Overview

overview

9

Static

static

94b93992e4...ed.exe

windows7_x64

8

94b93992e4...ed.exe

windows10_x64

9

Analysis

  • max time kernel
    126s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    17-11-2020 12:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94b93992e4968d36b4366673815847ed.exe

  • Size

    12.5MB

  • MD5

    095d2b42824e3e91facbfd195c6dcbfa

  • SHA1

    5ce029af0dd1037c834800f46cfc7d33ee96cf8f

  • SHA256

    f9c509c0e06a6c3677f248f69abed6831d600434e509cb27ed38f9682875bf9a

  • SHA512

    d51e5e8f68e294bbfce95ecafef8039aa9cd133fcbe15837928379ff3f7f6d1a5d0cc696b826c7f5035d063dd55835634dea5170b089f6fec706f5673dceed11

Score
8/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 49 IoCs
  • Modifies registry class 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94b93992e4968d36b4366673815847ed.exe
    "C:\Users\Admin\AppData\Local\Temp\94b93992e4968d36b4366673815847ed.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Users\Admin\AppData\Local\Temp\is-QSP0O.tmp\94b93992e4968d36b4366673815847ed.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-QSP0O.tmp\94b93992e4968d36b4366673815847ed.tmp" /SL5="$30158,12351485,776192,C:\Users\Admin\AppData\Local\Temp\94b93992e4968d36b4366673815847ed.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\xvid.ax"
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:884
      • C:\Program Files (x86)\Isoft Free Video Converter\wmfdist.exe
        "C:\Program Files (x86)\Isoft Free Video Converter\wmfdist.exe" /Q:A /R:N
        3⤵
        • Executes dropped EXE
        PID:1500
      • C:\Program Files (x86)\Isoft Free Video Converter\VideoConverter.exe
        "C:\Program Files (x86)\Isoft Free Video Converter\VideoConverter.exe" 94b93992e4968d36b4366673815847ed.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Isoft Free Video Converter\VideoConverter.exe
    MD5

    b7aa2acdbcd2f246494a5ac037bc47cc

    SHA1

    7bf49bd4fd3db213cf2918c5d275cba43cb49f1a

    SHA256

    09f13e9cd3e0f4fc19701b0349a27633212b124cd1c1e3b8868ebcc6d86e27b3

    SHA512

    f5085f61dd260297a84faa62c14e9dad99dfcdfbdf5db5d2305629dcc1dce373310aea8ff81f1bd63d0b3920834a5dd383ed79df48301912cb5e6bbb802d246d

    Download Submit
  • C:\Program Files (x86)\Isoft Free Video Converter\sqlite3.dll
    MD5

    e477a96c8f2b18d6b5c27bde49c990bf

    SHA1

    e980c9bf41330d1e5bd04556db4646a0210f7409

    SHA256

    16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

    SHA512

    335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

    Download Submit
  • C:\Program Files (x86)\Isoft Free Video Converter\wmfdist.exe
    MD5

    f59090e9a8070d7fbbdcc8895d2169a3

    SHA1

    370e62290cac6a6c7aa13442741caf6671437a54

    SHA256

    a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023

    SHA512

    45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a

    Download Submit
  • C:\Program Files (x86)\Isoft Free Video Converter\wmfdist.exe
    MD5

    f59090e9a8070d7fbbdcc8895d2169a3

    SHA1

    370e62290cac6a6c7aa13442741caf6671437a54

    SHA256

    a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023

    SHA512

    45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-QSP0O.tmp\94b93992e4968d36b4366673815847ed.tmp
    MD5

    4376b4cecb5244d11c5a7d8c465ca6ae

    SHA1

    8e56aba0def557e49a018766baa329f7cf71f225

    SHA256

    021bf86aac9942dffa5040f33324d240f655e11321d92e73ebc4177858ff9689

    SHA512

    d4f1338c2f7cff4731f7dd1ae7f4a717763cc82cd727f4caad82e37733842bd4afd446d94a465a3b41ebfeb1d96abd3a308fa7891a1a20eff89752f56851a2e6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-QSP0O.tmp\94b93992e4968d36b4366673815847ed.tmp
    MD5

    4376b4cecb5244d11c5a7d8c465ca6ae

    SHA1

    8e56aba0def557e49a018766baa329f7cf71f225

    SHA256

    021bf86aac9942dffa5040f33324d240f655e11321d92e73ebc4177858ff9689

    SHA512

    d4f1338c2f7cff4731f7dd1ae7f4a717763cc82cd727f4caad82e37733842bd4afd446d94a465a3b41ebfeb1d96abd3a308fa7891a1a20eff89752f56851a2e6

    Download Submit
  • C:\Windows\SysWOW64\xvid.ax
    MD5

    1dfc887cb243a525675ce04787dedf8b

    SHA1

    69163fbf6a40a34ae9f27e652b01b4cc8fb2cc5f

    SHA256

    0969d1f5501ad4be6f969ce45f44a739b2d61a50237f75ae7b77626d6a0aff11

    SHA512

    160a6df0774c359a3959088fe478d237b4fa597eaa0cf1b084b77ba8fcdb08137387fa3ce91bd40e3af6d2992be048e583368644fe6fa627918e8900833adde4

    Download Submit
  • \Program Files (x86)\Isoft Free Video Converter\VideoConverter.exe
    MD5

    b7aa2acdbcd2f246494a5ac037bc47cc

    SHA1

    7bf49bd4fd3db213cf2918c5d275cba43cb49f1a

    SHA256

    09f13e9cd3e0f4fc19701b0349a27633212b124cd1c1e3b8868ebcc6d86e27b3

    SHA512

    f5085f61dd260297a84faa62c14e9dad99dfcdfbdf5db5d2305629dcc1dce373310aea8ff81f1bd63d0b3920834a5dd383ed79df48301912cb5e6bbb802d246d

    Download Submit
  • \Program Files (x86)\Isoft Free Video Converter\VideoConverter.exe
    MD5

    b7aa2acdbcd2f246494a5ac037bc47cc

    SHA1

    7bf49bd4fd3db213cf2918c5d275cba43cb49f1a

    SHA256

    09f13e9cd3e0f4fc19701b0349a27633212b124cd1c1e3b8868ebcc6d86e27b3

    SHA512

    f5085f61dd260297a84faa62c14e9dad99dfcdfbdf5db5d2305629dcc1dce373310aea8ff81f1bd63d0b3920834a5dd383ed79df48301912cb5e6bbb802d246d

    Download Submit
  • \Program Files (x86)\Isoft Free Video Converter\sqlite3.dll
    MD5

    e477a96c8f2b18d6b5c27bde49c990bf

    SHA1

    e980c9bf41330d1e5bd04556db4646a0210f7409

    SHA256

    16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

    SHA512

    335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

    Download Submit
  • \Program Files (x86)\Isoft Free Video Converter\wmfdist.exe
    MD5

    f59090e9a8070d7fbbdcc8895d2169a3

    SHA1

    370e62290cac6a6c7aa13442741caf6671437a54

    SHA256

    a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023

    SHA512

    45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-QSP0O.tmp\94b93992e4968d36b4366673815847ed.tmp
    MD5

    4376b4cecb5244d11c5a7d8c465ca6ae

    SHA1

    8e56aba0def557e49a018766baa329f7cf71f225

    SHA256

    021bf86aac9942dffa5040f33324d240f655e11321d92e73ebc4177858ff9689

    SHA512

    d4f1338c2f7cff4731f7dd1ae7f4a717763cc82cd727f4caad82e37733842bd4afd446d94a465a3b41ebfeb1d96abd3a308fa7891a1a20eff89752f56851a2e6

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-RM8F9.tmp\_isetup\_iscrypt.dll
    MD5

    a69559718ab506675e907fe49deb71e9

    SHA1

    bc8f404ffdb1960b50c12ff9413c893b56f2e36f

    SHA256

    2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

    SHA512

    e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

    Download Submit
  • \Windows\SysWOW64\xvid.ax
    MD5

    1dfc887cb243a525675ce04787dedf8b

    SHA1

    69163fbf6a40a34ae9f27e652b01b4cc8fb2cc5f

    SHA256

    0969d1f5501ad4be6f969ce45f44a739b2d61a50237f75ae7b77626d6a0aff11

    SHA512

    160a6df0774c359a3959088fe478d237b4fa597eaa0cf1b084b77ba8fcdb08137387fa3ce91bd40e3af6d2992be048e583368644fe6fa627918e8900833adde4

    Download Submit
  • memory/884-6-0x0000000000000000-mapping.dmp
    Download
  • memory/1500-10-0x0000000000000000-mapping.dmp
    Download
  • memory/1816-14-0x0000000000000000-mapping.dmp
    Download
  • memory/1984-1-0x0000000000000000-mapping.dmp
    Download