b7725e5b69a81000ead012328348bd827fbf236682392c4a2b339c630ad36def

Analysis

max time kernel
78s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2023, 16:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

sigplus (2).exe
Size

3.2MB
MD5

b6df25c8096c3d433a200d04346df3be
SHA1

feb7167f6e522e12fa4509398fba3f6cf23a17ed
SHA256

be92521c1847134a6556e746805e54e077b1412d293f64aac8d1ec1fd285e6d8
SHA512

46f7af7d938ba1b7fecd9ec550110b476f8372fde90ff6c0e19b397529c52696584bbc43956cf3e4b15e214d3ce6d2f55ee03fcda380b65966db31ca80a6f8a5
SSDEEP

98304:H8r8RPG/YrpHCzapfddln5C73ZtHMnLo+p:cr8RO/YrpH8afddB5Cz36V

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	GLB89B2.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SigPlus\~GLH0002.TMP	GLB89B2.tmp
File opened for modification	C:\Windows\SigPlus\TopazLicense.txt	GLB89B2.tmp
File created	C:\Windows\SigPlus\~GLH0009.TMP	GLB89B2.tmp
File opened for modification	C:\Windows\SigPlus\UNWISE.EXE	GLB89B2.tmp
File created	C:\Windows\~GLH000c.TMP	GLB89B2.tmp
File opened for modification	C:\Windows\SigPlus.ini	GLB89B2.tmp
File opened for modification	C:\Windows\SigPlus\INSTALL.LOG	GLB89B2.tmp
File created	C:\Windows\SigPlus\~GLH0003.TMP	GLB89B2.tmp
File created	C:\Windows\SigPlus\temp.000	GLB89B2.tmp
File opened for modification	C:\Windows\SigPlus\SigPlus.ocx	GLB89B2.tmp
File created	C:\Windows\SigPlus\~GLH000b.TMP	GLB89B2.tmp
File opened for modification	C:\Windows\SigPlus\unregsigplus.exe	GLB89B2.tmp
File opened for modification	C:\Windows\SigPlus\UNWISE.INI	GLB89B2.tmp
File created	C:\Windows\SigPlus\INSTALL.LOG	GLB89B2.tmp
File opened for modification	C:\Windows\SigPlus\DemoOCX.exe	GLB89B2.tmp
File created	C:\Windows\SigPlus\~GLH0007.TMP	GLB89B2.tmp
File opened for modification	C:\Windows\SigPlus\SigSign.ocx	GLB89B2.tmp
File created	C:\Windows\SigPlus\~GLH000a.TMP	GLB89B2.tmp

Executes dropped EXE 4 IoCs

pid	Process
4220	GLB89B2.tmp
3984	GLJ8AFB.tmp
5060	GLJ8AFB.tmp
4148	DemoOCX.exe

Loads dropped DLL 8 IoCs

pid	Process
4220	GLB89B2.tmp
4220	GLB89B2.tmp
4220	GLB89B2.tmp
4220	GLB89B2.tmp
4220	GLB89B2.tmp
3984	GLJ8AFB.tmp
5060	GLJ8AFB.tmp
4148	DemoOCX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000079cd0cec77ace0110000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000079cd0cec0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000000032000000ffffffff00000000070001000068090079cd0cec000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01232000000000020ed0d000000ffffffff00000000070001000068091979cd0cec000000000000d0123200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000079cd0cec00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GLB89B2.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GLB89B2.tmp

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{69A40DA0-4D42-11D0-86B0-0000C025864A}\2.18\0\win32\ = "C:\\Windows\\SigPlus\\SigPlus.ocx"	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69A40DA2-4D42-11D0-86B0-0000C025864A}	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40C20904-C3DA-11D1-B302-0000C090FF48}\ = "SigPlus Image Prop Page"	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69A40DA3-4D42-11D0-86B0-0000C025864A}\Version	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69A40DA3-4D42-11D0-86B0-0000C025864A}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E05A0EA1-C3CF-11D1-B302-0000C090FF48}	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69A40DA4-4D42-11D0-86B0-0000C025864A}\ = "SigPlus General Property Page"	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6236153-7D18-11D3-A104-0000C033864A}\1.0\ = "SigSign ActiveX Control module"	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6236154-7D18-11D3-A104-0000C033864A}\ = "_DSigSign"	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6236156-7D18-11D3-A104-0000C033864A}\InprocServer32\ = "C:\\Windows\\SigPlus\\SigSign.ocx"	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6236156-7D18-11D3-A104-0000C033864A}\TypeLib	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69A40DA2-4D42-11D0-86B0-0000C025864A}\ProxyStubClsid32	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69A40DA2-4D42-11D0-86B0-0000C025864A}\TypeLib\Version = "2.18"	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69A40DA4-4D42-11D0-86B0-0000C025864A}\InprocServer32	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69A40DA3-4D42-11D0-86B0-0000C025864A}\InprocServer32\ = "C:\\Windows\\SigPlus\\SigPlus.ocx"	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69A40DA3-4D42-11D0-86B0-0000C025864A}\Implemented Categories	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6236156-7D18-11D3-A104-0000C033864A}\MiscStatus\1\ = "132241"	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{69A40DA0-4D42-11D0-86B0-0000C025864A}\2.18\FLAGS\ = "2"	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{69A40DA0-4D42-11D0-86B0-0000C025864A}\2.18\0\win32	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40C20904-C3DA-11D1-B302-0000C090FF48}\InprocServer32\ = "C:\\Windows\\SigPlus\\SigPlus.ocx"	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40C20901-C3DA-11D1-B302-0000C090FF48}\InprocServer32\ = "C:\\Windows\\SigPlus\\SigPlus.ocx"	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6236155-7D18-11D3-A104-0000C033864A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6236155-7D18-11D3-A104-0000C033864A}\TypeLib\ = "{E6236153-7D18-11D3-A104-0000C033864A}"	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6236156-7D18-11D3-A104-0000C033864A}\InprocServer32	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SIGPLUS.SigPlusCtrl.1\ = "SigPlus Control"	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6236157-7D18-11D3-A104-0000C033864A}\ = "SigSign Property Page"	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6236156-7D18-11D3-A104-0000C033864A}\Control\	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{69A40DA0-4D42-11D0-86B0-0000C025864A}\2.18\HELPDIR	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69A40DA1-4D42-11D0-86B0-0000C025864A}\TypeLib\ = "{69A40DA0-4D42-11D0-86B0-0000C025864A}"	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69A40DA2-4D42-11D0-86B0-0000C025864A}\TypeLib	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69A40DA4-4D42-11D0-86B0-0000C025864A}	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69A40DA1-4D42-11D0-86B0-0000C025864A}	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SIGPLUS.SigPlusCtrl.1\CLSID	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6236153-7D18-11D3-A104-0000C033864A}\1.0\0\win32\ = "C:\\Windows\\SigPlus\\SigSign.ocx"	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69A40DA2-4D42-11D0-86B0-0000C025864A}\TypeLib	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69A40DA3-4D42-11D0-86B0-0000C025864A}\ToolboxBitmap32	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69A40DA3-4D42-11D0-86B0-0000C025864A}\MiscStatus\1	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6236153-7D18-11D3-A104-0000C033864A}\1.0\0	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SIGSIGN.SigSignCtrl.1\ = "SigSign Control"	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E05A0EA1-C3CF-11D1-B302-0000C090FF48}\InprocServer32	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SIGPLUS.SigPlusCtrl.1\CLSID\ = "{69A40DA3-4D42-11D0-86B0-0000C025864A}"	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69A40DA3-4D42-11D0-86B0-0000C025864A}\TypeLib	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6236156-7D18-11D3-A104-0000C033864A}\ToolboxBitmap32\ = "C:\\Windows\\SigPlus\\SigSign.ocx, 1"	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6236156-7D18-11D3-A104-0000C033864A}\TypeLib\ = "{E6236153-7D18-11D3-A104-0000C033864A}"	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SIGSIGN.SigSignCtrl.1\Insertable\	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40C20901-C3DA-11D1-B302-0000C090FF48}	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6236153-7D18-11D3-A104-0000C033864A}\1.0\0\win32	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6236154-7D18-11D3-A104-0000C033864A}\ = "_DSigSign"	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SIGSIGN.SigSignCtrl.1	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6236156-7D18-11D3-A104-0000C033864A}\Control	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69A40DA2-4D42-11D0-86B0-0000C025864A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E05A0EA1-C3CF-11D1-B302-0000C090FF48}\ = "SigPlus Tablet Prop Page"	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E6236153-7D18-11D3-A104-0000C033864A}\1.0\HELPDIR\ = "C:\\Windows\\SigPlus"	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6236155-7D18-11D3-A104-0000C033864A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SIGSIGN.SigSignCtrl.1\CLSID\ = "{E6236156-7D18-11D3-A104-0000C033864A}"	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69A40DA1-4D42-11D0-86B0-0000C025864A}\TypeLib	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69A40DA1-4D42-11D0-86B0-0000C025864A}	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SIGPLUS.SigPlusCtrl.1	GLJ8AFB.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6236155-7D18-11D3-A104-0000C033864A}\TypeLib	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6236156-7D18-11D3-A104-0000C033864A}\InprocServer32\ThreadingModel = "Apartment"	GLJ8AFB.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40C20901-C3DA-11D1-B302-0000C090FF48}\ = "SigPlus DisplayProp Page"	GLJ8AFB.tmp

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeBackupPrivilege	3324	vssvc.exe
Token: SeRestorePrivilege	3324	vssvc.exe
Token: SeAuditPrivilege	3324	vssvc.exe
Token: SeBackupPrivilege	796	srtasks.exe
Token: SeRestorePrivilege	796	srtasks.exe
Token: SeSecurityPrivilege	796	srtasks.exe
Token: SeTakeOwnershipPrivilege	796	srtasks.exe
Token: SeBackupPrivilege	796	srtasks.exe
Token: SeRestorePrivilege	796	srtasks.exe
Token: SeSecurityPrivilege	796	srtasks.exe
Token: SeTakeOwnershipPrivilege	796	srtasks.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4148	DemoOCX.exe
4148	DemoOCX.exe
4148	DemoOCX.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 4220	4780	sigplus (2).exe	86
PID 4780 wrote to memory of 4220	4780	sigplus (2).exe	86
PID 4780 wrote to memory of 4220	4780	sigplus (2).exe	86
PID 4220 wrote to memory of 3984	4220	GLB89B2.tmp	99
PID 4220 wrote to memory of 3984	4220	GLB89B2.tmp	99
PID 4220 wrote to memory of 3984	4220	GLB89B2.tmp	99
PID 4220 wrote to memory of 5060	4220	GLB89B2.tmp	100
PID 4220 wrote to memory of 5060	4220	GLB89B2.tmp	100
PID 4220 wrote to memory of 5060	4220	GLB89B2.tmp	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\sigplus (2).exe
"C:\Users\Admin\AppData\Local\Temp\sigplus (2).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\GLB89B2.tmp
  C:\Users\Admin\AppData\Local\Temp\GLB89B2.tmp 4736 C:\Users\Admin\AppData\Local\Temp\SIGPLU~1.EXE
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Users\Admin\AppData\Local\Temp\GLJ8AFB.tmp
    "C:\Users\Admin\AppData\Local\Temp\GLJ8AFB.tmp" C:\Windows\SigPlus\SigSign.ocx
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:3984
- - C:\Users\Admin\AppData\Local\Temp\GLJ8AFB.tmp
    "C:\Users\Admin\AppData\Local\Temp\GLJ8AFB.tmp" C:\Windows\SigPlus\SigPlus.ocx
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:5060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\SigPlus\DemoOCX.exe
"C:\Windows\SigPlus\DemoOCX.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GLB89B2.tmp

Filesize
70KB

MD5
202b11ad0a4abac1e883f43bb7734fbe

SHA1
32d24949e368379d212880bd61a1394933db9282

SHA256
64e39b9b24c503d5a6a5519160d62cb35a86052cf70938c54f08c247c077d737

SHA512
c31eace91aa7aeb78dbaf21e979a2c3a823a76d564309f967771ea6900c5be494301735d3ca2bcdb40164751066e5d26bcd9eeff5ffdbe15ea343367fefb2385

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLB89B2.tmp

Filesize
70KB

MD5
202b11ad0a4abac1e883f43bb7734fbe

SHA1
32d24949e368379d212880bd61a1394933db9282

SHA256
64e39b9b24c503d5a6a5519160d62cb35a86052cf70938c54f08c247c077d737

SHA512
c31eace91aa7aeb78dbaf21e979a2c3a823a76d564309f967771ea6900c5be494301735d3ca2bcdb40164751066e5d26bcd9eeff5ffdbe15ea343367fefb2385

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLC8ABB.tmp

Filesize
143KB

MD5
1f7ee3353eafec7c81cf39a849b1ae95

SHA1
f3d25db0114aa59158d8fedf9bb6881b6de7505e

SHA256
c88070dff47e09b823c819efbfd309146b2145ae7af21a31e21fdb33d51bd32f

SHA512
547366c5ac66ba3aa1864d1667c1cc1a511b18115435adff85466387773a08a510e4261ecdb1f8bf372b94a32752115a2956263c91be426fb951bac71631afe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLFF0ED.tmp

Filesize
9KB

MD5
b9b41e50d612e00bf3a49a6405b89d74

SHA1
88063ee643c64f18fedda1890c717122634aedfd

SHA256
50e7a30e1825fab93b94b698c2c6d2cc1787b094c6cee53eeed5c497f77443c9

SHA512
b2486f526025095adc6767b5c2f85f80446db2b586e4dff376d74d44494f16d78a361dc944f3a10d8ad494b871a190e8c3f0e92eb27114be5d0b748e0da9c1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLFF0ED.tmp

Filesize
9KB

MD5
b9b41e50d612e00bf3a49a6405b89d74

SHA1
88063ee643c64f18fedda1890c717122634aedfd

SHA256
50e7a30e1825fab93b94b698c2c6d2cc1787b094c6cee53eeed5c497f77443c9

SHA512
b2486f526025095adc6767b5c2f85f80446db2b586e4dff376d74d44494f16d78a361dc944f3a10d8ad494b871a190e8c3f0e92eb27114be5d0b748e0da9c1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLFF0ED.tmp

Filesize
9KB

MD5
b9b41e50d612e00bf3a49a6405b89d74

SHA1
88063ee643c64f18fedda1890c717122634aedfd

SHA256
50e7a30e1825fab93b94b698c2c6d2cc1787b094c6cee53eeed5c497f77443c9

SHA512
b2486f526025095adc6767b5c2f85f80446db2b586e4dff376d74d44494f16d78a361dc944f3a10d8ad494b871a190e8c3f0e92eb27114be5d0b748e0da9c1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLJ8AFB.tmp

Filesize
2KB

MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLJ8AFB.tmp

Filesize
2KB

MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLJ8AFB.tmp

Filesize
2KB

MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLK8CF0.tmp

Filesize
30KB

MD5
3df61e5730883b2d338addd7acbe4bc4

SHA1
03166e6230231e7e3583cf9c8944f4967aa1bf1b

SHA256
2efe9a54c8eb878711d9b6cd18f276838645aff52fe69d8a864376cb258ec616

SHA512
36e9d705d22dad3d952b4da578a990f2b63ec2f9fbf2734efdaea9ecbd4f07a8d7232792eb5bdd81c553354d51334993cb6103c377f3483a680eac9e41cd2087

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLK8CF0.tmp

Filesize
30KB

MD5
3df61e5730883b2d338addd7acbe4bc4

SHA1
03166e6230231e7e3583cf9c8944f4967aa1bf1b

SHA256
2efe9a54c8eb878711d9b6cd18f276838645aff52fe69d8a864376cb258ec616

SHA512
36e9d705d22dad3d952b4da578a990f2b63ec2f9fbf2734efdaea9ecbd4f07a8d7232792eb5bdd81c553354d51334993cb6103c377f3483a680eac9e41cd2087

Download Submit
C:\Windows\SigPlus.ini

Filesize
4KB

MD5
0f9163591a3a343ea3975b511f800910

SHA1
5d5aa0867fcbf84119cac8c38fb853f3829410ce

SHA256
1bcb7d3cc555b229b7d3181cf481d8410d1152454269075650469136acba52c7

SHA512
ebfc652c5eacba0703aa30962997978dda83f30ef8dfba79d7d1fcbfd9a3fa2d1798657ab02c645d8d1d9f4772a615f44c29e6334048aa4f54f4900f81c3fd6c

Download Submit
C:\Windows\SigPlus\DemoOCX.exe

Filesize
208KB

MD5
597775ac0b0fded1a4ebbb31a3d94748

SHA1
f664f57f890ac910089945133bd9e467518f50fc

SHA256
7e16ec9265e1dfd46dffffc88b13f88e2d0a58cdb748c296160d4e56bcbdddb6

SHA512
b8bfbe45c320e58ad8ad5b51866ada91a40225e333738347594ae06381ddef5f77e829bd57b898612d76f79302807a86292e8e20c16398362101953f32311746

Download Submit
C:\Windows\SigPlus\DemoOCX.exe

Filesize
208KB

MD5
597775ac0b0fded1a4ebbb31a3d94748

SHA1
f664f57f890ac910089945133bd9e467518f50fc

SHA256
7e16ec9265e1dfd46dffffc88b13f88e2d0a58cdb748c296160d4e56bcbdddb6

SHA512
b8bfbe45c320e58ad8ad5b51866ada91a40225e333738347594ae06381ddef5f77e829bd57b898612d76f79302807a86292e8e20c16398362101953f32311746

Download Submit
C:\Windows\SigPlus\SigPlus.ocx

Filesize
574KB

MD5
b69ec923f0f71c28ed91a9e93305e0c3

SHA1
a0d87b936d56df703d77453f141a4c7d5794e050

SHA256
574c33fc41057f5ef3e2ee38d9b32c9ed7adaf2bd7ca8837840940453205156a

SHA512
e6f5e84cd5e2c6d46c12d5425d6031dd830c334df722677b1e823772d99082f0b9439ec304203fc7b39aa0e9dc9cbd958f385cade8dcdf8670c2cc15e377d6dd

Download Submit
C:\Windows\SigPlus\SigPlus.ocx

Filesize
574KB

MD5
b69ec923f0f71c28ed91a9e93305e0c3

SHA1
a0d87b936d56df703d77453f141a4c7d5794e050

SHA256
574c33fc41057f5ef3e2ee38d9b32c9ed7adaf2bd7ca8837840940453205156a

SHA512
e6f5e84cd5e2c6d46c12d5425d6031dd830c334df722677b1e823772d99082f0b9439ec304203fc7b39aa0e9dc9cbd958f385cade8dcdf8670c2cc15e377d6dd

Download Submit
C:\Windows\SigPlus\SigPlus.ocx

Filesize
574KB

MD5
b69ec923f0f71c28ed91a9e93305e0c3

SHA1
a0d87b936d56df703d77453f141a4c7d5794e050

SHA256
574c33fc41057f5ef3e2ee38d9b32c9ed7adaf2bd7ca8837840940453205156a

SHA512
e6f5e84cd5e2c6d46c12d5425d6031dd830c334df722677b1e823772d99082f0b9439ec304203fc7b39aa0e9dc9cbd958f385cade8dcdf8670c2cc15e377d6dd

Download Submit
C:\Windows\SigPlus\SigSign.ocx

Filesize
55KB

MD5
4ff0e6d0403d99a46f8c7aea16654ee4

SHA1
0683de1e635bc3902521c022b2dd859d3e127015

SHA256
38aea6e5bb447e97fd89abf3969f3517c266b29dff9f50f9f25ca86aa924dc3c

SHA512
023dc1a535faf62efd1a765dc82f8e6668ed7327b1ce37143501559ecee9df899a507994db9903eb1a68050ea421dd839778d62a3eef5a03ea20d529e6811971

Download Submit
C:\Windows\SigPlus\SigSign.ocx

Filesize
55KB

MD5
4ff0e6d0403d99a46f8c7aea16654ee4

SHA1
0683de1e635bc3902521c022b2dd859d3e127015

SHA256
38aea6e5bb447e97fd89abf3969f3517c266b29dff9f50f9f25ca86aa924dc3c

SHA512
023dc1a535faf62efd1a765dc82f8e6668ed7327b1ce37143501559ecee9df899a507994db9903eb1a68050ea421dd839778d62a3eef5a03ea20d529e6811971

Download Submit
C:\Windows\SigPlus\~GLH0004.TMP

Filesize
208KB

MD5
597775ac0b0fded1a4ebbb31a3d94748

SHA1
f664f57f890ac910089945133bd9e467518f50fc

SHA256
7e16ec9265e1dfd46dffffc88b13f88e2d0a58cdb748c296160d4e56bcbdddb6

SHA512
b8bfbe45c320e58ad8ad5b51866ada91a40225e333738347594ae06381ddef5f77e829bd57b898612d76f79302807a86292e8e20c16398362101953f32311746

Download Submit
C:\Windows\SigPlus\~GLH0008.TMP

Filesize
20KB

MD5
865ac0eda56a449b9c0933868ed44e0a

SHA1
d36ae5282875e59dca4ff52454a24616c54a43f7

SHA256
3c39e79f47765833afcaa9e15d189927fdcb48c2fd90d88c0585a4b96294857a

SHA512
ab4c94dd7e1f69bf9e0c89fa407510abce27840708ea3bf1729ad63b4b712368d9695b78268c6d05552c3a85b24016c6c8bf2f4c05279e810769f56eeee09976

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads