18cd82e1fa5b74161598e85297887fa8400f4423f6b4dc0fa550d655c6f41b21

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DivXCodec682Beta1.exe
Size

3.2MB
MD5

8896e70cf81bb56c2e4ca045ad750a9b
SHA1

4921376ff84e6478ee7bc489b4ffbb3ab21f7976
SHA256

9299b91e3d978e274e6c2dbc020238d0761bf11e7ed7ccc2a8ddeb3c042fac3a
SHA512

02e35df04e10164b9016a60db76e20c2849dad191b7c38bf5576efa516ad0ec31524f791818a5bb6e7a5aec09a1dfbb622d72359ef4a222cc7a80a0a3b485f32
SSDEEP

49152:H8rmj6HKpY4mMM8PAYOGGU+vwwyW4iC3P8qHdKb8aT85+hTUF6PKgP6Uy:HqmKK5jM8PgG2IwYTHdKb8aTU5FF5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2596	DivXComponent.exe
2912	DivXConnectionTester.exe

Loads dropped DLL 9 IoCs

pid	Process
2000	DivXCodec682Beta1.exe
2000	DivXCodec682Beta1.exe
2000	DivXCodec682Beta1.exe
2000	DivXCodec682Beta1.exe
2912	DivXConnectionTester.exe
2912	DivXConnectionTester.exe
2912	DivXConnectionTester.exe
2912	DivXConnectionTester.exe
2912	DivXConnectionTester.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe
2596	DivXComponent.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2912	DivXConnectionTester.exe
Token: SeBackupPrivilege	2912	DivXConnectionTester.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2596	2000	DivXCodec682Beta1.exe	2
PID 2000 wrote to memory of 2596	2000	DivXCodec682Beta1.exe	2
PID 2000 wrote to memory of 2596	2000	DivXCodec682Beta1.exe	2
PID 2000 wrote to memory of 2596	2000	DivXCodec682Beta1.exe	2
PID 2000 wrote to memory of 2912	2000	DivXCodec682Beta1.exe	1
PID 2000 wrote to memory of 2912	2000	DivXCodec682Beta1.exe	1
PID 2000 wrote to memory of 2912	2000	DivXCodec682Beta1.exe	1
PID 2000 wrote to memory of 2912	2000	DivXCodec682Beta1.exe	1
PID 2000 wrote to memory of 2912	2000	DivXCodec682Beta1.exe	1
PID 2000 wrote to memory of 2912	2000	DivXCodec682Beta1.exe	1
PID 2000 wrote to memory of 2912	2000	DivXCodec682Beta1.exe	1

C:\Users\Admin\AppData\Local\Temp\nso6C5C.tmp\DivXConnectionTester.exe
"C:\Users\Admin\AppData\Local\Temp\nso6C5C.tmp\DivXConnectionTester.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Users\Admin\AppData\Local\Temp\nso6C5C.tmp\DivXComponent.exe
C:\Users\Admin\AppData\Local\Temp\nso6C5C.tmp\DivXComponent.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2596

C:\Users\Admin\AppData\Local\Temp\DivXCodec682Beta1.exe
"C:\Users\Admin\AppData\Local\Temp\DivXCodec682Beta1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd6DA2.tmp\ConnectionTester.dll

Filesize
92KB

MD5
c0d23f9dd2f29b0ab20f2005b29b6a12

SHA1
412b1ff53c9d5d390d344787541450e091ea502b

SHA256
fcbf18736b567fff8839023bb1c3acb11a61ac58cee83e08cd40d333a1e13fe6

SHA512
75986c332c97397dd2ac6905a5ed03cee2b92c187ba2600c4c5eadede3333e166c0e0f3fd9f2a4fe1a36319596d20d93a4371b751c20929cbffed8b54f613744

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd6DA2.tmp\System.dll

Filesize
10KB

MD5
ed228603bf5d6ba382b59274dba35a0a

SHA1
037d40e0399902b5119d48995dfd2e96bc6de9a4

SHA256
a1bada98dffbe23a96af2ce3f4df7d7927cec6ea0a1d2d1f77862fb117a74f37

SHA512
9dabf495eaeb979235b7626c0619bb8eaab61c158e66799b1afdb1500952c789b7ea645a358c8961876e06a9ec168159ef405b6238ec692f1f89fc1ccb1e9ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6C5C.tmp\DivXComponent.exe

Filesize
253KB

MD5
765da8afd2f9f75a3d39f35d79772443

SHA1
49531fb01d41f6af3fe31f67e58a75e1f7dcb584

SHA256
d1f0137cf37774adb2453eda1b15ead9f7c5a417af1269077d422ec4791fbdc5

SHA512
87c4299e40f292091e47a2171f8d335f2fb4587a73dd7c2722684854cab4cd35e4327ed065ab3eeb284f1ea9aefda6a5a7c606fb376d39cee891e0765637e457

Download Submit
\Users\Admin\AppData\Local\Temp\nso6C5C.tmp\DivXConnectionTester.exe

Filesize
80KB

MD5
d1b411fc28aa7839bb236febc0950c96

SHA1
58c65d6501c16cb57cc7254d4292e6fd9deba2bb

SHA256
d6088d64ea8d85e6439b0845b7ef1086403b3103f5a5e04e0d32a1f9f965b57b

SHA512
be36614d0d07869bb94f3fe50454970ca7426fd19c6915687fd64a665bc84a015e745c4d7dcda0bf5bf3096820f9bd2a086ae313947bb064206f1a86f8fdf9ee

Download Submit
\Users\Admin\AppData\Local\Temp\nso6C5C.tmp\LangDLL.dll

Filesize
5KB

MD5
6e78b62a574b8ef6fe3ad1ccbd46e327

SHA1
1b7b1edbbf39136cf36aa6198986a00a66b674d2

SHA256
b7f02b15889971b80f3f9debd62ba7428e93d51b34239489e1bb899be446f28e

SHA512
c7b77d68f821c0bd6943f1fcea5939d19ef07633e8b8b01383036669cdf89c52b4fd8a6a3197306a0f3ad52439beeb8d2afc29f2fa8bfeceb7942fd92daee17b

Download Submit
memory/2912-32-0x0000000000540000-0x0000000000559000-memory.dmp

Filesize
100KB

Download