Analysis
max time kernel: 13s
max time network: 113s
platform: windows10_x64
resource: win10v20201028
submitted: 24-11-2020 00:57
Static task: static1
Behavioral task: behavioral1 (sample d.exe, resource win7v20201028)
Behavioral task: behavioral2 (sample d.exe, resource win10v20201028)
General
Target: d.exe
Size: 11.0MB
MD5: e4cecbd3ecf383a7312caa268c3adf04
SHA1: 17d5688ae3586d72b9f94a6dc6b450c33721f01f
SHA256: 74cf42fa8e330ff348d07adddeed191ede6edfb97fab2fb045df03e4637b90c8
SHA512: 5166c53d9e30221fd9d27fe7782bca9f0a82cced945f7994e3b7e5d103e052870bbbbd2e1a363e21a51f06cc733a3018806d6cd047a935736f7a60ca921c5b67
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  pid   process
  2080  d.tmp
  4052  wmfdist.exe
  4056  VirtualDVD.exe
Loads dropped DLL (2 IoCs)
  pid   process
  2080  d.tmp
  4056  VirtualDVD.exe
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (8 IoCs)
  description   ioc                                                                  process
  File created  C:\Windows\SysWOW64\VirtualDVD InstallData\is-CO6B7.tmp              d.tmp
  File created  C:\Windows\SysWOW64\VirtualDVD Windows10 InstallData\x86\is-0QLN3.tmp d.tmp
  File created  C:\Windows\SysWOW64\VirtualDVD Windows10 InstallData\x64\is-FCUMN.tmp d.tmp
  File created  C:\Windows\SysWOW64\VirtualDVD Windows10 InstallData\is-FI0A0.tmp     d.tmp
  File created  C:\Windows\SysWOW64\VirtualDVD Windows10 InstallData\is-2ONKL.tmp     d.tmp
  File created  C:\Windows\SysWOW64\VirtualDVD InstallData\x86\is-QUT1P.tmp           d.tmp
  File created  C:\Windows\SysWOW64\VirtualDVD InstallData\x64\is-31694.tmp           d.tmp
  File created  C:\Windows\SysWOW64\VirtualDVD InstallData\is-MFKN3.tmp               d.tmp
Drops file in Program Files directory (49 IoCs)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  2080  d.tmp
  2080  d.tmp
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  2080  d.tmp
Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   process  target process
  PID 3372 wrote to memory of 2080  3372  d.exe    d.tmp
  PID 3372 wrote to memory of 2080  3372  d.exe    d.tmp
  PID 3372 wrote to memory of 2080  3372  d.exe    d.tmp
  PID 2080 wrote to memory of 4052  2080  d.tmp    wmfdist.exe
  PID 2080 wrote to memory of 4052  2080  d.tmp    wmfdist.exe
  PID 2080 wrote to memory of 4052  2080  d.tmp    wmfdist.exe
  PID 2080 wrote to memory of 4056  2080  d.tmp    VirtualDVD.exe
  PID 2080 wrote to memory of 4056  2080  d.tmp    VirtualDVD.exe
  PID 2080 wrote to memory of 4056  2080  d.tmp    VirtualDVD.exe
Processes
depth 1  C:\Users\Admin\AppData\Local\Temp\d.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\d.exe"
         - Suspicious use of WriteProcessMemory
  depth 2  C:\Users\Admin\AppData\Local\Temp\is-B03O7.tmp\d.tmp
           command line: "C:\Users\Admin\AppData\Local\Temp\is-B03O7.tmp\d.tmp" /SL5="$20116,11195346,152064,C:\Users\Admin\AppData\Local\Temp\d.exe"
           - Executes dropped EXE
           - Loads dropped DLL
           - Drops file in System32 directory
           - Drops file in Program Files directory
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of FindShellTrayWindow
           - Suspicious use of WriteProcessMemory
    depth 3  C:\Program Files (x86)\VirtualDVD\wmfdist.exe
             command line: "C:\Program Files (x86)\VirtualDVD\wmfdist.exe" /Q:A /R:N
             - Executes dropped EXE
    depth 3  C:\Program Files (x86)\VirtualDVD\VirtualDVD.exe
             command line: "C:\Program Files (x86)\VirtualDVD\VirtualDVD.exe" d.exe
             - Executes dropped EXE
             - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\VirtualDVD\VirtualDVD.exe
- C:\Program Files (x86)\VirtualDVD\sqlite3.dll
- C:\Program Files (x86)\VirtualDVD\wmfdist.exe
- C:\Users\Admin\AppData\Local\Temp\is-B03O7.tmp\d.tmp
- \Users\Admin\AppData\Local\Temp\is-BA58E.tmp\_isetup\_iscrypt.dll