e2b6c61998bc569a11863097cdfc06e892d477f2e312f6d28c90a9383a207a21

General

Target

FreemakeVideoConverterSetup_0712ab07-b646-faeb-d405-80360bd41b22.exe
Size

993KB
MD5

703dc7e738a27f02121af311c981b976
SHA1

c44fa3e35d25020667a27d9895079d2cb396f1dd
SHA256

e2b6c61998bc569a11863097cdfc06e892d477f2e312f6d28c90a9383a207a21
SHA512

e4bbde5f8774b15c44aaf4619b5b3eac7115c2994c93151c6d4dfc0c03232d30246e5f763aac89bef6cbf3f9b30d494b450ffb96ab3f975499bd14a854547f27
SSDEEP

12288:YSxG0wgUF888888888888W88888888888V32izEabYenR5TyeaDvsvXBIJ3HW05L:nxGxvhko5TyeWvsvXB+3HI1Vsr3V

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3980	FreemakeVideoConverterSetup_0712ab07-b646-faeb-d405-80360bd41b22.tmp

Loads dropped DLL 3 IoCs

pid	Process
3980	FreemakeVideoConverterSetup_0712ab07-b646-faeb-d405-80360bd41b22.tmp
3980	FreemakeVideoConverterSetup_0712ab07-b646-faeb-d405-80360bd41b22.tmp
3980	FreemakeVideoConverterSetup_0712ab07-b646-faeb-d405-80360bd41b22.tmp

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3980	2240	FreemakeVideoConverterSetup_0712ab07-b646-faeb-d405-80360bd41b22.exe	90
PID 2240 wrote to memory of 3980	2240	FreemakeVideoConverterSetup_0712ab07-b646-faeb-d405-80360bd41b22.exe	90
PID 2240 wrote to memory of 3980	2240	FreemakeVideoConverterSetup_0712ab07-b646-faeb-d405-80360bd41b22.exe	90
PID 3980 wrote to memory of 3356	3980	FreemakeVideoConverterSetup_0712ab07-b646-faeb-d405-80360bd41b22.tmp	91
PID 3980 wrote to memory of 3356	3980	FreemakeVideoConverterSetup_0712ab07-b646-faeb-d405-80360bd41b22.tmp	91
PID 3980 wrote to memory of 3356	3980	FreemakeVideoConverterSetup_0712ab07-b646-faeb-d405-80360bd41b22.tmp	91

C:\Users\Admin\AppData\Local\Temp\FreemakeVideoConverterSetup_0712ab07-b646-faeb-d405-80360bd41b22.exe
"C:\Users\Admin\AppData\Local\Temp\FreemakeVideoConverterSetup_0712ab07-b646-faeb-d405-80360bd41b22.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\is-TBIQV.tmp\FreemakeVideoConverterSetup_0712ab07-b646-faeb-d405-80360bd41b22.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TBIQV.tmp\FreemakeVideoConverterSetup_0712ab07-b646-faeb-d405-80360bd41b22.tmp" /SL5="$A003E,492653,402432,C:\Users\Admin\AppData\Local\Temp\FreemakeVideoConverterSetup_0712ab07-b646-faeb-d405-80360bd41b22.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C "ver > "C:\Users\Admin\AppData\Local\Temp\is-QSS8N.tmp\~execwithresult.txt""
    3⤵
    PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-QSS8N.tmp\freemake_dl.dll

Filesize
131KB

MD5
af56804db5beb8ac95199798f54f461b

SHA1
6065bc502b623deda68d17f6b7b1aa470bd5c42d

SHA256
6524c505e4c2b74dbb3c9470abaa4a09a71931cd973a74a5c54926537c2d26cb

SHA512
5bdd0f72cb0ff639ed806894800791bdd611c280624d3da5a3048727ec4466b3e3fe8e1f5f0748ae6cf1d84524001a24fcd7258aec41242d6b113552c83f5686

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QSS8N.tmp\itdownload.dll

Filesize
77KB

MD5
b4efe1200f09cbf02f0d2ae326a84f3b

SHA1
83102a7f5465a14c78d04ca6d8703c68a5c599ce

SHA256
6bd9984dd28ce8cc13e8eb3b5ee9f6c8a6967e3b2288918665e2ae67fa1eb56b

SHA512
14c83df5ca8ce92efddb07bda1c6fff9cfbbfb1348ff6c2e6b523110bb1fd10023e09986bc7967824a5cf37789080d81f2a5deedc3df3925825f73e2a87b52a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QSS8N.tmp\~execwithresult.txt

Filesize
47B

MD5
1a1ea0c1a7df5f91ecd62cda837a3273

SHA1
f358bcfc14b04949db83e04c4e181f526b3fc5f3

SHA256
9fea0616868155973e2b5ca5d1524359e47916e8aee14dfad123b533c737ee76

SHA512
666a013157c5544ef7ebad000d6a5e0f2b4020bb7e7d8792880b7c35c662b1c710e25a8893f75b8599cba5bb934c18f91a689f0f24c53b287e601475b1ae9f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TBIQV.tmp\FreemakeVideoConverterSetup_0712ab07-b646-faeb-d405-80360bd41b22.tmp

Filesize
1.4MB

MD5
14f5c8abebd8e51360030d1ae3137669

SHA1
1c72106cc170fe5b2bd20b9e59584af989fff486

SHA256
c9ba417f020aef7547038326d6892d1b4967634c7bb7068ed6498e8256546d46

SHA512
d575db9a4aac597751ccc5a524a8f5972298786c5f17713fc4072f2a84c0a7cade8e442c3737fb9e8879d5cd403788a638fe59821eb390b5d85e50fd9886ba32

Download Submit
memory/2240-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2240-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2240-8-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3980-7-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/3980-17-0x00000000026C0000-0x00000000026D8000-memory.dmp

Filesize
96KB

Download
memory/3980-27-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/3980-28-0x00000000026C0000-0x00000000026D8000-memory.dmp

Filesize
96KB

Download
memory/3980-30-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing