44ee695b532eb984e46de29569ce35854b37d409efaabb6bcf9f5316e2b0546d

Resubmissions

18-04-2024 18:50

240418-xha8wabh29 10

01-01-2024 15:12

240101-slnwxsfeh4 10

Analysis

max time kernel
1789s
max time network
1808s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exe
Size

2.0MB
MD5

7d3d04681922c50a4d7e716ebc2fd3a6
SHA1

8cdf195cf57a871e13fd67a9a9ac6dd836b9e958
SHA256

7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d
SHA512

65846e9852a967cca13de0e62f2d6c4489c84bd0e4857d68dbcef48dc4db7326e8fd8252bfb6bdf9fd780ad6059ff559bfb6df69e741a75a22ad14da6bc0c803
SSDEEP

24576:XN+lSpYnaceEGmmgqPpcfiBKs7qN9zg5MFkXgMkBH1n1yr6hw1R0D+UlVkG0lC99:XsaQe9DhyVu4wZkTn1yp0D5sS1HpV9F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

videoplugin.exe

pid process

2696 videoplugin.exe
Loads dropped DLL 1 IoCs

Processes:

7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exe

pid process

2096 7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

668 schtasks.exe

pid	process
2696	videoplugin.exe

pid	process
2096	7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exe

pid	process
668	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exevideoplugin.exe

description	pid	process
Token: SeDebugPrivilege	2096	7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exe
Token: SeDebugPrivilege	2696	videoplugin.exe
Token: 33	2696	videoplugin.exe
Token: SeIncBasePriorityPrivilege	2696	videoplugin.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exevideoplugin.exe

description	pid	process	target process
PID 2096 wrote to memory of 2696	2096	7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exe	videoplugin.exe
PID 2096 wrote to memory of 2696	2096	7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exe	videoplugin.exe
PID 2096 wrote to memory of 2696	2096	7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exe	videoplugin.exe
PID 2096 wrote to memory of 2696	2096	7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exe	videoplugin.exe
PID 2096 wrote to memory of 2696	2096	7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exe	videoplugin.exe
PID 2096 wrote to memory of 2696	2096	7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exe	videoplugin.exe
PID 2096 wrote to memory of 2696	2096	7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exe	videoplugin.exe
PID 2696 wrote to memory of 1276	2696	videoplugin.exe	schtasks.exe
PID 2696 wrote to memory of 1276	2696	videoplugin.exe	schtasks.exe
PID 2696 wrote to memory of 1276	2696	videoplugin.exe	schtasks.exe
PID 2696 wrote to memory of 1276	2696	videoplugin.exe	schtasks.exe
PID 2696 wrote to memory of 668	2696	videoplugin.exe	schtasks.exe
PID 2696 wrote to memory of 668	2696	videoplugin.exe	schtasks.exe
PID 2696 wrote to memory of 668	2696	videoplugin.exe	schtasks.exe
PID 2696 wrote to memory of 668	2696	videoplugin.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exe
"C:\Users\Admin\AppData\Local\Temp\7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Roaming\Drive Manager Support\videoplugin.exe
  "C:\Users\Admin\AppData\Roaming\Drive Manager Support\videoplugin.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\827123023.xml"
    3⤵
    - Creates scheduled task(s)
    PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\827123023.xml

Filesize
1KB

MD5
eb26ef14851563d43ed0a47f3c7279f6

SHA1
5bc0baf0725d3be5da415369d0f2398c0409bb1b

SHA256
43b5eb0ac0b2d1d8b15c37a2f27056d73ff5c9124ae34fd0c92f8ecb0751ace8

SHA512
e4b1522803dd6ead16c5d6cd919e3f67b47c87b8cfb5419f1a46caa077383440f9ec91c09c4a33bd8806ff5b60d5f7ff024a4d7628fc47f4d3d453a2992af1b1

Download Submit
\Users\Admin\AppData\Roaming\Drive Manager Support\videoplugin.exe

Filesize
2.0MB

MD5
7d3d04681922c50a4d7e716ebc2fd3a6

SHA1
8cdf195cf57a871e13fd67a9a9ac6dd836b9e958

SHA256
7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d

SHA512
65846e9852a967cca13de0e62f2d6c4489c84bd0e4857d68dbcef48dc4db7326e8fd8252bfb6bdf9fd780ad6059ff559bfb6df69e741a75a22ad14da6bc0c803

Download Submit
memory/2096-12-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/2096-3-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/2096-4-0x0000000000AC0000-0x0000000000B00000-memory.dmp

Filesize
256KB

Download
memory/2096-2-0x0000000000AC0000-0x0000000000B00000-memory.dmp

Filesize
256KB

Download
memory/2096-0-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/2096-1-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-14-0x00000000008F0000-0x0000000000930000-memory.dmp

Filesize
256KB

Download
memory/2696-13-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-15-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-18-0x0000000074510000-0x0000000074ABB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-19-0x00000000008F0000-0x0000000000930000-memory.dmp

Filesize
256KB

Download