3e1668158038ba8891424550de13c24cc327a64fd4934cf2f827fc97a3c0733a

Analysis

max time kernel
183s
max time network
226s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e1668158038ba8891424550de13c24cc327a64fd4934cf2f827fc97a3c0733a.exe
Size

20.8MB
MD5

47a228460148d0dc9cb7f6287505ca05
SHA1

5a4876ecd86ca9bbd78663a92a4e32647cab2256
SHA256

3e1668158038ba8891424550de13c24cc327a64fd4934cf2f827fc97a3c0733a
SHA512

4dffa7404fb1629e273d614db8c75842d3950f2e1ac4bc461531a4abe240fa6818dfe6eb3735a56e26d8818ed629972a6202b88207dcab5b018aa0b7a691471c
SSDEEP

393216:1gXgeaQPgvG9Nb83YANGjpvO57USqm8/IJFWJHW5TpPTiwbXq18X7yo:MjQUOoANKv47Rqm8A15TIwbLXuo

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

videoindir2013Setup.exe

pid process

2128 videoindir2013Setup.exe
Loads dropped DLL 4 IoCs

Processes:

videoindir2013Setup.exeMsiExec.exe

pid process

2128 videoindir2013Setup.exe
2128 videoindir2013Setup.exe
2128 videoindir2013Setup.exe
540 MsiExec.exe

pid	process
2128	videoindir2013Setup.exe

pid	process
2128	videoindir2013Setup.exe
2128	videoindir2013Setup.exe
2128	videoindir2013Setup.exe
540	MsiExec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

videoindir2013Setup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	videoindir2013Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	videoindir2013Setup.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 4 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e59b6c3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e59b6c3.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC7DA.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

videoindir2013Setup.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2128	videoindir2013Setup.exe
Token: SeIncreaseQuotaPrivilege	2128	videoindir2013Setup.exe
Token: SeSecurityPrivilege	1572	msiexec.exe
Token: SeCreateTokenPrivilege	2128	videoindir2013Setup.exe
Token: SeAssignPrimaryTokenPrivilege	2128	videoindir2013Setup.exe
Token: SeLockMemoryPrivilege	2128	videoindir2013Setup.exe
Token: SeIncreaseQuotaPrivilege	2128	videoindir2013Setup.exe
Token: SeMachineAccountPrivilege	2128	videoindir2013Setup.exe
Token: SeTcbPrivilege	2128	videoindir2013Setup.exe
Token: SeSecurityPrivilege	2128	videoindir2013Setup.exe
Token: SeTakeOwnershipPrivilege	2128	videoindir2013Setup.exe
Token: SeLoadDriverPrivilege	2128	videoindir2013Setup.exe
Token: SeSystemProfilePrivilege	2128	videoindir2013Setup.exe
Token: SeSystemtimePrivilege	2128	videoindir2013Setup.exe
Token: SeProfSingleProcessPrivilege	2128	videoindir2013Setup.exe
Token: SeIncBasePriorityPrivilege	2128	videoindir2013Setup.exe
Token: SeCreatePagefilePrivilege	2128	videoindir2013Setup.exe
Token: SeCreatePermanentPrivilege	2128	videoindir2013Setup.exe
Token: SeBackupPrivilege	2128	videoindir2013Setup.exe
Token: SeRestorePrivilege	2128	videoindir2013Setup.exe
Token: SeShutdownPrivilege	2128	videoindir2013Setup.exe
Token: SeDebugPrivilege	2128	videoindir2013Setup.exe
Token: SeAuditPrivilege	2128	videoindir2013Setup.exe
Token: SeSystemEnvironmentPrivilege	2128	videoindir2013Setup.exe
Token: SeChangeNotifyPrivilege	2128	videoindir2013Setup.exe
Token: SeRemoteShutdownPrivilege	2128	videoindir2013Setup.exe
Token: SeUndockPrivilege	2128	videoindir2013Setup.exe
Token: SeSyncAgentPrivilege	2128	videoindir2013Setup.exe
Token: SeEnableDelegationPrivilege	2128	videoindir2013Setup.exe
Token: SeManageVolumePrivilege	2128	videoindir2013Setup.exe
Token: SeImpersonatePrivilege	2128	videoindir2013Setup.exe
Token: SeCreateGlobalPrivilege	2128	videoindir2013Setup.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3e1668158038ba8891424550de13c24cc327a64fd4934cf2f827fc97a3c0733a.exemsiexec.exe

description	pid	process	target process
PID 2656 wrote to memory of 2128	2656	3e1668158038ba8891424550de13c24cc327a64fd4934cf2f827fc97a3c0733a.exe	videoindir2013Setup.exe
PID 2656 wrote to memory of 2128	2656	3e1668158038ba8891424550de13c24cc327a64fd4934cf2f827fc97a3c0733a.exe	videoindir2013Setup.exe
PID 2656 wrote to memory of 2128	2656	3e1668158038ba8891424550de13c24cc327a64fd4934cf2f827fc97a3c0733a.exe	videoindir2013Setup.exe
PID 1572 wrote to memory of 540	1572	msiexec.exe	MsiExec.exe
PID 1572 wrote to memory of 540	1572	msiexec.exe	MsiExec.exe
PID 1572 wrote to memory of 540	1572	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\3e1668158038ba8891424550de13c24cc327a64fd4934cf2f827fc97a3c0733a.exe
"C:\Users\Admin\AppData\Local\Temp\3e1668158038ba8891424550de13c24cc327a64fd4934cf2f827fc97a3c0733a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Admin\AppData\Local\Temp\miaAF0C.tmp\videoindir2013Setup.exe
.\videoindir2013Setup.exe /m="C:\Users\Admin\AppData\Local\Temp\3E1668~1.EXE" /k=""
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 673BF7FC2DDA1077B6037FEA248B8CF3
2⤵
- Loads dropped DLL
PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mia1\mWinRunExec.dll

Filesize
397KB

MD5
8e5d987fc8f3fa1b7ea0618963ddb85a

SHA1
070c86774fa0de5b1db741ba4f9b4a574591c3e7

SHA256
b43ddfdf5a7a3fb7f5126c7b997c89599dd36df0dae7bda08c3a7f9dc898e7b7

SHA512
4e53c36924483d9ff7aef29552ca7be7c02cfb2ad75025825f7013bfd095cbfd2aece1d94f1b9ee3b88cf4316c5f9e35853318e7503d216526dc4baef53ecd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia1\mWinRunExec.dll

Filesize
397KB

MD5
8e5d987fc8f3fa1b7ea0618963ddb85a

SHA1
070c86774fa0de5b1db741ba4f9b4a574591c3e7

SHA256
b43ddfdf5a7a3fb7f5126c7b997c89599dd36df0dae7bda08c3a7f9dc898e7b7

SHA512
4e53c36924483d9ff7aef29552ca7be7c02cfb2ad75025825f7013bfd095cbfd2aece1d94f1b9ee3b88cf4316c5f9e35853318e7503d216526dc4baef53ecd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia1\videoindir2013Setup.msi

Filesize
304KB

MD5
2dc5303d365cff3b295d1037bb941a39

SHA1
07bdddff5f712e69b236991060a692ad9aafb6d7

SHA256
49325e12fb1ab23572fd43fdeb952ca424e6e032c718ae6ee372915943cf9951

SHA512
72adcc7bb12e60a4757cfdcdda9c807672e0421b2f79318518ba8b43fe33f3c279312f51a2c1753c6ff71f4862d6f9c6b137800dfe8e948012baa23112da41a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\miaAF0C.tmp\mia.lib

Filesize
565KB

MD5
e6c930ab2d929ce6ac088799b57ae430

SHA1
8d1628b4f816dc93b8f843e7a28d760ad0edccc6

SHA256
d3125717c7f99cee05045995d10f2986f9a2608ffdedfb29b34b472f3f36f952

SHA512
a3d082674d9a4314bdae8e9ac429bd22030bc7ff69c695afd53ba9a785c7a5ff44fd7599278bb0422378b0aae3102d652f2cc03574285729196078f2717bae4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\miaAF0C.tmp\mia.lib

Filesize
565KB

MD5
e6c930ab2d929ce6ac088799b57ae430

SHA1
8d1628b4f816dc93b8f843e7a28d760ad0edccc6

SHA256
d3125717c7f99cee05045995d10f2986f9a2608ffdedfb29b34b472f3f36f952

SHA512
a3d082674d9a4314bdae8e9ac429bd22030bc7ff69c695afd53ba9a785c7a5ff44fd7599278bb0422378b0aae3102d652f2cc03574285729196078f2717bae4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\miaAF0C.tmp\videoindir2013Setup.exe

Filesize
2.4MB

MD5
bdc11e723f61150b9d636cfc9f12d529

SHA1
ac26954430eff9c85026ab69c5aa9a073d11df03

SHA256
8a624f1143b9490e5b158edf14eb0cc123e65272b5570f7f58838ea2d2da68bf

SHA512
9358a98d5e265c06b32810347647144612fe15d403666ddf39be0239ae85b0c96e7448baf1834b7a464cb1195a5957474821eec8d6f9d4461de3844004ac4eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\miaAF0C.tmp\videoindir2013Setup.exe

Filesize
2.4MB

MD5
bdc11e723f61150b9d636cfc9f12d529

SHA1
ac26954430eff9c85026ab69c5aa9a073d11df03

SHA256
8a624f1143b9490e5b158edf14eb0cc123e65272b5570f7f58838ea2d2da68bf

SHA512
9358a98d5e265c06b32810347647144612fe15d403666ddf39be0239ae85b0c96e7448baf1834b7a464cb1195a5957474821eec8d6f9d4461de3844004ac4eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\miaAF0C.tmp\videoindir2013Setup.msi

Filesize
300KB

MD5
c2fc8b72a8bf96cd67bcaad2640aa95d

SHA1
eafd41773590688e6a33a41888ddd76cb2d44d70

SHA256
cd9b5bccb7f728784c02d032fe3bfbf195d8887012b04f0bb5b1dc9c1ac2d0b7

SHA512
7432f22763b6ddeb9eaaa910db1912d1d78c11e29d1306b1944f57f8e52773dd9c6c7a7e31fda3df26177576acdf94f9a0649bc284b8da7498597189f42299dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\miaAF0C.tmp\videoindir2013Setup.res

Filesize
1.8MB

MD5
2ea86ad4d871fdda32ec0ca7b2d66765

SHA1
b194f1b0b3677de81a15c0b81daefc5907aa07e3

SHA256
89225cde69d30c120a8afc1381fc523271466c3fed497b167cfd204d7046f83d

SHA512
55c1710fae1b2156f3bd87e3f038198d12b563d2d9315711635da921b1ced4a8a71d5b4b04eaf65eea04210adbb2cd4dfa3df4d309e74e4f1326a9be84e3bba4

Download Submit
C:\Windows\Installer\MSIC7DA.tmp

Filesize
90KB

MD5
125ee0a0d1852d90b00fcc37956308b4

SHA1
4b350a2ab52c7b4d6b2b15ff2268040e0fe38089

SHA256
08c72daa01f1420d4bb22046afbd2cdebf76d5e70bacd7ee133c3675642dbe23

SHA512
1c1500be14fdafa20484d2bab61a4158567be20cc9b9fe25f33d0b1ec0eda91d803a738cf0a76276c911f1379f7a41c7019c6ea54fff96cb819b4e801f57c6f2

Download Submit
C:\Windows\Installer\MSIC7DA.tmp

Filesize
90KB

MD5
125ee0a0d1852d90b00fcc37956308b4

SHA1
4b350a2ab52c7b4d6b2b15ff2268040e0fe38089

SHA256
08c72daa01f1420d4bb22046afbd2cdebf76d5e70bacd7ee133c3675642dbe23

SHA512
1c1500be14fdafa20484d2bab61a4158567be20cc9b9fe25f33d0b1ec0eda91d803a738cf0a76276c911f1379f7a41c7019c6ea54fff96cb819b4e801f57c6f2

Download Submit
memory/540-143-0x0000000000000000-mapping.dmp

Download
memory/2128-141-0x0000000004E80000-0x0000000004EED000-memory.dmp

Filesize
436KB

Download
memory/2128-132-0x0000000000000000-mapping.dmp

Download