0c1046109bef3e5a61721484fbeab6cc4ea3564d51dbb2913a8d64255bbcf529

General

Target

0c1046109bef3e5a61721484fbeab6cc4ea3564d51dbb2913a8d64255bbcf529.exe
Size

4.0MB
MD5

fa6b8cb075227646fc5621a380ae5faa
SHA1

66ea672ae6a3d071677e10cc0b22d50109aaeca1
SHA256

0c1046109bef3e5a61721484fbeab6cc4ea3564d51dbb2913a8d64255bbcf529
SHA512

fd442f1f9239fb8d7bb56a8b25dd0b954aeb606ee350597928041d43f4b0d2e70e7f2659a16b82b6717274f6eed51c56e58719b3dd67cf363fe159f607c9ebae
SSDEEP

98304:zdvvKeFQIwRQye3ZxVXSCvmcIxf/xTUk1Te+7e:BTFYq3ZxhSCvmrxf/xwmb7e

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1352	is-ONVDP.tmp
2436	VideoPRO.exe
3268	VideoPRO.exe

Loads dropped DLL 3 IoCs

pid	Process
1352	is-ONVDP.tmp
1352	is-ONVDP.tmp
1352	is-ONVDP.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	51.159.66.125

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\VideoPRO\Lang\is-V046M.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-DT1E5.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Plugins\is-KOPMF.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-702LQ.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-H6OV7.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-172RV.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-SUV9O.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Online\is-B85OE.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\is-B0CV5.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-26AL7.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-I4662.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-5QJUT.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-4TGJV.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-DP0G1.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Plugins\is-F5SIM.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-KH3AB.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-EGS8T.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-HFANL.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-GF650.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Plugins\is-PGLUR.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\unins000.dat	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Plugins\is-4PDAU.tmp	is-ONVDP.tmp
File opened for modification	C:\Program Files (x86)\VideoPRO\unins000.dat	is-ONVDP.tmp
File opened for modification	C:\Program Files (x86)\VideoPRO\VideoPRO.exe	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-G8NQE.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Help\is-A9K48.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-GHEGF.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-0Q11D.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Lang\is-UOA7F.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\Online\is-K5JVS.tmp	is-ONVDP.tmp
File created	C:\Program Files (x86)\VideoPRO\is-MRKHJ.tmp	is-ONVDP.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 1352	2592	0c1046109bef3e5a61721484fbeab6cc4ea3564d51dbb2913a8d64255bbcf529.exe	84
PID 2592 wrote to memory of 1352	2592	0c1046109bef3e5a61721484fbeab6cc4ea3564d51dbb2913a8d64255bbcf529.exe	84
PID 2592 wrote to memory of 1352	2592	0c1046109bef3e5a61721484fbeab6cc4ea3564d51dbb2913a8d64255bbcf529.exe	84
PID 1352 wrote to memory of 2436	1352	is-ONVDP.tmp	86
PID 1352 wrote to memory of 2436	1352	is-ONVDP.tmp	86
PID 1352 wrote to memory of 2436	1352	is-ONVDP.tmp	86
PID 1352 wrote to memory of 3268	1352	is-ONVDP.tmp	88
PID 1352 wrote to memory of 3268	1352	is-ONVDP.tmp	88
PID 1352 wrote to memory of 3268	1352	is-ONVDP.tmp	88

C:\Users\Admin\AppData\Local\Temp\0c1046109bef3e5a61721484fbeab6cc4ea3564d51dbb2913a8d64255bbcf529.exe
"C:\Users\Admin\AppData\Local\Temp\0c1046109bef3e5a61721484fbeab6cc4ea3564d51dbb2913a8d64255bbcf529.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Local\Temp\is-2QQCV.tmp\is-ONVDP.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-2QQCV.tmp\is-ONVDP.tmp" /SL4 $900DE "C:\Users\Admin\AppData\Local\Temp\0c1046109bef3e5a61721484fbeab6cc4ea3564d51dbb2913a8d64255bbcf529.exe" 3881674 137728
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Program Files (x86)\VideoPRO\VideoPRO.exe
    "C:\Program Files (x86)\VideoPRO\VideoPRO.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2436
- - C:\Program Files (x86)\VideoPRO\VideoPRO.exe
    "C:\Program Files (x86)\VideoPRO\VideoPRO.exe" -s
    3⤵
    - Executes dropped EXE
    PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VideoPRO\VideoPRO.exe

Filesize
2.0MB

MD5
47dd709d2c6f950bc72b63a805f72ab8

SHA1
70c24be2964e296e5f9b819b9858a7e3d9e10d2a

SHA256
32088e2308c2dcf36890aaa55cad042690a373856801ceaa9df936550d3baab3

SHA512
adb8911ee67a942c4eec2640ac464d71401785c7376c4e3c4ed4f93d11bb4a573f1d0b2325ea238b47a661c16d4209ed89f11887843efad86f0549b26823b53f

Download Submit
C:\Program Files (x86)\VideoPRO\VideoPRO.exe

Filesize
2.0MB

MD5
47dd709d2c6f950bc72b63a805f72ab8

SHA1
70c24be2964e296e5f9b819b9858a7e3d9e10d2a

SHA256
32088e2308c2dcf36890aaa55cad042690a373856801ceaa9df936550d3baab3

SHA512
adb8911ee67a942c4eec2640ac464d71401785c7376c4e3c4ed4f93d11bb4a573f1d0b2325ea238b47a661c16d4209ed89f11887843efad86f0549b26823b53f

Download Submit
C:\Program Files (x86)\VideoPRO\VideoPRO.exe

Filesize
2.0MB

MD5
47dd709d2c6f950bc72b63a805f72ab8

SHA1
70c24be2964e296e5f9b819b9858a7e3d9e10d2a

SHA256
32088e2308c2dcf36890aaa55cad042690a373856801ceaa9df936550d3baab3

SHA512
adb8911ee67a942c4eec2640ac464d71401785c7376c4e3c4ed4f93d11bb4a573f1d0b2325ea238b47a661c16d4209ed89f11887843efad86f0549b26823b53f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2QQCV.tmp\is-ONVDP.tmp

Filesize
643KB

MD5
a991510c12f20ccf8a5231a32a7958c3

SHA1
122724d1a4fdea39af3aa427e4941158d7e91dfa

SHA256
0c3ab280e156e9ff6a325267bc5d721f71dcb12490a53a03a033d932272f9198

SHA512
8f387a6189f6fa51f84004706589ed1706dfd08dfc38c1f8ce3ce010f37efac085fd241396ab69bc25c86174a4637492163bf3cb26f88639551dc9fa0c52eafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2QQCV.tmp\is-ONVDP.tmp

Filesize
643KB

MD5
a991510c12f20ccf8a5231a32a7958c3

SHA1
122724d1a4fdea39af3aa427e4941158d7e91dfa

SHA256
0c3ab280e156e9ff6a325267bc5d721f71dcb12490a53a03a033d932272f9198

SHA512
8f387a6189f6fa51f84004706589ed1706dfd08dfc38c1f8ce3ce010f37efac085fd241396ab69bc25c86174a4637492163bf3cb26f88639551dc9fa0c52eafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AEMUU.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AEMUU.tmp\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AEMUU.tmp\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
memory/1352-7-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1352-94-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1352-92-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/2436-82-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2436-87-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2436-86-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2436-84-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2592-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2592-91-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3268-95-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3268-118-0x0000000000970000-0x0000000000A1A000-memory.dmp

Filesize
680KB

Download
memory/3268-96-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3268-99-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3268-102-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3268-105-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3268-108-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3268-111-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3268-112-0x0000000000970000-0x0000000000A1A000-memory.dmp

Filesize
680KB

Download
memory/3268-113-0x0000000000970000-0x0000000000A1A000-memory.dmp

Filesize
680KB

Download
memory/3268-117-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3268-90-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3268-121-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3268-124-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3268-127-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3268-130-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3268-133-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3268-134-0x0000000000970000-0x0000000000A1A000-memory.dmp

Filesize
680KB

Download
memory/3268-135-0x0000000000970000-0x0000000000A1A000-memory.dmp

Filesize
680KB

Download
memory/3268-139-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/3268-142-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing