621b28440d4dc9ea07cf3a81589b36edc971232d40a03569cfef5f4e2293d321

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19-01-2024 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66e876c02af84b153315d9328d032cbf.exe
Size

1.0MB
MD5

66e876c02af84b153315d9328d032cbf
SHA1

796bdd4a6789d2bbd1f70f26f3ff7dbfc11770f8
SHA256

621b28440d4dc9ea07cf3a81589b36edc971232d40a03569cfef5f4e2293d321
SHA512

9dabbe12c8fef6a6822ee93891bbe51800047c2563a177562ffd203a0da7bbc858af6395a3cc2730ae7f43cac8d3d3c8c5408a9a2c307fe317a21e3b16f8f1e0
SSDEEP

24576:zLgk1ZgKHLy5k33Pra5mlVrk4l6Bsfi9gE721wCc8xQuMdIFtWatp:Pp1ZgKHWwjy+B6yfi+Ey1/bxmdop

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
9	2252	WScript.exe
11	2252	WScript.exe
13	2252	WScript.exe
16	2252	WScript.exe
18	2252	WScript.exe
20	2252	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	qoit.exe

Executes dropped EXE 5 IoCs

pid	Process
1388	qoit.exe
3008	retook.exe
2804	All.exe.com
2436	All.exe.com
2512	SmartClock.exe

Loads dropped DLL 17 IoCs

pid	Process
1908	66e876c02af84b153315d9328d032cbf.exe
1908	66e876c02af84b153315d9328d032cbf.exe
1908	66e876c02af84b153315d9328d032cbf.exe
1908	66e876c02af84b153315d9328d032cbf.exe
1388	qoit.exe
1388	qoit.exe
1388	qoit.exe
3008	retook.exe
3008	retook.exe
1388	qoit.exe
2592	cmd.exe
2804	All.exe.com
1388	qoit.exe
1388	qoit.exe
2512	SmartClock.exe
2512	SmartClock.exe
2512	SmartClock.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	retook.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\foler\olader\acledit.dll	66e876c02af84b153315d9328d032cbf.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	66e876c02af84b153315d9328d032cbf.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	66e876c02af84b153315d9328d032cbf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	All.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	All.exe.com

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2548	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2512	SmartClock.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2804	All.exe.com
2804	All.exe.com
2804	All.exe.com
2436	All.exe.com
2436	All.exe.com
2436	All.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2804	All.exe.com
2804	All.exe.com
2804	All.exe.com
2436	All.exe.com
2436	All.exe.com
2436	All.exe.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1388	1908	66e876c02af84b153315d9328d032cbf.exe	28
PID 1908 wrote to memory of 1388	1908	66e876c02af84b153315d9328d032cbf.exe	28
PID 1908 wrote to memory of 1388	1908	66e876c02af84b153315d9328d032cbf.exe	28
PID 1908 wrote to memory of 1388	1908	66e876c02af84b153315d9328d032cbf.exe	28
PID 1908 wrote to memory of 1388	1908	66e876c02af84b153315d9328d032cbf.exe	28
PID 1908 wrote to memory of 1388	1908	66e876c02af84b153315d9328d032cbf.exe	28
PID 1908 wrote to memory of 1388	1908	66e876c02af84b153315d9328d032cbf.exe	28
PID 1908 wrote to memory of 3008	1908	66e876c02af84b153315d9328d032cbf.exe	38
PID 1908 wrote to memory of 3008	1908	66e876c02af84b153315d9328d032cbf.exe	38
PID 1908 wrote to memory of 3008	1908	66e876c02af84b153315d9328d032cbf.exe	38
PID 1908 wrote to memory of 3008	1908	66e876c02af84b153315d9328d032cbf.exe	38
PID 1908 wrote to memory of 3008	1908	66e876c02af84b153315d9328d032cbf.exe	38
PID 1908 wrote to memory of 3008	1908	66e876c02af84b153315d9328d032cbf.exe	38
PID 1908 wrote to memory of 3008	1908	66e876c02af84b153315d9328d032cbf.exe	38
PID 3008 wrote to memory of 2584	3008	retook.exe	29
PID 3008 wrote to memory of 2584	3008	retook.exe	29
PID 3008 wrote to memory of 2584	3008	retook.exe	29
PID 3008 wrote to memory of 2584	3008	retook.exe	29
PID 3008 wrote to memory of 2584	3008	retook.exe	29
PID 3008 wrote to memory of 2584	3008	retook.exe	29
PID 3008 wrote to memory of 2584	3008	retook.exe	29
PID 3008 wrote to memory of 2648	3008	retook.exe	37
PID 3008 wrote to memory of 2648	3008	retook.exe	37
PID 3008 wrote to memory of 2648	3008	retook.exe	37
PID 3008 wrote to memory of 2648	3008	retook.exe	37
PID 3008 wrote to memory of 2648	3008	retook.exe	37
PID 3008 wrote to memory of 2648	3008	retook.exe	37
PID 3008 wrote to memory of 2648	3008	retook.exe	37
PID 2648 wrote to memory of 2592	2648	cmd.exe	32
PID 2648 wrote to memory of 2592	2648	cmd.exe	32
PID 2648 wrote to memory of 2592	2648	cmd.exe	32
PID 2648 wrote to memory of 2592	2648	cmd.exe	32
PID 2648 wrote to memory of 2592	2648	cmd.exe	32
PID 2648 wrote to memory of 2592	2648	cmd.exe	32
PID 2648 wrote to memory of 2592	2648	cmd.exe	32
PID 2592 wrote to memory of 2444	2592	cmd.exe	31
PID 2592 wrote to memory of 2444	2592	cmd.exe	31
PID 2592 wrote to memory of 2444	2592	cmd.exe	31
PID 2592 wrote to memory of 2444	2592	cmd.exe	31
PID 2592 wrote to memory of 2444	2592	cmd.exe	31
PID 2592 wrote to memory of 2444	2592	cmd.exe	31
PID 2592 wrote to memory of 2444	2592	cmd.exe	31
PID 2592 wrote to memory of 2804	2592	cmd.exe	36
PID 2592 wrote to memory of 2804	2592	cmd.exe	36
PID 2592 wrote to memory of 2804	2592	cmd.exe	36
PID 2592 wrote to memory of 2804	2592	cmd.exe	36
PID 2592 wrote to memory of 2804	2592	cmd.exe	36
PID 2592 wrote to memory of 2804	2592	cmd.exe	36
PID 2592 wrote to memory of 2804	2592	cmd.exe	36
PID 2592 wrote to memory of 2548	2592	cmd.exe	35
PID 2592 wrote to memory of 2548	2592	cmd.exe	35
PID 2592 wrote to memory of 2548	2592	cmd.exe	35
PID 2592 wrote to memory of 2548	2592	cmd.exe	35
PID 2592 wrote to memory of 2548	2592	cmd.exe	35
PID 2592 wrote to memory of 2548	2592	cmd.exe	35
PID 2592 wrote to memory of 2548	2592	cmd.exe	35
PID 2804 wrote to memory of 2436	2804	All.exe.com	34
PID 2804 wrote to memory of 2436	2804	All.exe.com	34
PID 2804 wrote to memory of 2436	2804	All.exe.com	34
PID 2804 wrote to memory of 2436	2804	All.exe.com	34
PID 2804 wrote to memory of 2436	2804	All.exe.com	34
PID 2804 wrote to memory of 2436	2804	All.exe.com	34
PID 2804 wrote to memory of 2436	2804	All.exe.com	34
PID 1388 wrote to memory of 2512	1388	qoit.exe	33

C:\Users\Admin\AppData\Local\Temp\66e876c02af84b153315d9328d032cbf.exe
"C:\Users\Admin\AppData\Local\Temp\66e876c02af84b153315d9328d032cbf.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\ventil\qoit.exe
  "C:\Users\Admin\AppData\Local\Temp\ventil\qoit.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
    "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    PID:2512
- C:\Users\Admin\AppData\Local\Temp\ventil\retook.exe
  "C:\Users\Admin\AppData\Local\Temp\ventil\retook.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3008

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
1⤵
PID:2584

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^yNmEqrPOypxBlVnuFemmfzGnSPBDoxoqgOjuQxEteLTSbEtnlUplDSaMuqLlBkGLqxjvJsflnxbEmOwhKrzgkYbccmZQIzCQyoReaIOSFYMocOhaZnAnSameXQqpsn$" Bel.wbk
1⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
cmd
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\PING.EXE
  ping SCFGBRBT
  2⤵
  - Runs ping.exe
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com
  All.exe.com g
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2804

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com g
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2436
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\knvjtuqojjjf.vbs"
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Molta.wbk
1⤵
- Suspicious use of WriteProcessMemory
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
369d25c2c18b72d7e1a26a01d2bc55e2

SHA1
5531c864dd2408f36b5d330f34f9a6c494505f5f

SHA256
59076b83868777385bb4df683062003422a28a552d423ac8a92a638c9105a02f

SHA512
406add276ec8800e39d53a399a611dad04938bac1c8eabc5f71b4cf055f1f98600937d88295e6053f4e72ed2deef865795470ece1c5f103c64d49dc645044da9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
91545b467bd80f9629e69cd42bdfd6e9

SHA1
222d1e54aabf3ae0df63845099d7421067756dbb

SHA256
62ea9edf44f7441fbb0b21c97c9094da7d609c553b7ba96430935f83556a1609

SHA512
d89e9e08b619c72e8b7e28989a4e19bb66fb9ab9e2d4c7c5b441be81573b21960dfe9106e331fbe9060977178f510b7ffb29f4ed5af1c4975541dbbbdd4ee1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D37.tmp

Filesize
313B

MD5
bee55e52500f967c3d9402e05dd57f65

SHA1
d8dc65ec97c6288e1fd10b8c4f8502e5a8a5bbf6

SHA256
b90eae4b05d321efc4519963349c1775dcea8e3b0ae53b50285545380b6539c0

SHA512
b8624a934fb74760f5b231ca97e89074b227ad9fe3bb08b01a81cf35760f06b346f395cf6683df5881dc429ae77af0d0a07cfeb9c9ec127e4e917191bf8c91da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com

Filesize
63KB

MD5
d565e0cb669174f54c5483f229cf7992

SHA1
236de9583c68a3c09ba0693d27fe76fe32fea1cf

SHA256
7f72db7c682ce83c1e162c63ab1d5f8db5cd396a11fcab23245d2ddc1056366b

SHA512
d22693ba4f32accbd5cb8f855835320fde1f020d38656b2964bf8de30bc41b1705313e2856354b490b19e8b2359cbef1df2dd6a92dde3d3a7cf8db813016d042

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com

Filesize
432KB

MD5
9bc915dae9b135e9f224e83d86259bf4

SHA1
9c8487a15f12dbb7341986b7a9b81e8e4d92bede

SHA256
f94f6770bc9242d5876a3acdde5711b511d2d0d5f511f58510d42cc7de71a5fc

SHA512
46688931176c6066eef1c2c6819381b35a8a78b4d8144394fd933591d7d9f2c2dc206f1d7be7c4fbc9b5fec4caa05e200b605ed59f434166c517cce0a55eb4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com

Filesize
76KB

MD5
a3d2fa66fedea523a88c6ac43b36a356

SHA1
5c74bcf07a966e9c151c5dd49eba55ac11b2c7b2

SHA256
d7f348d77ad48cf94b52620f8b6c9e2a9d71069a97544887ba27d70657041302

SHA512
1abdd849cd32719a6888ec55576d40ac8da88756fd382fc8752721fd7d3053040390d3886cf8de0fb281cc6df10e99d92b5c80012583b6d1ea8b3df6356ca077

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bel.wbk

Filesize
329KB

MD5
eb3791a5fd8fc264f2fe2e2775938b1a

SHA1
9e850f64f23537f9a6a1fece6ae567d69e593b1a

SHA256
c3f206361d440836c7f4721bfed56a7f4648601761870f5e59a487a33842c53e

SHA512
1172479fa1a6609eb4504fe2a970dd7c5b5432bdc2bd822b90bdf35201e0369309b4899d996fa04d30c7469eedf3b4f34e0c7e1623e30d2494cd3590df23dba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Molta.wbk

Filesize
466B

MD5
5c8a283903791aa4630e516bade66942

SHA1
757539d1ff447dd52394504342ac4362b68d3196

SHA256
fea27f988519d41f6dd26187176a859f471ec4ea2c2441d8e1dfc614535cece1

SHA512
95b990630d6568259b0102a6ae7b654a43eee84388a2122556841a02e5a420ec3d625d296682511ca864efae89e620733a0ce1464f8d361baa4391b291044f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.wbk

Filesize
77KB

MD5
e35f9e9b42d0c5e783b5d9a6977345a6

SHA1
d42a06235e9b76d3849bcf95dd4c3b73a7931b73

SHA256
9a4bc85b0e38a5841c97699be9cc0059889ca6978232334e6bc7bbbe0c343a08

SHA512
cfc5bea165143320f6c10cabb22f1feb3ccea72e8bb2e8e2400c30b75bbd2edefd700282f511837a20e59b73dd2c20a9f216fd51273de85817f8765eeba02985

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g

Filesize
52KB

MD5
a23ef8eeb903309a4dbc36922c37c77e

SHA1
612558efcd1f1d61049e087228e01f27529eed4d

SHA256
0f84c282aad5e1bb78bc52b2b3e453edb6b8fe31fb7dc6c149e7970b836d32cf

SHA512
5375b2d168a7b2cca62524f0b215b04f0b6b5c1dcfd7d1df0887798362bcb15bd7e44bc8f2ebe9d28136f70a6feb470a2db854a5620073b799d234d008edab65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar70A3.tmp

Filesize
33KB

MD5
df0ca22f7cbab7766cfd91cac66d3f3e

SHA1
989ad124bde0cc05b4b9e7b7f3f88c8601cc187d

SHA256
bbb68d2de7e4adb056f6acf04e5db9cfaddce8d707ab825740fae05af73313c3

SHA512
637b689d457204648b33677ee1132255a3663cc5fab8a1b36fd0f76f96b4ca2ae6ef27b709c5095702dca224b0637a1bd7f2ee85b2d89e524d1bcc26e4044a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\knvjtuqojjjf.vbs

Filesize
133B

MD5
23730736e3932efbfce6ae7c683f4606

SHA1
96598e7043f5f292504e425358bb8826afbb4cce

SHA256
9faed7da6ba4270f2e6ebad84b478f91886cd4a052d5e569ea32398d2d41bac4

SHA512
1d77fd9e152d8f82b07bd4b3be06e1382e3f524b0d051a0054c63d4be281d41400f198831c544299909851c105b7dabbb16763061e0ed55dff1d2939f6673c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\ventil\qoit.exe

Filesize
177KB

MD5
87eacd45c75e8bc5a35ed0b2fd1c6d4d

SHA1
abcc79f4a053277fe211207d296c654412e7a6ac

SHA256
047941fdb8c7e47fa361bae357937f1a457ddd392d1427579a0ad453b4c7c6a1

SHA512
cb8698b8b9b2e79617354c02bbaaa3d950c1eb4ec55de2f7c498007ee41afb0e5e36ac4fe9c0b673f24f35d506a0bafbc61d166a7564b1f7da8c393368456997

Download Submit
C:\Users\Admin\AppData\Local\Temp\ventil\retook.exe

Filesize
169KB

MD5
0e70046da1aa06c6d68ed0d278e9905a

SHA1
2e5c1b154a886d0e8f3b550205bce6824f52d30b

SHA256
025f5be267feb5458d4f3029b644f39bb906c5992dc59aaee1cbc58c37dee514

SHA512
7cb387a4d2414624faa73174351951c3b8fbc93e03f217bc9156428f632465f9e3cd8655d23e2d4258c176be0e3b2da588377cfb3b9eb3a4b78ccb25a894e843

Download Submit
C:\Users\Admin\AppData\Local\Temp\ventil\retook.exe

Filesize
249KB

MD5
ac04be5fef53ecc1e2212bd9c2849f71

SHA1
d390a31c94a23be78e3046a7f2d2e83fe1aa5cfc

SHA256
ecf5e1ce72770479a2e8cad2330b36cc01bb7c39480a41d3046d5d91994ebe6b

SHA512
6ef802eb03dd44987192ea8db42e75e08abb4907c2eb4e66316b509cf20313a69718eea2cbfc4f67e2101f2f7d641dee131ddb4d20ab1b4f3457b9487f020055

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Filesize
16KB

MD5
9a1d5bbc3f6b730eb44b59bb3c9cff24

SHA1
7ae504dba3924159d2b14254feda60fa5abd5b92

SHA256
a1c3b4532bea4d264448fa0c5ba4a8c1e5458646a44c197b66bb2c8700fe40a4

SHA512
d83bac2f5d0c2b738098bb044eebd63f1a4a76bbca5209bc13616cde919aada9bc921d2120fe0f144332bca1e9c64e9fed945335c4420639c44d25b425454fc9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com

Filesize
87KB

MD5
82d6f361e1fa60b54d7ae56641f9bb81

SHA1
ac7645dd0d313a48aa81f8860f0c0c981bf794fc

SHA256
2f9aaec8da0965050292495632dea8c49902d9113b482bcc47fa61d70d59f568

SHA512
f19e976ad138e3c0d207131d386f5b9868145adaef629c8b2cbc719f40b37260fc86b5f39649cb71ba14414f854e2eff295045c19c8cfe8167749c130cb53f1f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com

Filesize
289KB

MD5
35faf106a23a667ccf43674b1b9f1d27

SHA1
9bf4e2a7ab434662ebb63a990df22fbf357df6bc

SHA256
eb4d27fa640bd959d5807e09d05b18929c260f28a49cfb85c721ca7bea27e0f1

SHA512
b43a8893e0dad9cefc2279124181b009d30d72388f6f373a50719b69b8d180a1297b8047a2bdd7f0ae567b21206f9dd94d62cad996ece74576c7ad1f0be6e6d8

Download Submit
\Users\Admin\AppData\Local\Temp\nsyEC1.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\ventil\qoit.exe

Filesize
136KB

MD5
a84b17a10d9fc6904944f8746e2c9b3d

SHA1
1e4ec82832da29d49f50ff38cdd163b25fcb8226

SHA256
7feabf0174b5a2d4b1801bbd196237d646249818bb4529276936c2916621b392

SHA512
7f0d7f5b75573fe2ac6910b25168c69363c3962c7d787c3069e25f8003b7318d2f70a6f378384286e0a9033b7b0fbd10de553e4c4119d70cd695d32e1bb75a95

Download Submit
\Users\Admin\AppData\Local\Temp\ventil\qoit.exe

Filesize
173KB

MD5
58caaaf9f90c578658adc881d8ea4f4f

SHA1
9a22f0cdae5a8a6b5b70e317dd3d1214642555b1

SHA256
712b381077a72c67a8d8d9c0b2df98a6d744eb93035e06bd2fe0d0ef099989c1

SHA512
31e4858de24e54f3d1255c8399b6bf0011c958f192d1c32e46f024cf3f8040d053a156920ad3df83f6cff01f32b9e7190d4e0eb9247a1a651d4b016358e4c416

Download Submit
\Users\Admin\AppData\Local\Temp\ventil\qoit.exe

Filesize
197KB

MD5
4a5f97f2d4ba48afb818f4cf45815c7d

SHA1
eea689be8c284615b6a5e68627963392f93f508a

SHA256
086489a8a319c510fcd611d9d5adf08b5b42f977424f6740e968ad33085bfe68

SHA512
b51d93f3925abc7dbfa36f63b1103c9035f2f0e85e7d5ec6817c9b12702d92dd39d26e0a6ec545c4f8bfe4c7c2465e48d62372a725d96d17130d737dcc8f2c05

Download Submit
\Users\Admin\AppData\Local\Temp\ventil\retook.exe

Filesize
459KB

MD5
cbb9e6936464f4d1ea571d5250878c77

SHA1
0dc6f819d9c9bf0a9bca68d1b7bb8a4fe5bc84eb

SHA256
732dd95caba3283c24b6ca8a9eaa7eab7dfe6433d75bde18708202aaaba60819

SHA512
15f4b33076391fad0436fa5c2e9b4ff8827f10180f5abaf04a7164e2ce3aa94aea1f7d0aa0a0f8dde9155e76a2b1ad1793a60d655342ccf7a82af95a4663e433

Download Submit
\Users\Admin\AppData\Local\Temp\ventil\retook.exe

Filesize
204KB

MD5
35d3786edff83d7fc109af8cba2ff6d5

SHA1
bf34569e157f84697872b762f4624bebe3422d81

SHA256
d3776affd8523b91b4502ddc98175134deb826e23094d213fad8831227b7ce33

SHA512
25b017051492f09096d71edc88df16bbc89c436fdf1927e20e032259b2941f0bcc190e9e7590052b6a5f741a3b9b63439bc12ab768f7701ab2096e4e18ce36cc

Download Submit
\Users\Admin\AppData\Local\Temp\ventil\retook.exe

Filesize
146KB

MD5
c5526867baa831c1653e5d22bbb125e7

SHA1
f330e0e71de51bbab8b77e56c3c286ca3d253264

SHA256
dbdcae3a1914e1010aaa36d4d58942cf67050e25141e80d40c904787be7b60fc

SHA512
b18fee606ae6ccddfb03d3027eb178031cfc0e6145a77875682cab8135e07eb335a3f13a9f45b75742d2f34363a1de78c68db8c115d7b107f23059fa1b72a8e6

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Filesize
96KB

MD5
ead45e6ddb3c5185e31a7337f0c921f1

SHA1
12a2978510e3bb34fff64fa801fe68235e1d0ab3

SHA256
6b74ff6de7c4cd6e3e9157e66560de83eb159dd699f427bd9ee79fa2d0b4a424

SHA512
89586c80b63154978ae331b8d7e705503c223b35a08e499d93321bd82d8ce8b26534622ea9274c4d857328f0aff3ff903cc62d4c46eb637ad5402f74a1ef186f

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Filesize
34KB

MD5
22547365ac1eb54c930d4d0b042dff70

SHA1
d8f73ae4c726167a895ca6acb69c9af1018e2602

SHA256
ff435100801ba4a69ceb78129f32a7111fc331e87486bf5851805bd63a72b8ca

SHA512
5c81ac4256bf2da1a9ad178051f7ca5a6d668f228c3797fee1bece5d8c63e17989c0f472be62182879fded6370457c0543bd28e32c8525763b4d3e6c13fc955a

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Filesize
87KB

MD5
647cb097e7b39d6a8193ebe1067e2347

SHA1
9e8615a1b780659274179f1d8971488a148a35d0

SHA256
12c8955390afe68dc16d3c0a50c438cf93f9f11ae5d615f31af37d216246ac65

SHA512
fbe51c431400809b86284c15a61e6f1f2c2196a59aa784ae793164b8447f397ff08366d224497f924867f7684a58568b9395bc130e69a0e92c859c925ef0c911

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Filesize
56KB

MD5
2763eea3f52df1bf72e18a6f68f803c1

SHA1
cde88aacb625a01e123c531d854c7dfdcbac7da3

SHA256
63ea4696b779b518381a5aa0a5ba0f659fee48381d649835ce054a98dbe93364

SHA512
ca3a3b3f93cab2daf9d35e7ebbef897c4de00bdd2319703b38bbb12f5c649d3d62f514058909816dfdec40c38743a7cc2e73c44bb97eb544917ab801c395501b

Download Submit
memory/1388-68-0x0000000000400000-0x0000000002CC1000-memory.dmp

Filesize
40.8MB

Download
memory/1388-37-0x0000000002D90000-0x0000000002E90000-memory.dmp

Filesize
1024KB

Download
memory/1388-58-0x0000000000400000-0x0000000002CC1000-memory.dmp

Filesize
40.8MB

Download
memory/1388-38-0x0000000000250000-0x0000000000276000-memory.dmp

Filesize
152KB

Download
memory/2436-77-0x0000000003C20000-0x0000000003C47000-memory.dmp

Filesize
156KB

Download
memory/2436-78-0x0000000003C20000-0x0000000003C47000-memory.dmp

Filesize
156KB

Download
memory/2436-83-0x0000000003C20000-0x0000000003C47000-memory.dmp

Filesize
156KB

Download
memory/2436-84-0x0000000003C20000-0x0000000003C47000-memory.dmp

Filesize
156KB

Download
memory/2436-80-0x0000000003C20000-0x0000000003C47000-memory.dmp

Filesize
156KB

Download
memory/2436-81-0x0000000003C20000-0x0000000003C47000-memory.dmp

Filesize
156KB

Download
memory/2436-98-0x0000000003C20000-0x0000000003C47000-memory.dmp

Filesize
156KB

Download
memory/2436-82-0x0000000003C20000-0x0000000003C47000-memory.dmp

Filesize
156KB

Download
memory/2436-79-0x0000000003C20000-0x0000000003C47000-memory.dmp

Filesize
156KB

Download
memory/2512-102-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2512-76-0x0000000000400000-0x0000000002CC1000-memory.dmp

Filesize
40.8MB

Download
memory/2512-75-0x00000000001F0000-0x0000000000216000-memory.dmp

Filesize
152KB

Download
memory/2512-74-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads