8cdd2c3b7d96469112a4b739bb191ef6889c8f48d38c3a9f474026cb3ee0354a

Analysis

max time kernel
143s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 13:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

72dcee5b3be1400e8b1573bd6d1e0add.exe
Size

1.2MB
MD5

72dcee5b3be1400e8b1573bd6d1e0add
SHA1

f5661b761a681d242480d2ebf8d54bfa95650253
SHA256

8cdd2c3b7d96469112a4b739bb191ef6889c8f48d38c3a9f474026cb3ee0354a
SHA512

5c18f1c1eb9e5255949682d4776a9b76bd88399b82687f20bd48382979895b2a1f76cf01c377ffc75ee669390fc1cd542e24d03e80687a0af5bbc790f1fc479e
SSDEEP

24576:HGh1Z8iyOGbjo8+IlZ3N8fqBua5wx7K2KhTPhFerC1rLuSUPmKKv:mh1Zi+IbeqBr5wBViFFe2rLuSUPmHv

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
9	2276	WScript.exe
11	2276	WScript.exe
13	2276	WScript.exe
16	2276	WScript.exe
18	2276	WScript.exe
20	2276	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

Executes dropped EXE 5 IoCs

pid	Process
1748	4.exe
1732	vpn.exe
2720	Mettermi.exe.com
2224	Mettermi.exe.com
2988	SmartClock.exe

Loads dropped DLL 17 IoCs

pid	Process
1900	72dcee5b3be1400e8b1573bd6d1e0add.exe
1900	72dcee5b3be1400e8b1573bd6d1e0add.exe
1900	72dcee5b3be1400e8b1573bd6d1e0add.exe
1900	72dcee5b3be1400e8b1573bd6d1e0add.exe
1748	4.exe
1748	4.exe
1748	4.exe
1732	vpn.exe
1732	vpn.exe
2588	cmd.exe
2720	Mettermi.exe.com
1748	4.exe
1748	4.exe
1748	4.exe
2988	SmartClock.exe
2988	SmartClock.exe
2988	SmartClock.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vpn.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	72dcee5b3be1400e8b1573bd6d1e0add.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	72dcee5b3be1400e8b1573bd6d1e0add.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	72dcee5b3be1400e8b1573bd6d1e0add.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Mettermi.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Mettermi.exe.com

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2484	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2988	SmartClock.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1748	1900	72dcee5b3be1400e8b1573bd6d1e0add.exe	28
PID 1900 wrote to memory of 1748	1900	72dcee5b3be1400e8b1573bd6d1e0add.exe	28
PID 1900 wrote to memory of 1748	1900	72dcee5b3be1400e8b1573bd6d1e0add.exe	28
PID 1900 wrote to memory of 1748	1900	72dcee5b3be1400e8b1573bd6d1e0add.exe	28
PID 1900 wrote to memory of 1748	1900	72dcee5b3be1400e8b1573bd6d1e0add.exe	28
PID 1900 wrote to memory of 1748	1900	72dcee5b3be1400e8b1573bd6d1e0add.exe	28
PID 1900 wrote to memory of 1748	1900	72dcee5b3be1400e8b1573bd6d1e0add.exe	28
PID 1900 wrote to memory of 1732	1900	72dcee5b3be1400e8b1573bd6d1e0add.exe	29
PID 1900 wrote to memory of 1732	1900	72dcee5b3be1400e8b1573bd6d1e0add.exe	29
PID 1900 wrote to memory of 1732	1900	72dcee5b3be1400e8b1573bd6d1e0add.exe	29
PID 1900 wrote to memory of 1732	1900	72dcee5b3be1400e8b1573bd6d1e0add.exe	29
PID 1900 wrote to memory of 1732	1900	72dcee5b3be1400e8b1573bd6d1e0add.exe	29
PID 1900 wrote to memory of 1732	1900	72dcee5b3be1400e8b1573bd6d1e0add.exe	29
PID 1900 wrote to memory of 1732	1900	72dcee5b3be1400e8b1573bd6d1e0add.exe	29
PID 1732 wrote to memory of 2680	1732	vpn.exe	38
PID 1732 wrote to memory of 2680	1732	vpn.exe	38
PID 1732 wrote to memory of 2680	1732	vpn.exe	38
PID 1732 wrote to memory of 2680	1732	vpn.exe	38
PID 1732 wrote to memory of 2680	1732	vpn.exe	38
PID 1732 wrote to memory of 2680	1732	vpn.exe	38
PID 1732 wrote to memory of 2680	1732	vpn.exe	38
PID 1732 wrote to memory of 2612	1732	vpn.exe	31
PID 1732 wrote to memory of 2612	1732	vpn.exe	31
PID 1732 wrote to memory of 2612	1732	vpn.exe	31
PID 1732 wrote to memory of 2612	1732	vpn.exe	31
PID 1732 wrote to memory of 2612	1732	vpn.exe	31
PID 1732 wrote to memory of 2612	1732	vpn.exe	31
PID 1732 wrote to memory of 2612	1732	vpn.exe	31
PID 2612 wrote to memory of 2588	2612	cmd.exe	36
PID 2612 wrote to memory of 2588	2612	cmd.exe	36
PID 2612 wrote to memory of 2588	2612	cmd.exe	36
PID 2612 wrote to memory of 2588	2612	cmd.exe	36
PID 2612 wrote to memory of 2588	2612	cmd.exe	36
PID 2612 wrote to memory of 2588	2612	cmd.exe	36
PID 2612 wrote to memory of 2588	2612	cmd.exe	36
PID 2588 wrote to memory of 2464	2588	cmd.exe	32
PID 2588 wrote to memory of 2464	2588	cmd.exe	32
PID 2588 wrote to memory of 2464	2588	cmd.exe	32
PID 2588 wrote to memory of 2464	2588	cmd.exe	32
PID 2588 wrote to memory of 2464	2588	cmd.exe	32
PID 2588 wrote to memory of 2464	2588	cmd.exe	32
PID 2588 wrote to memory of 2464	2588	cmd.exe	32
PID 2588 wrote to memory of 2720	2588	cmd.exe	35
PID 2588 wrote to memory of 2720	2588	cmd.exe	35
PID 2588 wrote to memory of 2720	2588	cmd.exe	35
PID 2588 wrote to memory of 2720	2588	cmd.exe	35
PID 2588 wrote to memory of 2720	2588	cmd.exe	35
PID 2588 wrote to memory of 2720	2588	cmd.exe	35
PID 2588 wrote to memory of 2720	2588	cmd.exe	35
PID 2588 wrote to memory of 2484	2588	cmd.exe	33
PID 2588 wrote to memory of 2484	2588	cmd.exe	33
PID 2588 wrote to memory of 2484	2588	cmd.exe	33
PID 2588 wrote to memory of 2484	2588	cmd.exe	33
PID 2588 wrote to memory of 2484	2588	cmd.exe	33
PID 2588 wrote to memory of 2484	2588	cmd.exe	33
PID 2588 wrote to memory of 2484	2588	cmd.exe	33
PID 2720 wrote to memory of 2224	2720	Mettermi.exe.com	34
PID 2720 wrote to memory of 2224	2720	Mettermi.exe.com	34
PID 2720 wrote to memory of 2224	2720	Mettermi.exe.com	34
PID 2720 wrote to memory of 2224	2720	Mettermi.exe.com	34
PID 2720 wrote to memory of 2224	2720	Mettermi.exe.com	34
PID 2720 wrote to memory of 2224	2720	Mettermi.exe.com	34
PID 2720 wrote to memory of 2224	2720	Mettermi.exe.com	34
PID 1748 wrote to memory of 2988	1748	4.exe	39

C:\Users\Admin\AppData\Local\Temp\72dcee5b3be1400e8b1573bd6d1e0add.exe
"C:\Users\Admin\AppData\Local\Temp\72dcee5b3be1400e8b1573bd6d1e0add.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
  "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
    "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    PID:2988
- C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
  "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cmd < Ricuperato.wp5
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c vQGBA
    3⤵
    PID:2680

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^EnhDnNjlXrURXGTHBGcErTQGpvzbczMcOtOaPLgHqaCqUVAjimpGqkiKHHzezPPDdmeTSASQsNELsQLgVifVpyxCXrKia$" Cresciuto.wp5
1⤵
PID:2464

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 30
1⤵
- Runs ping.exe
PID:2484

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mettermi.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mettermi.exe.com H
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2224
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wxarksjpawnu.vbs"
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  PID:2276

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mettermi.exe.com
Mettermi.exe.com H
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
562dca473151f96b5bab6098a187e403

SHA1
e66b3f55a1e262a6958a1f4dc760c1630d291300

SHA256
73dfd761ffdc4ac11947d9fb88ab48964e295b9551902836842a9fec4277d5b5

SHA512
cce3f364fc735d2ef7d103a2f517c69af0090dd554d1e9cfad5d74028664545657f9e7396b5f5801cc334dc76ae8fc10e7f1fb298eb0de810ae3198f7359d3f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
44cf0ff00758b3927f275812dc945b8a

SHA1
ee2cc8989633c2065923f3ceadf4f7ee2b83f5b8

SHA256
ba38b43d43abdaa5da21fd87457bf8649b536d671ba1964801711a69725abe95

SHA512
93304be6c65aa3e08d3094edf615274b19506c0930ec2f30710307cb867b9f3d03637b6a5991ea8f5e7f78100cae4d3c994bc3c324b08b6251e34a06f4e27f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\8038.tmp

Filesize
313B

MD5
bee55e52500f967c3d9402e05dd57f65

SHA1
d8dc65ec97c6288e1fd10b8c4f8502e5a8a5bbf6

SHA256
b90eae4b05d321efc4519963349c1775dcea8e3b0ae53b50285545380b6539c0

SHA512
b8624a934fb74760f5b231ca97e89074b227ad9fe3bb08b01a81cf35760f06b346f395cf6683df5881dc429ae77af0d0a07cfeb9c9ec127e4e917191bf8c91da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cresciuto.wp5

Filesize
872KB

MD5
df5437e59260a6c202fe845c4d7f0029

SHA1
9ce58fb7fbe69b8e0bbd5a41f19c25c5c100cc0f

SHA256
73b58d79ab00c16c17f636a3e9397e62918c1f15c76238671e877218ab4ace23

SHA512
ab284ea9584f58cd6870e2fcdcce0c58cf181451b2b68d43ce6ef46f4b3261e0ded8e472b80092e3f29910ea86fbec31c6b45bf143875f3c61ba6c2bc434e3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\H

Filesize
719KB

MD5
fa3f08a73a22c093788a300992788687

SHA1
03b274b873e0573c9df82e3bb6e45b38a43002e3

SHA256
40a5369aa52fbabad9262ad9d8173a1042c2dc2633c8edc3ee8df51d8fdc9335

SHA512
f95fc9f5a915eba24b52f3aa1be8fd7935cdb761e13c4fb535ec2fc1e8d260d0321d4cbb07f2a978a6b5f5a6e2b94eef75f4eaf74ca91d8fc839a9616af36dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mettermi.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pei.wp5

Filesize
139KB

MD5
fa1fc0b0f0c7fdb07fb95e8049f23bcb

SHA1
b5b68cdbcd20eebd2381b6e7877381c25837d4d3

SHA256
2b85de4a05f952148b32559ccc8421d1a8d961881fd8cf02cfb3880f86774418

SHA512
ac930549a7a17c4189d8b036fd31c3f150443cff7c67c13ce7b02dce3bc19d89a238d5baa6a8c703e1146991e76751d0c81b3c30fb37b0c639735d03fff380e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ricuperato.wp5

Filesize
453B

MD5
b76512e39b5dd555e126412b7a5d19d3

SHA1
fd40c9251b63d06012694d6e5d172f9333081ddc

SHA256
61b4fb06ad59ca9e6e5c9e9e7028f14d2c503fb931db731b6892d5a7b1db78fb

SHA512
b23c3999e40b5eec5e6f5e317962c91f02f32d011e41e7498261d27888a1db175deb19086fb570b9c73e58dd86af5667f0ce13f4bead8bf54b50600267ab275a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB698.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxarksjpawnu.vbs

Filesize
135B

MD5
6aa90f64cbaddcaebfac392c2d144755

SHA1
8c60d624ab763ecdd4e9a1966b5e47ffdaf4b27a

SHA256
3768acd3f94880cb3c51660e287b2e3266a41621ab111983907365068d622267

SHA512
3f877ae0a282bb721cef2f01c3179960e51cd14f1bf329153eda1c4a7f39ddbd5f8eb6d5a9eb2c2feceaa23ede1baee01efaa4d8e074a372cfa08ac6442377f2

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\4.exe

Filesize
281KB

MD5
591e85e8acca8cc0279b2ed1bf6a8748

SHA1
eb443def37bfffbf0f6d4bcac9f0b725f7cbe7d8

SHA256
581afcfed2363cb1a086e46b31821245893509ad0bea657359ce4f31a2edb356

SHA512
a0aa0aab6b3d160d7f75e9bb4e629bbd20b4e6b3d8dd3742cf02b721335e5d678183b6c3c1de14bd30c3aa7d75eb8a1558daf512b6ca019c8734ec07867fb41f

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

Filesize
1.0MB

MD5
bfd950bbabd1e5b3f57a23cd7c618788

SHA1
d943e0b6d1a7366ff5747cab6a12b645b41cf64a

SHA256
cf886c14de35ffa30003c15934a5d69ade52ee8632544d84bcee6a89d45d92cd

SHA512
9e4365c2ef5218aa081643dec76f80dc5ee898554f77e6d5d319002f3b7664be600685962328459affdd530cfbb7c804960080b6b8f31c771215b7b8d3a3ebc2

Download Submit
\Users\Admin\AppData\Local\Temp\nso144D.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/1748-56-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/1748-58-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1748-57-0x00000000004D0000-0x00000000004F6000-memory.dmp

Filesize
152KB

Download
memory/1748-71-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2224-80-0x0000000004040000-0x0000000004067000-memory.dmp

Filesize
156KB

Download
memory/2224-86-0x0000000004040000-0x0000000004067000-memory.dmp

Filesize
156KB

Download
memory/2224-87-0x0000000004040000-0x0000000004067000-memory.dmp

Filesize
156KB

Download
memory/2224-84-0x0000000004040000-0x0000000004067000-memory.dmp

Filesize
156KB

Download
memory/2224-102-0x0000000004040000-0x0000000004067000-memory.dmp

Filesize
156KB

Download
memory/2224-85-0x0000000004040000-0x0000000004067000-memory.dmp

Filesize
156KB

Download
memory/2224-83-0x0000000004040000-0x0000000004067000-memory.dmp

Filesize
156KB

Download
memory/2224-82-0x0000000004040000-0x0000000004067000-memory.dmp

Filesize
156KB

Download
memory/2224-81-0x0000000004040000-0x0000000004067000-memory.dmp

Filesize
156KB

Download
memory/2988-93-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/2988-77-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/2988-78-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads