af1b1a5fae7fc21c3f6ead04cceb01d34a4255a14a194dd4ccfe2

SHA512
1155ec3c59f30e0b826010dda38330cbed44b270b735eff44fcd782553bfc11dc8fc284657743414b74f92f07d3eb788d390ac516291cc3e03b2bd83dacb5217

Download Submit
C:\Program Files (x86)\Edraw Max\officeviewer.ocx

Filesize
2.1MB

MD5
0d8e2e800914f489a70eb50704d4def7

SHA1
75191d3f4779a867c6717f5bd0052d2d986f3d70

SHA256
ecbfd6e6bbc26850a617bc0ba6bb6de09d12121e36d137e508b5983d9a852d6e

SHA512
c6acb103610c4131fba4a15261d9261f37e3c88621d6474c40e239f4fa3845994e1cf0d00b65d23a20b352cc0c220f59a4167f8d86846bc4315a68c81deb5a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EBRDO.tmp\edrawmax.tmp

Filesize
1.1MB

MD5
9ffcdcabde63d087ecc8368add047c18

SHA1
4f050e05dea58e22f8ce966483a330ab68fc2893

SHA256
430db47c54d1bd4aa944f533fb78a545e257d6dcfeab8da0ec9c2d50bf0577ea

SHA512
b0838fe22da39dd2b47fa5c8ebadb36be5ff121750f8bb66e45e51e130a103acbed375537fbb51b9bf0456a504e9a6fb678802e24e98ffe4166a3ad12d61d07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EBRDO.tmp\edrawmax.tmp

Filesize
1.1MB

MD5
9ffcdcabde63d087ecc8368add047c18

SHA1
4f050e05dea58e22f8ce966483a330ab68fc2893

SHA256
430db47c54d1bd4aa944f533fb78a545e257d6dcfeab8da0ec9c2d50bf0577ea

SHA512
b0838fe22da39dd2b47fa5c8ebadb36be5ff121750f8bb66e45e51e130a103acbed375537fbb51b9bf0456a504e9a6fb678802e24e98ffe4166a3ad12d61d07d

Download Submit
\Program Files (x86)\Edraw Max\Edraw.exe

Filesize
5.6MB

MD5
f5cd0973fe299ee638d38f8dab7dc33a

SHA1
204aaf7a21666a809c9f54e20e0ca076fc93406a

SHA256
c3531dc825c4b0ff87693ad729456b2f6dbbdad08287e7b532817f743765f54c

SHA512
b860e52044f8412e1c4f2a55b4040f8f0ae8964c9c392dfb07c9cc0469881e227e3f4faab57b38017ab6beb34c4fd93827be294c09b1fe6c67e8cbad2b301e26

Download Submit
\Program Files (x86)\Edraw Max\ThumbView.dll

Filesize
140KB

MD5
b2fe932bcd8b2edbecb2f8812a7acc78

SHA1
cec3b1af6fd98a963437c652352d22f60f069a09

SHA256
a66c2d2f100b7777e5cec636a1845ef48fb8df8143e22c68791c5e18125d0234

SHA512
26a69981489d9db741e24c6c532a1d04f1e87d82540a71fc3e195fa587894eb759d32a04d9bc886e790b2f1a4be50477c2d4c5a9317068022c733123693e9be2

Download Submit
\Program Files (x86)\Edraw Max\ThumbView.dll

Filesize
140KB

MD5
b2fe932bcd8b2edbecb2f8812a7acc78

SHA1
cec3b1af6fd98a963437c652352d22f60f069a09

SHA256
a66c2d2f100b7777e5cec636a1845ef48fb8df8143e22c68791c5e18125d0234

SHA512
26a69981489d9db741e24c6c532a1d04f1e87d82540a71fc3e195fa587894eb759d32a04d9bc886e790b2f1a4be50477c2d4c5a9317068022c733123693e9be2

Download Submit
\Program Files (x86)\Edraw Max\ThumbView.dll

Filesize
140KB

MD5
b2fe932bcd8b2edbecb2f8812a7acc78

SHA1
cec3b1af6fd98a963437c652352d22f60f069a09

SHA256
a66c2d2f100b7777e5cec636a1845ef48fb8df8143e22c68791c5e18125d0234

SHA512
26a69981489d9db741e24c6c532a1d04f1e87d82540a71fc3e195fa587894eb759d32a04d9bc886e790b2f1a4be50477c2d4c5a9317068022c733123693e9be2

Download Submit
\Program Files (x86)\Edraw Max\mfc100u.dll

Filesize
4.2MB

MD5
c67a6fa10a94746c5f65c656646ae216

SHA1
80fc21ed06ad06d3c0d8c15e52bfd03376b35e9d

SHA256
abeb2d80384af1b1a5fae7fc21c3f6ead04cceb01d34a4255a14a194dd4ccfe2

SHA512
1155ec3c59f30e0b826010dda38330cbed44b270b735eff44fcd782553bfc11dc8fc284657743414b74f92f07d3eb788d390ac516291cc3e03b2bd83dacb5217

Download Submit
\Program Files (x86)\Edraw Max\msvcp100.dll

Filesize
411KB

MD5
32e390954b2c6b1583a969ed0e7c8a9d

SHA1
fb1dccbabd587a12508127abff7b3c8bf6c2bb1a

SHA256
bcb4e8143322025f1b4c66e75dbfff0495338b617c103b0ac14299d5badd4185

SHA512
5c4a01e867d2f358c15ccb7aa78a2384237ad9dae83602f8eea388941b11e85ecefcc21040f439da3f21ac1916c75377c55693df86251d30d1bed3726d21f557

Download Submit
\Program Files (x86)\Edraw Max\msvcr100.dll

Filesize
750KB

MD5
2b92a88e329f4845d31941967a3baa90

SHA1
bbf341e7ed9947de0b5d84d93ca0bc4c8beb5500

SHA256
649a7ab8e3b5c0940812e40eafc8f004979bb48bfc8f4bc7db9f2cbcdd715344

SHA512
b94862e3f516402317a5467c6e0ff3dd23a967d90dae87dec1687157e43978c2d73c24fee71b4febeada54bb433ea4fcd16568d02fde1c4f9f50f6d7ba02408a

Download Submit
\Program Files (x86)\Edraw Max\officeviewer.ocx

Filesize
2.1MB

MD5
0d8e2e800914f489a70eb50704d4def7

SHA1
75191d3f4779a867c6717f5bd0052d2d986f3d70

SHA256
ecbfd6e6bbc26850a617bc0ba6bb6de09d12121e36d137e508b5983d9a852d6e

SHA512
c6acb103610c4131fba4a15261d9261f37e3c88621d6474c40e239f4fa3845994e1cf0d00b65d23a20b352cc0c220f59a4167f8d86846bc4315a68c81deb5a33

Download Submit
\Program Files (x86)\Edraw Max\officeviewer.ocx

Filesize
2.1MB

MD5
0d8e2e800914f489a70eb50704d4def7

SHA1
75191d3f4779a867c6717f5bd0052d2d986f3d70

SHA256
ecbfd6e6bbc26850a617bc0ba6bb6de09d12121e36d137e508b5983d9a852d6e

SHA512
c6acb103610c4131fba4a15261d9261f37e3c88621d6474c40e239f4fa3845994e1cf0d00b65d23a20b352cc0c220f59a4167f8d86846bc4315a68c81deb5a33

Download Submit
\Program Files (x86)\Edraw Max\officeviewer.ocx

Filesize
2.1MB

MD5
0d8e2e800914f489a70eb50704d4def7

SHA1
75191d3f4779a867c6717f5bd0052d2d986f3d70

SHA256
ecbfd6e6bbc26850a617bc0ba6bb6de09d12121e36d137e508b5983d9a852d6e

SHA512
c6acb103610c4131fba4a15261d9261f37e3c88621d6474c40e239f4fa3845994e1cf0d00b65d23a20b352cc0c220f59a4167f8d86846bc4315a68c81deb5a33

Download Submit
\Program Files (x86)\Edraw Max\unins000.exe

Filesize
1.1MB

MD5
61db29c3153410aac8287216d841f76d

SHA1
ea503bd2b347fd8bfed3ea3c507dd0fef6a0de80

SHA256
3245485df4f2dffe76234de12ef86f74cc5b5dd466140e45d6352e788ea3964a

SHA512
1fc0cf6a4e35af580fc8479b0dcf7d3743d8b20231fdebd9727420d8c87c23bb3875b96947e43ecd1042f0e2a5601b62b3e01929d69a246387a4ebe63519e735

Download Submit
\Users\Admin\AppData\Local\Temp\is-EBRDO.tmp\edrawmax.tmp

Filesize
1.1MB

MD5
9ffcdcabde63d087ecc8368add047c18

SHA1
4f050e05dea58e22f8ce966483a330ab68fc2893

SHA256
430db47c54d1bd4aa944f533fb78a545e257d6dcfeab8da0ec9c2d50bf0577ea

SHA512
b0838fe22da39dd2b47fa5c8ebadb36be5ff121750f8bb66e45e51e130a103acbed375537fbb51b9bf0456a504e9a6fb678802e24e98ffe4166a3ad12d61d07d

Download Submit
\Users\Admin\AppData\Local\Temp\is-KV0MF.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-KV0MF.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2004-64-0x0000000074C31000-0x0000000074C33000-memory.dmp

Filesize
8KB

Download
memory/2036-54-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download
memory/2036-55-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2036-63-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2036-86-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download