b13446ae6440e09762228b790ef8c8c7b9f997ff36e2d242158ec6f634f3d629

General

Target

b13446ae6440e09762228b790ef8c8c7b9f997ff36e2d242158ec6f634f3d629.exe
Size

4.0MB
MD5

eee67d1d66527f9ab0190fb481e362c5
SHA1

943fcaf568baa453e9d8964e02cd900a34eb3666
SHA256

b13446ae6440e09762228b790ef8c8c7b9f997ff36e2d242158ec6f634f3d629
SHA512

f13d5c2b56f9859aa08f4d9e6369e95f8426fe11df903a3b76c85468e27168934c0474f1d3151a20993a7e911e1cd67efb7f24809741a9ff9129c0bdec15264e
SSDEEP

98304:ndLs+TC7TNVywqsvAaNyJXwmAvUVC1yhO7e:dLhQTN0wXA6eXt5CQhO7e

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4624	is-2LCNL.tmp
4772	VideoPRO.exe
5012	VideoPRO.exe

Loads dropped DLL 3 IoCs

pid	Process
4624	is-2LCNL.tmp
4624	is-2LCNL.tmp
4624	is-2LCNL.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	51.159.66.125

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\VideoPRO\unins000.dat	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-RT2SL.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-5NFLQ.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-BDGKO.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-V8BJ4.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-QAE0R.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-M8O86.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-2JIST.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-U1JK1.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Online\is-UE9KU.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Plugins\is-9OI6V.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-SO74F.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-O5A5J.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-GO2AS.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Online\is-QVTJA.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Help\is-0LGND.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\is-CQVAG.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\is-T5V2G.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-PEJJV.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-BE8PG.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Plugins\is-2DO53.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Plugins\is-1KO9T.tmp	is-2LCNL.tmp
File opened for modification	C:\Program Files (x86)\VideoPRO\VideoPRO.exe	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-2KMA3.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-U2KQV.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-PJTP1.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-P5IBD.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Plugins\is-8DMCR.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\unins000.dat	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-4O5TD.tmp	is-2LCNL.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-1CSLV.tmp	is-2LCNL.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 4624	5028	b13446ae6440e09762228b790ef8c8c7b9f997ff36e2d242158ec6f634f3d629.exe	84
PID 5028 wrote to memory of 4624	5028	b13446ae6440e09762228b790ef8c8c7b9f997ff36e2d242158ec6f634f3d629.exe	84
PID 5028 wrote to memory of 4624	5028	b13446ae6440e09762228b790ef8c8c7b9f997ff36e2d242158ec6f634f3d629.exe	84
PID 4624 wrote to memory of 4772	4624	is-2LCNL.tmp	85
PID 4624 wrote to memory of 4772	4624	is-2LCNL.tmp	85
PID 4624 wrote to memory of 4772	4624	is-2LCNL.tmp	85
PID 4624 wrote to memory of 5012	4624	is-2LCNL.tmp	88
PID 4624 wrote to memory of 5012	4624	is-2LCNL.tmp	88
PID 4624 wrote to memory of 5012	4624	is-2LCNL.tmp	88

C:\Users\Admin\AppData\Local\Temp\b13446ae6440e09762228b790ef8c8c7b9f997ff36e2d242158ec6f634f3d629.exe
"C:\Users\Admin\AppData\Local\Temp\b13446ae6440e09762228b790ef8c8c7b9f997ff36e2d242158ec6f634f3d629.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\is-0QMI8.tmp\is-2LCNL.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0QMI8.tmp\is-2LCNL.tmp" /SL4 $C005E "C:\Users\Admin\AppData\Local\Temp\b13446ae6440e09762228b790ef8c8c7b9f997ff36e2d242158ec6f634f3d629.exe" 3867261 109568
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Program Files (x86)\VideoPRO\VideoPRO.exe
    "C:\Program Files (x86)\VideoPRO\VideoPRO.exe" -i
    3⤵
    - Executes dropped EXE
    PID:4772
- - C:\Program Files (x86)\VideoPRO\VideoPRO.exe
    "C:\Program Files (x86)\VideoPRO\VideoPRO.exe" -s
    3⤵
    - Executes dropped EXE
    PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VideoPRO\VideoPRO.exe

Filesize
2.0MB

MD5
aa6f8df236b60c10b023419b01db7323

SHA1
a34a3a8ab37eedbc8cc860f142e20005f2aa5615

SHA256
659ee573bf82b11c8c510217f989161f96c7e644e5deb6190d29ca8c9295d879

SHA512
a4de6d030e88566b67988a654cd6c7289602e84124159812f3e178c0cd1fda83589127b4fdf6b3c7209dea91ddce81a354acc4f56dc28f486460f0052f0efa19

Download Submit
C:\Program Files (x86)\VideoPRO\VideoPRO.exe

Filesize
2.0MB

MD5
aa6f8df236b60c10b023419b01db7323

SHA1
a34a3a8ab37eedbc8cc860f142e20005f2aa5615

SHA256
659ee573bf82b11c8c510217f989161f96c7e644e5deb6190d29ca8c9295d879

SHA512
a4de6d030e88566b67988a654cd6c7289602e84124159812f3e178c0cd1fda83589127b4fdf6b3c7209dea91ddce81a354acc4f56dc28f486460f0052f0efa19

Download Submit
C:\Program Files (x86)\VideoPRO\VideoPRO.exe

Filesize
2.0MB

MD5
aa6f8df236b60c10b023419b01db7323

SHA1
a34a3a8ab37eedbc8cc860f142e20005f2aa5615

SHA256
659ee573bf82b11c8c510217f989161f96c7e644e5deb6190d29ca8c9295d879

SHA512
a4de6d030e88566b67988a654cd6c7289602e84124159812f3e178c0cd1fda83589127b4fdf6b3c7209dea91ddce81a354acc4f56dc28f486460f0052f0efa19

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0QMI8.tmp\is-2LCNL.tmp

Filesize
643KB

MD5
a991510c12f20ccf8a5231a32a7958c3

SHA1
122724d1a4fdea39af3aa427e4941158d7e91dfa

SHA256
0c3ab280e156e9ff6a325267bc5d721f71dcb12490a53a03a033d932272f9198

SHA512
8f387a6189f6fa51f84004706589ed1706dfd08dfc38c1f8ce3ce010f37efac085fd241396ab69bc25c86174a4637492163bf3cb26f88639551dc9fa0c52eafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0QMI8.tmp\is-2LCNL.tmp

Filesize
643KB

MD5
a991510c12f20ccf8a5231a32a7958c3

SHA1
122724d1a4fdea39af3aa427e4941158d7e91dfa

SHA256
0c3ab280e156e9ff6a325267bc5d721f71dcb12490a53a03a033d932272f9198

SHA512
8f387a6189f6fa51f84004706589ed1706dfd08dfc38c1f8ce3ce010f37efac085fd241396ab69bc25c86174a4637492163bf3cb26f88639551dc9fa0c52eafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63FJL.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63FJL.tmp\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63FJL.tmp\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
memory/4624-95-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4624-93-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/4624-7-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/4772-84-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/4772-86-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/4772-87-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/4772-82-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5012-122-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5012-113-0x0000000000830000-0x00000000008DA000-memory.dmp

Filesize
680KB

Download
memory/5012-91-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5012-140-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5012-96-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5012-97-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5012-100-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5012-103-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5012-106-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5012-109-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5012-112-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5012-137-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5012-114-0x0000000000830000-0x00000000008DA000-memory.dmp

Filesize
680KB

Download
memory/5012-118-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5012-119-0x0000000000830000-0x00000000008DA000-memory.dmp

Filesize
680KB

Download
memory/5012-90-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5012-125-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5012-128-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5012-131-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5012-134-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/5028-92-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5028-1-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing