a80493dc9447905331dbae9e82b43829a3ec91ae5e84f153717caf101fa8252e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2024 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vcodec.exe
Size

17KB
MD5

45555252350271fb0d196aa9225f1632
SHA1

e8eea8cf8c23ed0194dde6252e958cf731689f0c
SHA256

c4e29183a4f3841431efa073ad07c073da8eee0ceb7002be12d6e3ae0a5238bc
SHA512

4bdb580d8584b9e836356c11557167650482ff2964d0e5eff4d25240c35920028ee59fd6fca315228859717761fe6156f0d53c6698294e60f6adf138ba37c5c5
SSDEEP

384:+OZgLkjxvVuCuZuCY8eVy0hQiUgLHekO0tXkdqZ8pOOpm9IJBQYb8:+wPjneY810b/CkO0Nk8Z2OOpmKBQYb8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	vcodec.exe

Executes dropped EXE 1 IoCs

pid	Process
2152	mscornet.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mscornet.exe	vcodec.exe
File created	C:\Windows\SysWOW64\ld52F2.tmp	mscornet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2152	mscornet.exe
2152	mscornet.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4564	vcodec.exe
Token: SeIncBasePriorityPrivilege	4564	vcodec.exe
Token: SeDebugPrivilege	2152	mscornet.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 2152	4564	vcodec.exe	89
PID 4564 wrote to memory of 2152	4564	vcodec.exe	89
PID 4564 wrote to memory of 2152	4564	vcodec.exe	89
PID 2152 wrote to memory of 612	2152	mscornet.exe	3
PID 4564 wrote to memory of 2852	4564	vcodec.exe	90
PID 4564 wrote to memory of 2852	4564	vcodec.exe	90
PID 4564 wrote to memory of 2852	4564	vcodec.exe	90

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\vcodec.exe
"C:\Users\Admin\AppData\Local\Temp\vcodec.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\SysWOW64\mscornet.exe
  C:\Windows\system32\mscornet.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2152
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\vcodec.exe > nul
  2⤵
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mscornet.exe

Filesize
14KB

MD5
b822a4882fa96fbd0c45db60cdcaae14

SHA1
17cf6ba010a864758a32704a58b11b893f78c4ac

SHA256
6c12a8bca37a2722ba7c56c3566dd971b0ce9508d9db7788cee20ee27776adf1

SHA512
a749f5c259e137a292efb616cc847b67cdb833247ccc53cfef8762cff52004429043d60dbefffa04bd58a1bfb5e47936be56490d807e3f6e6916fca717894613

Download Submit