8d552cc759fb010e6a6fffd0b9210e7c1ad608d74db3b212e68e16b7fb4c3cba

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/03/2024, 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FILMORA 13 [LATEST].exe
Size

841KB
MD5

cd1906c7863d47729b0e67f618c416f8
SHA1

b477551537909240af8cd5ab92c1b10668ae9b6b
SHA256

8d552cc759fb010e6a6fffd0b9210e7c1ad608d74db3b212e68e16b7fb4c3cba
SHA512

c3a4c18d10711b2ffd71a4ef6b1f9977c98c3e3e5d63d16977c1e7cd32b0c0f1c02a83ae69af6f12fe9e415afb8ad062a428d3a7a28b0d5650d35923549369e1
SSDEEP

12288:MTmVRdJlYb5EQ8MzHRSwm9e9IjDxIMGy2o6+ceSrhLPRvwYu9GkZuVCUT47TALs5:MoPzybReDao6Pt1RYYMGwmCUT47sQ12y

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2564 created 1192	2564	Conventional.pif	21

Executes dropped EXE 2 IoCs

pid	Process
2564	Conventional.pif
2468	Conventional.pif

Loads dropped DLL 2 IoCs

pid	Process
2804	cmd.exe
2564	Conventional.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2564 set thread context of 2468	2564	Conventional.pif	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2544	tasklist.exe
2672	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2508	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2564	Conventional.pif
2564	Conventional.pif
2564	Conventional.pif
2564	Conventional.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	tasklist.exe
Token: SeDebugPrivilege	2672	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2564	Conventional.pif
2564	Conventional.pif
2564	Conventional.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2564	Conventional.pif
2564	Conventional.pif
2564	Conventional.pif

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2804	1184	FILMORA 13 [LATEST].exe	29
PID 1184 wrote to memory of 2804	1184	FILMORA 13 [LATEST].exe	29
PID 1184 wrote to memory of 2804	1184	FILMORA 13 [LATEST].exe	29
PID 1184 wrote to memory of 2804	1184	FILMORA 13 [LATEST].exe	29
PID 2804 wrote to memory of 2544	2804	cmd.exe	31
PID 2804 wrote to memory of 2544	2804	cmd.exe	31
PID 2804 wrote to memory of 2544	2804	cmd.exe	31
PID 2804 wrote to memory of 2544	2804	cmd.exe	31
PID 2804 wrote to memory of 2592	2804	cmd.exe	32
PID 2804 wrote to memory of 2592	2804	cmd.exe	32
PID 2804 wrote to memory of 2592	2804	cmd.exe	32
PID 2804 wrote to memory of 2592	2804	cmd.exe	32
PID 2804 wrote to memory of 2672	2804	cmd.exe	34
PID 2804 wrote to memory of 2672	2804	cmd.exe	34
PID 2804 wrote to memory of 2672	2804	cmd.exe	34
PID 2804 wrote to memory of 2672	2804	cmd.exe	34
PID 2804 wrote to memory of 2556	2804	cmd.exe	35
PID 2804 wrote to memory of 2556	2804	cmd.exe	35
PID 2804 wrote to memory of 2556	2804	cmd.exe	35
PID 2804 wrote to memory of 2556	2804	cmd.exe	35
PID 2804 wrote to memory of 2656	2804	cmd.exe	36
PID 2804 wrote to memory of 2656	2804	cmd.exe	36
PID 2804 wrote to memory of 2656	2804	cmd.exe	36
PID 2804 wrote to memory of 2656	2804	cmd.exe	36
PID 2804 wrote to memory of 2496	2804	cmd.exe	37
PID 2804 wrote to memory of 2496	2804	cmd.exe	37
PID 2804 wrote to memory of 2496	2804	cmd.exe	37
PID 2804 wrote to memory of 2496	2804	cmd.exe	37
PID 2804 wrote to memory of 2828	2804	cmd.exe	38
PID 2804 wrote to memory of 2828	2804	cmd.exe	38
PID 2804 wrote to memory of 2828	2804	cmd.exe	38
PID 2804 wrote to memory of 2828	2804	cmd.exe	38
PID 2804 wrote to memory of 2564	2804	cmd.exe	39
PID 2804 wrote to memory of 2564	2804	cmd.exe	39
PID 2804 wrote to memory of 2564	2804	cmd.exe	39
PID 2804 wrote to memory of 2564	2804	cmd.exe	39
PID 2804 wrote to memory of 2508	2804	cmd.exe	40
PID 2804 wrote to memory of 2508	2804	cmd.exe	40
PID 2804 wrote to memory of 2508	2804	cmd.exe	40
PID 2804 wrote to memory of 2508	2804	cmd.exe	40
PID 2564 wrote to memory of 2468	2564	Conventional.pif	41
PID 2564 wrote to memory of 2468	2564	Conventional.pif	41
PID 2564 wrote to memory of 2468	2564	Conventional.pif	41
PID 2564 wrote to memory of 2468	2564	Conventional.pif	41
PID 2564 wrote to memory of 2468	2564	Conventional.pif	41
PID 2564 wrote to memory of 2468	2564	Conventional.pif	41

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\FILMORA 13 [LATEST].exe
  "C:\Users\Admin\AppData\Local\Temp\FILMORA 13 [LATEST].exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Jazz Jazz.bat & Jazz.bat & exit
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2544
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2672
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 10776
      4⤵
      PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Projects + Makers + Producers + Mexico + Appliance 10776\Conventional.pif
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Promotions + Dollars + Transition 10776\W
      4⤵
      PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10776\Conventional.pif
      10776\Conventional.pif 10776\W
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2564
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2508
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10776\Conventional.pif
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10776\Conventional.pif
  2⤵
  - Executes dropped EXE
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10776\W

Filesize
595KB

MD5
0451b84e177975f235961a36d679c34f

SHA1
285b96964b70f23e54b5f4fc6f80bdc3c038cf50

SHA256
d9323feddda7bccdff87a7006138ed2ac8d966408d6daf07ae7ef8ce5c9365fa

SHA512
0b6e0f3f6b4ab560e7970f73987573033a1c79fa6ac2a5242d7f391636dd935af09e1d8d4c463ffb7e10715e1bb97c44d89d5baaf0efc3511de5e5c711c8888c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appliance

Filesize
124KB

MD5
fd27be119556d6ea8774a72b62997f47

SHA1
df7d3d657ff449bfddc034fe5b637f7d054b2a48

SHA256
df6a3c9ee84f766bbbb1ca3def54b7dcd24c2d1e88774a6162c277df126cf09c

SHA512
114bda917fb7ce012a8cb7299a29830fb0c7179cac749f0d0602ed0b9acc5494f5d92687f0825610925d111087b0010d03efa346d4f9ad395dc3108e61112cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dollars

Filesize
267KB

MD5
3300545b635ddbec733a4e9827e15d9b

SHA1
a730338bc5a9d36a2ff3b27b05cd2b4742ceea13

SHA256
20892b4e9f73c2bf6d2c596b9d00be0c679f3daaf5da71eccfdacfbaae7a747b

SHA512
a4b5a52c9a90e4707aff16d899680b24d792fb586ec34b481f43174d052c771f6b193150e028277dba4b72514e80db9d3059df70484489accde2173aef8bd0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Jazz

Filesize
11KB

MD5
7cf4eb8d80dda0cc8e0bdf7cb242091e

SHA1
f292e582e9222899a895360dd3f165a01bfa72b0

SHA256
29c20d9435ec8640e7f57233f43c9356b37a05fb6c4b29938dac755d48ed8070

SHA512
f1eaa0050c3764ef7ec647d9e43a1f8695261a31499f57e76993e5f246772a206d270cf6b0d4b1d66dd97d0e29911b35b2a1381e6d7c488c2ba78194ba1267da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Makers

Filesize
157KB

MD5
324167d21fdb1415be17242b3f628991

SHA1
d2b6155e158fa6ae645cc1df90d4dc4f9ca5b754

SHA256
1a24f30941fd6748dee61c27e76dc9d0944a06c50fbfd1e1e7c0dee2f2d312d7

SHA512
1605ed990fa57f645ace09c154ca81e78048d7cba96cb91ba1d41ee104b43fc7f49ffec9a12cda3ae74fe27c967f78d09e01581dbb7489b19bfa50efdc0b0ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mexico

Filesize
260KB

MD5
70ab199475e2f54fac1050f34e1f6dd5

SHA1
e95dd15e1108ae2eab02c5c7f5dfd2dc49c5eb6e

SHA256
9d7c1993006ef27f7d46abcadb213118364f40238e42122115b88bd831ba99b4

SHA512
6837371e6f29d0556ec315ebbe92d763a14e20c48a53a6369288616d405b2590d66fa6d81557186e681037342ae14864af410feb2c2ed21f9c8c94a9a629ad24

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Producers

Filesize
199KB

MD5
411848bec112c50bf158289496479e46

SHA1
aa09fc72d0b2ea84d5164c3f804f30d5eb46245b

SHA256
4eca2017d72de2235c7f72a8b638da746b02057980ff3008b8e1facfb75ff53e

SHA512
764e507ef2fe6ee3d5cd990c35d2fb5c54a4c5605441648eeccb53cdf212a216a4dd8f965fec04fa575fbc6619647de2155a2f8683e7ea91f89850fffc3f96cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Projects

Filesize
184KB

MD5
1538ce51b0a02ec4e04c8e3cb53020cb

SHA1
4e7f8e619f3ff05b330b386cbe44a64c319a347a

SHA256
bb74ba920a49685ff1b366c38f59a41c8b5a9749062febd08a4927cf08c68b7a

SHA512
9461542339f269e5da6d138cb5a044fd98505a3579e6898830d5eae6aff3c894112c2731b766fdd3b2fb484ab4def2dfc4f051b659671d3e10a33c24998fc3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Promotions

Filesize
220KB

MD5
58a9e1be12c510b6dd8258ac643f7417

SHA1
d5f8fe827825d1a27e2fa1e0a52d88901c5a0a77

SHA256
49e968f090b436408803d98779a38f95c9f8048c772b51e8e4084b8bb93c435b

SHA512
5c8d095ae81fadb90ea524aac62b34aea6efaed4020ceb7ba13aba070b2593b19aabfce54b33f9c5820421cb5af1dfbcc65927f3d241844becd1a0d6bcc16bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Transition

Filesize
108KB

MD5
af5669d347e8b5f17879b7c6ad248912

SHA1
08b87792572f914ad8e3b349bcc42a630970d91a

SHA256
0b3c02f2feeab42c6479bde859c034e16fa60a3a391c964d7f5e9d3bd6988799

SHA512
83aa191315b99f35be6ea49a6f0b076b891d02415a2c78ce38c6d1c6dd267c4c445bac808427551e0e5e85352d0a729c6b8cdc114bbc1f6fe91ea0445dbf2f5a

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10776\Conventional.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
memory/2564-33-0x0000000076EB0000-0x0000000076F86000-memory.dmp

Filesize
856KB

Download
memory/2564-34-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download