Analysis
- max time kernel: 110s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 29-05-2022 21:45
- Static task: static1
- Behavioral task: behavioral1
- Sample: 0d1c29f9674d7dd038221e8d3053b70f1e36bce54531eff08b0d122b3cdd8472.exe
- Resource: win7-20220414-en

General
- Target: 0d1c29f9674d7dd038221e8d3053b70f1e36bce54531eff08b0d122b3cdd8472.exe
- Size: 1000KB
- MD5: 501c35c30856063578d5f66e21af9de8
- SHA1: a1bbcfa137ac506b4d9b0af6ba71fa4d75c652f8
- SHA256: 0d1c29f9674d7dd038221e8d3053b70f1e36bce54531eff08b0d122b3cdd8472
- SHA512: f26df8ad2b366901138a180a3a4800a4ad864a017bc2973dd44e04df6620f352ae3cb54c597b6980b934fd716b7733d6900abc48701433f19fae0f12b373cdd8
Malware Config
Signatures
-
Loads dropped DLL 2 IoCs
Processes:
- pid 3116, process 0d1c29f9674d7dd038221e8d3053b70f1e36bce54531eff08b0d122b3cdd8472.exe
- pid 1848, process regsvr32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in Program Files directory 22 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
- Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Approved Extensions (process: 0d1c29f9674d7dd038221e8d3053b70f1e36bce54531eff08b0d122b3cdd8472.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{4f26c14e-7084-4b81-acc8-73fd924be71d} = 51667a6c4c1d3b1b5edc3353b222ec05b1ca37bd910ba002 (process: 0d1c29f9674d7dd038221e8d3053b70f1e36bce54531eff08b0d122b3cdd8472.exe)
-
Modifies registry class 36 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
- pid 3116, process 0d1c29f9674d7dd038221e8d3053b70f1e36bce54531eff08b0d122b3cdd8472.exe (listed 6 times)
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
- PID 3116 (0d1c29f9674d7dd038221e8d3053b70f1e36bce54531eff08b0d122b3cdd8472.exe) wrote to memory of PID 1848 (regsvr32.exe), reported 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\0d1c29f9674d7dd038221e8d3053b70f1e36bce54531eff08b0d122b3cdd8472.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d1c29f9674d7dd038221e8d3053b70f1e36bce54531eff08b0d122b3cdd8472.exe"
  PID: 3116
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (child of PID 3116)
    Command line: regsvr32 "C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta7334\ie\VideoPlayerV3beta7334.dll" /s
    PID: 1848
    - Loads dropped DLL
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta7334\ie\VideoPlayerV3beta7334.dll
  Filesize: 85KB
  MD5: 474430f69405c07f95f75feee5a50383
  SHA1: 63e8550d91e5b99776b5841b5568173b67f469fc
  SHA256: 41855f8991ac3b7df9c4fe78723ffafc4eb4c5e332a04d91efbc8f8f3e52f127
  SHA512: 85051703f3b2efd0815b11b3b9376efc2c3a69cf96d16fbcd11b7aeb4a9d7eb7a861a709c5a65a5cc4eddf6eea5c090c5559ddf76a274f01064f1fdc6b9ca0be
- C:\Users\Admin\AppData\Local\Temp\nso8543.tmp\aminsis.dll
  Filesize: 822KB
  MD5: 678a22e736f3bfa0d74ae2b1133a4c77
  SHA1: 964bbaf745a2b82bc23de0879b221bf6551b7283
  SHA256: c5799cbab76464874e857fbd16600c4b33298d809f4ef27a07b21f8724614f14
  SHA512: 058fa4ee5272623fcc9267958ad6d7befeb74efa079b8fa8e461830ec05b96ed933014360eac5ab61eff890b8ec1ea268d8b2781999515ed27ba0333751baa4a
- memory/1848-131-0x0000000000000000-mapping.dmp