e6079b8dc9e8c870fbb23866446f52a94ec5ffdf49e86659223a0e2b7e5cdf7d

General

Target

2736-28-0x0000000000400000-0x0000000000442000-memory.exe
Size

264KB
MD5

77df8c2b9639878473b3c24ff2c566c6
SHA1

70bea44f11f4aac7a4053af7b6556a27925a8791
SHA256

e6079b8dc9e8c870fbb23866446f52a94ec5ffdf49e86659223a0e2b7e5cdf7d
SHA512

993e7a0ebbd82f6601becfb0246e7ab6ef0ac041935960f9a54aa14e93c955590815a633e45d663b6078cb323d87637df0ed60e67b55ef0321df70a868a74b8b
SSDEEP

3072:6xkscLyr1+IqiRuMHax13Y/390x95VJ5qUWxByEd:6xkscLyrlqG2kl0x9jQxA

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1404 4960 WerFault.exe 2736-28-0x0000000000400000-0x0000000000442000-memory.exe

pid	pid_target	process	target process
1404	4960	WerFault.exe	2736-28-0x0000000000400000-0x0000000000442000-memory.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings OpenWith.exe
Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

vlc.exevlc.exePOWERPNT.EXE

pid process

3484 vlc.exe
4512 vlc.exe
1816 POWERPNT.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

3484 vlc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

vlc.exevlc.exe

pid	process
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
4512	vlc.exe
4512	vlc.exe
4512	vlc.exe
4512	vlc.exe
4512	vlc.exe
4512	vlc.exe
4512	vlc.exe
4512	vlc.exe
4512	vlc.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

vlc.exevlc.exe

pid	process
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
3484	vlc.exe
4512	vlc.exe
4512	vlc.exe
4512	vlc.exe
4512	vlc.exe
4512	vlc.exe
4512	vlc.exe
4512	vlc.exe
4512	vlc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

OpenWith.exevlc.exevlc.exePOWERPNT.EXE

pid process

3792 OpenWith.exe
3484 vlc.exe
4512 vlc.exe
1816 POWERPNT.EXE
1816 POWERPNT.EXE
1816 POWERPNT.EXE
1816 POWERPNT.EXE

pid	process
3792	OpenWith.exe
3484	vlc.exe
4512	vlc.exe
1816	POWERPNT.EXE
1816	POWERPNT.EXE
1816	POWERPNT.EXE
1816	POWERPNT.EXE

C:\Users\Admin\AppData\Local\Temp\2736-28-0x0000000000400000-0x0000000000442000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\2736-28-0x0000000000400000-0x0000000000442000-memory.exe"
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 8
2⤵
- Program crash
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4960 -ip 4960
1⤵
PID:1288

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3792

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RedoRead.aiff"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3484

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ExpandDeny.mpeg"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4512

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\JoinEnable.potm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vlc\ml.xspf
Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
Filesize
75B

MD5
12f9bcaf7a45d41c470fa851736ae5d4

SHA1
8e02d64e6a90f56afe87995b40fa924ece46b5c4

SHA256
5f575128db61f8c589f0835554849ba93cb3407046594718ebb6e46f699d32ff

SHA512
0b72efad1c09639763fda1f1971cf3c56c54a5cde06b1d68d9765bcf5a9c4b5024daeab04f9d8d0dcbf3e219bb5bb77ed1d40e50ba57668b8127b221f4c86423

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
Filesize
523B

MD5
1c45f592ee3eca33795d86e971f413f5

SHA1
95bfc65fb4207b50aad806862454eee3c7a6ff05

SHA256
e55d44eb84d338376569f864017e0803abe6bc5db81498d4bd04a37650dc1c86

SHA512
d3d2e60f475b31b8f78f18c6ad9d45aedd8ae3dbb6c54c3a9d96e8ea3ce2e3278db38ceed921fe11db18c2c34f6b76bf33a5da9a92cfeba26b7b04705fdb1d44

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc
Filesize
94KB

MD5
7b37c4f352a44c8246bf685258f75045

SHA1
817dacb245334f10de0297e69c98b4c9470f083e

SHA256
ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e

SHA512
1e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02

Download Submit
memory/1816-70-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-508-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-527-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-62-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-63-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-78-0x00007FF908BC0000-0x00007FF908C7D000-memory.dmp

Filesize
756KB

Download
memory/1816-77-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-76-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-75-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-74-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-54-0x00007FF8CA7B0000-0x00007FF8CA7C0000-memory.dmp

Filesize
64KB

Download
memory/1816-56-0x00007FF8CA7B0000-0x00007FF8CA7C0000-memory.dmp

Filesize
64KB

Download
memory/1816-55-0x00007FF8CA7B0000-0x00007FF8CA7C0000-memory.dmp

Filesize
64KB

Download
memory/1816-57-0x00007FF8CA7B0000-0x00007FF8CA7C0000-memory.dmp

Filesize
64KB

Download
memory/1816-59-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-58-0x00007FF8CA7B0000-0x00007FF8CA7C0000-memory.dmp

Filesize
64KB

Download
memory/1816-60-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-61-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-73-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-72-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-66-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-65-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-64-0x00007FF8C7EC0000-0x00007FF8C7ED0000-memory.dmp

Filesize
64KB

Download
memory/1816-68-0x00007FF8C7EC0000-0x00007FF8C7ED0000-memory.dmp

Filesize
64KB

Download
memory/1816-69-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-67-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/1816-71-0x00007FF90A720000-0x00007FF90A929000-memory.dmp

Filesize
2.0MB

Download
memory/3484-23-0x00007FF649410000-0x00007FF649508000-memory.dmp

Filesize
992KB

Download
memory/3484-26-0x00007FF8E8900000-0x00007FF8E99B0000-memory.dmp

Filesize
16.7MB

Download
memory/3484-25-0x00007FF8FB250000-0x00007FF8FB506000-memory.dmp

Filesize
2.7MB

Download
memory/3484-24-0x00007FF8FB780000-0x00007FF8FB7B4000-memory.dmp

Filesize
208KB

Download
memory/3484-27-0x00007FF8E8010000-0x00007FF8E811E000-memory.dmp

Filesize
1.1MB

Download
memory/4512-53-0x00007FF8E7D80000-0x00007FF8E8E30000-memory.dmp

Filesize
16.7MB

Download
memory/4512-52-0x00007FF8E8E90000-0x00007FF8E8F9E000-memory.dmp

Filesize
1.1MB

Download
memory/4512-51-0x00007FF8E9560000-0x00007FF8E9816000-memory.dmp

Filesize
2.7MB

Download
memory/4512-50-0x00007FF8FB100000-0x00007FF8FB134000-memory.dmp

Filesize
208KB

Download
memory/4512-49-0x00007FF649410000-0x00007FF649508000-memory.dmp

Filesize
992KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads