Analysis
- max time kernel: 149s
- max time network: 158s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29/02/2024, 03:37
Behavioral task behavioral1
- Sample: ad967292a0b22c3289b6e7e58f45b439.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: ad967292a0b22c3289b6e7e58f45b439.exe
- Resource: win10v2004-20240226-en
General
- Target: ad967292a0b22c3289b6e7e58f45b439.exe
- Size: 388KB
- MD5: ad967292a0b22c3289b6e7e58f45b439
- SHA1: 58777aed823b559adff0090a8595b5ce1d57fe1b
- SHA256: dd7a328ba2cc59cf699efe1a83f45fb9da3837e7cb49e23312d9396e9536cca0
- SHA512: 8eba04c5fb6634ae7cff71b2757315e15930fdb9b43b1f48f2fba023969aaa28291c0dc4e4a0411367d4376dbaeb29660b2448f9e8c95ceb5eb1a5b18a8f711f
- SSDEEP: 6144:RcJNg4pnBwxLQ5ng945GYeunZAuJIVAbERCayvNoiCxy4xHhFmsdRVEbDC8yG:ioc2xU5ng90heunKA4RCay2PxykUy
Malware Config
Signatures
YARA rule match
- resource: behavioral1/files/0x000e000000014605-2.dat
- yara_rule: aspack_v212_v242 (ASPack packer signature)
Executes dropped EXE (1 IoC)
- PID 2512 JustZIPit.exe
Loads dropped DLL (8 IoCs)
- PID 2212 ad967292a0b22c3289b6e7e58f45b439.exe (2 events)
- PID 2512 JustZIPit.exe (6 events)
Modifies system executable filetype association (2 TTPs, 13 IoCs)
All 13 entries were written by JustZIPit.exe (PID 2512). They add two context-menu verbs (shell\JustZIPit and shell\JustZIPit_Email) under the exefile class; the default open command is not among the modified keys.
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\JustZIPit
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\JustZIPit_Email\ = "JustZIPit - then &Email"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\JustZIPit\Command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\JustZIPit
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\JustZIPit\Command\ = "C:\\Users\\Admin\\Documents\\AvatarSoft\\JustZIPit\\JustZIPit.exe \"%1\""
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\JustZIPit_Email\Command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\JustZIPit_Email\Command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\JustZIPit\Command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\JustZIPit\ = "Just&ZIPit - Create a ZIP File"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\JustZIPit_Email
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\JustZIPit_Email\Command\ = "C:\\Users\\Admin\\Documents\\AvatarSoft\\JustZIPit\\JustZIPit.exe \"-e\" \"%1\""
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\JustZIPit_Email
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings (iexplore.exe, IEXPLORE.EXE)
Modifies registry class (64 IoCs, all by JustZIPit.exe)
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 2468 iexplore.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
- PID 2468 iexplore.exe (2 events)
- PID 2236 IEXPLORE.EXE (4 events)
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 2212 ad967292a0b22c3289b6e7e58f45b439.exe wrote to memory of PID 2512 (procid_target 28), 4 events
- PID 2512 JustZIPit.exe wrote to memory of PID 2468 (procid_target 30), 4 events
- PID 2468 iexplore.exe wrote to memory of PID 2236 (procid_target 32), 4 events
Processes
ad967292a0b22c3289b6e7e58f45b439.exe (PID 2212)
  Path: C:\Users\Admin\AppData\Local\Temp\ad967292a0b22c3289b6e7e58f45b439.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad967292a0b22c3289b6e7e58f45b439.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  └─ JustZIPit.exe (PID 2512)
     Path: C:\Users\Admin\Documents\AvatarSoft\JustZIPit\JustZIPit.exe
     Command line: C:\Users\Admin\Documents\AvatarSoft\JustZIPit\JustZIPit.exe -firstlaunch
     - Executes dropped EXE
     - Loads dropped DLL
     - Modifies system executable filetype association
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
     └─ iexplore.exe (PID 2468)
        Path: C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\JustZIPit\About.htm
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        └─ IEXPLORE.EXE (PID 2236)
           Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
           Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2468 CREDAT:275457 /prefetch:2
           - Modifies Internet Explorer settings
           - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads