cdc42d582dcfc216e12fd59853ed4d26affbc1a5615d5a578872f674272dd80f

Analysis

max time kernel
79s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 03:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.FileRepMalware.17033.29620.exe
Size

4.7MB
MD5

a143e23435905aaee78cca98f920b419
SHA1

32f33d44b67f41e438dbb81568f3cc0c566318b8
SHA256

cdc42d582dcfc216e12fd59853ed4d26affbc1a5615d5a578872f674272dd80f
SHA512

7182fd24418be9ade21027a9cefa167c2d58cb23ad5ea834244d156894d9e18abd4c6fd1e0e1e53834d406fa6e58ca2013f0aa3cd97a3cb0111069d55c5bd73b
SSDEEP

98304:Q3mosrpRSHF9xN7hSYSmNNgl0+LP0d6UdDkXUymC5TBJvMwMgiCDhokKvk4dm8:csrpRoF9DXJNN6bL05ZkX9mC11Mhs9Kz

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4244	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
808	vstorage-extension.exe
568	vstorage-extension.exe

Loads dropped DLL 3 IoCs

pid	Process
4244	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
4244	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
4244	SecuriteInfo.com.FileRepMalware.17033.29620.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-1BC9M.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-MK705.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-AN3JH.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-0K8HV.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-KHHQI.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File opened for modification	C:\Program Files (x86)\Video Storage EXT\unins000.dat	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-TJ0QC.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-2TBDN.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-80N2F.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-M635T.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-236CS.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\plugins\internal\is-014KH.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-050TH.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-C7HQV.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-HRDH1.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-NREAP.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-HGVGP.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-1E1M9.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-KSVJQ.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-P0GR4.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File opened for modification	C:\Program Files (x86)\Video Storage EXT\vstorage-extension.exe	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-88R8S.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-UEL3L.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-2F7LU.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-TULIU.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-N3414.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-T5DIC.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\stuff\is-SHK8J.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-PMBR8.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-1E0K3.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\stuff\is-AIBUJ.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\stuff\is-JQLBN.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\is-IV7IE.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-SF20J.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\lessmsi\is-CO7J7.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\plugins\internal\is-2EJMQ.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-A24NK.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\is-2ILIJ.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-ULHA7.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-MFHS4.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-E7D11.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-A1UGA.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-QTTIH.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-QSO5D.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-HEBI3.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-KU4V9.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-9DTBF.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\stuff\is-NA70F.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\unins000.dat	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-MLENO.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp
File created	C:\Program Files (x86)\Video Storage EXT\bin\x86\is-TG2UP.tmp	SecuriteInfo.com.FileRepMalware.17033.29620.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4244	SecuriteInfo.com.FileRepMalware.17033.29620.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 4244	2824	SecuriteInfo.com.FileRepMalware.17033.29620.exe	39
PID 2824 wrote to memory of 4244	2824	SecuriteInfo.com.FileRepMalware.17033.29620.exe	39
PID 2824 wrote to memory of 4244	2824	SecuriteInfo.com.FileRepMalware.17033.29620.exe	39
PID 4244 wrote to memory of 3336	4244	SecuriteInfo.com.FileRepMalware.17033.29620.tmp	91
PID 4244 wrote to memory of 3336	4244	SecuriteInfo.com.FileRepMalware.17033.29620.tmp	91
PID 4244 wrote to memory of 3336	4244	SecuriteInfo.com.FileRepMalware.17033.29620.tmp	91
PID 4244 wrote to memory of 808	4244	SecuriteInfo.com.FileRepMalware.17033.29620.tmp	94
PID 4244 wrote to memory of 808	4244	SecuriteInfo.com.FileRepMalware.17033.29620.tmp	94
PID 4244 wrote to memory of 808	4244	SecuriteInfo.com.FileRepMalware.17033.29620.tmp	94
PID 3336 wrote to memory of 4160	3336	net.exe	93
PID 3336 wrote to memory of 4160	3336	net.exe	93
PID 3336 wrote to memory of 4160	3336	net.exe	93
PID 4244 wrote to memory of 568	4244	SecuriteInfo.com.FileRepMalware.17033.29620.tmp	92
PID 4244 wrote to memory of 568	4244	SecuriteInfo.com.FileRepMalware.17033.29620.tmp	92
PID 4244 wrote to memory of 568	4244	SecuriteInfo.com.FileRepMalware.17033.29620.tmp	92

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.17033.29620.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.17033.29620.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\is-NPEB5.tmp\SecuriteInfo.com.FileRepMalware.17033.29620.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NPEB5.tmp\SecuriteInfo.com.FileRepMalware.17033.29620.tmp" /SL5="$40212,4622594,54272,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.17033.29620.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 31
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 31
      4⤵
      PID:4160
- - C:\Program Files (x86)\Video Storage EXT\vstorage-extension.exe
    "C:\Program Files (x86)\Video Storage EXT\vstorage-extension.exe" -s
    3⤵
    - Executes dropped EXE
    PID:568
- - C:\Program Files (x86)\Video Storage EXT\vstorage-extension.exe
    "C:\Program Files (x86)\Video Storage EXT\vstorage-extension.exe" -i
    3⤵
    - Executes dropped EXE
    PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Video Storage EXT\vstorage-extension.exe

Filesize
5KB

MD5
cebc5366f86e44a821bc39619ca46080

SHA1
57d5d725abe44f7edb8d8b4cacf8bc7d813df1bd

SHA256
7a5ba224bc99cd03ac5c49a044cb7aa81e2d2a904a7f08897221d6d9ead1b4f6

SHA512
683b23753272fe090507213da92912e9c3e20849af9811be848532eb67e950a5a26f689abb2630d89e639802a2d9e8824c88e710364ecc14b8ac14581bff950a

Download Submit
C:\Program Files (x86)\Video Storage EXT\vstorage-extension.exe

Filesize
21KB

MD5
bcf18951219a399626e3ad410bb54ab4

SHA1
286b539392354561fd5864333e4dc3106fa1ac0f

SHA256
0918c0a7f62e5263d9ab65cbb30e0a973accb375d487e22d80570f61333d61ff

SHA512
49f816714051ca36448ceb6c448ebd01cbd2c5a2519b10267232aa32769184acfb49b45cd4a3a68ec6e416b4ccbdce0c0450c003e371840645c7d9d6a5309278

Download Submit
C:\Program Files (x86)\Video Storage EXT\vstorage-extension.exe

Filesize
50KB

MD5
86e0428588ef1adfd8cd8c7edaf1310e

SHA1
848cd333c177ea413d9fff836fa9df8de18de27e

SHA256
0db0887f3f2d684a75ada07936e49cd39930fb9424370a7363956ccac6d2cdc5

SHA512
25fb10a0cf9194b6245810e8653ef204c7e7033618ed184088ebc86bc18d9ee6a9286d4c373ab5e295e28754ab5b318a78fd2dc2c4d421291ff3734ddf721bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I331P.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I331P.tmp\_isetup\_isdecmp.dll

Filesize
2KB

MD5
a28282056aed6b03457a9b16c5434770

SHA1
73a9d9279736aba2124010b3e078a8d4353b9e32

SHA256
c0c9bccdcc45846b3102755a87c233de6cd6700c95fab815672ed618c6275a35

SHA512
311ba570d562c515228196269266b54a7c785c637118276c12b1d8e707a2db14d47168385d8572990855f2fe7baae5fb60945082b414e3db6d60451b26a18fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I331P.tmp\_isetup\_isdecmp.dll

Filesize
6KB

MD5
eec4c933d4e7f0fd1a92a482004d750c

SHA1
1ced76db341f6a71dc6d5b7f90106092a5bc4cd7

SHA256
7a679de19dd29206dcaf83492fc0d009585fb3efc8ef073ba715185bdb79a06a

SHA512
5856b5e4505d705f6b63f1752a901814310a43c0bfa3b8bbc28574faeb50df61d58aba62b9b12f73153f5b2ae77d64f914b0bcbed202ae8d7f8b722248a2fec1

Download Submit
memory/568-162-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/568-166-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/568-184-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/568-133-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/568-181-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/568-176-0x0000000000930000-0x00000000009D2000-memory.dmp

Filesize
648KB

Download
memory/568-177-0x0000000000930000-0x00000000009D2000-memory.dmp

Filesize
648KB

Download
memory/568-175-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/568-172-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/568-169-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/568-136-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/568-131-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/568-141-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/568-140-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/568-144-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/568-147-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/568-150-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/568-154-0x0000000000930000-0x00000000009D2000-memory.dmp

Filesize
648KB

Download
memory/568-153-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/568-159-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/568-163-0x0000000000930000-0x00000000009D2000-memory.dmp

Filesize
648KB

Download
memory/808-124-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/808-129-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/808-128-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/808-125-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2824-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2824-134-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4244-137-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4244-135-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4244-6-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download