e3325199c2bb2c7a83fb397f95a837bb3a5641d5d71f9785b22321e260ae09db

General

Target

dfa checker beta test.rar
Size

376KB
MD5

2f8eee61f81b562b9bf975ee0bda706e
SHA1

f739a8f38ff33aaf8652e8b5dad296c8111074fe
SHA256

e3325199c2bb2c7a83fb397f95a837bb3a5641d5d71f9785b22321e260ae09db
SHA512

217f2344117a728ef009e4efa712856d8e0f26551991ec7e767f14304f2c2f7c1dcaa957926a6a96268a8ed36eb2a7bc415be382c9590bbcf35a6a0eea597c58
SSDEEP

6144:XYQj2EzpYBjC2rx+RqXYbe6Vhw3H9mFqwK7zNQuzTEP8eSpwB7Wnq8:orEzpYoNsYbzVhw3HIFqwgZwPvMwhWnR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2532	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2532	vlc.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe
2532	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2532	vlc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2944	1712	cmd.exe	32
PID 1712 wrote to memory of 2944	1712	cmd.exe	32
PID 1712 wrote to memory of 2944	1712	cmd.exe	32
PID 2944 wrote to memory of 2696	2944	rundll32.exe	33
PID 2944 wrote to memory of 2696	2944	rundll32.exe	33
PID 2944 wrote to memory of 2696	2944	rundll32.exe	33
PID 2696 wrote to memory of 2532	2696	rundll32.exe	35
PID 2696 wrote to memory of 2532	2696	rundll32.exe	35
PID 2696 wrote to memory of 2532	2696	rundll32.exe	35

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\dfa checker beta test.rar"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\dfa checker beta test.rar
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\dfa checker beta test.rar
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\dfa checker beta test.rar"
      4⤵
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
103B

MD5
68dda32d6af3f2d567054d29dbb8efbd

SHA1
9f905ce16afa295c37ebf47df7b339b87ddfa354

SHA256
92b2342d8738dc6f9987b6691a1cdadda51b0e022113039f0024f84fd8f61e4c

SHA512
2639e4a4576b80a3ae8f3a78c8f8f392e5376271f34609829827aed28e97948eb46712067ba0724f9f9a840077d81eb0e67d025976d68fb59e2cb1e4a3531ac3

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
98e27c03548a0eabeae5607420d8bff9

SHA1
8082bae775983521fb41ea4c1b9b6ea28ec07e94

SHA256
d853a549a89014d54e60d9785be5588f070d63ba8af6f8538810f75f661506a5

SHA512
ae2e2505dd1c1a87a68bb442a6367d1bd85a8ebff2b55157255eeda786243695d20c48d9053e6a852f0eb9d9f5921c191b7068a818854293ce8b7edc45f5bbb3

Download Submit
memory/2532-57-0x000007FEF5130000-0x000007FEF5164000-memory.dmp

Filesize
208KB

Download
memory/2532-56-0x000000013F830000-0x000000013F928000-memory.dmp

Filesize
992KB

Download
memory/2532-59-0x000007FEFAA80000-0x000007FEFAA98000-memory.dmp

Filesize
96KB

Download
memory/2532-60-0x000007FEF69F0000-0x000007FEF6A07000-memory.dmp

Filesize
92KB

Download
memory/2532-61-0x000007FEF6310000-0x000007FEF6321000-memory.dmp

Filesize
68KB

Download
memory/2532-62-0x000007FEF4D20000-0x000007FEF4D37000-memory.dmp

Filesize
92KB

Download
memory/2532-63-0x000007FEF4D00000-0x000007FEF4D11000-memory.dmp

Filesize
68KB

Download
memory/2532-64-0x000007FEF4CE0000-0x000007FEF4CFD000-memory.dmp

Filesize
116KB

Download
memory/2532-65-0x000007FEF4CC0000-0x000007FEF4CD1000-memory.dmp

Filesize
68KB

Download
memory/2532-58-0x000007FEF4E70000-0x000007FEF5126000-memory.dmp

Filesize
2.7MB

Download
memory/2532-66-0x000007FEF4AB0000-0x000007FEF4CBB000-memory.dmp

Filesize
2.0MB

Download
memory/2532-73-0x000007FEF39B0000-0x000007FEF39F1000-memory.dmp

Filesize
260KB

Download
memory/2532-75-0x000007FEF3960000-0x000007FEF3978000-memory.dmp

Filesize
96KB

Download
memory/2532-77-0x000007FEF3920000-0x000007FEF3931000-memory.dmp

Filesize
68KB

Download
memory/2532-79-0x000007FEF38E0000-0x000007FEF38FB000-memory.dmp

Filesize
108KB

Download
memory/2532-78-0x000007FEF3900000-0x000007FEF3911000-memory.dmp

Filesize
68KB

Download
memory/2532-76-0x000007FEF3940000-0x000007FEF3951000-memory.dmp

Filesize
68KB

Download
memory/2532-80-0x000007FEF38C0000-0x000007FEF38D1000-memory.dmp

Filesize
68KB

Download
memory/2532-74-0x000007FEF3980000-0x000007FEF39A1000-memory.dmp

Filesize
132KB

Download
memory/2532-81-0x000007FEF38A0000-0x000007FEF38B8000-memory.dmp

Filesize
96KB

Download
memory/2532-82-0x000007FEF3870000-0x000007FEF38A0000-memory.dmp

Filesize
192KB

Download
memory/2532-85-0x000007FEF3760000-0x000007FEF3771000-memory.dmp

Filesize
68KB

Download
memory/2532-86-0x000007FEF3700000-0x000007FEF3757000-memory.dmp

Filesize
348KB

Download
memory/2532-87-0x000007FEF36D0000-0x000007FEF36F8000-memory.dmp

Filesize
160KB

Download
memory/2532-84-0x000007FEF3780000-0x000007FEF37FC000-memory.dmp

Filesize
496KB

Download
memory/2532-90-0x000007FEF3650000-0x000007FEF3673000-memory.dmp

Filesize
140KB

Download
memory/2532-92-0x000007FEF3610000-0x000007FEF3622000-memory.dmp

Filesize
72KB

Download
memory/2532-91-0x000007FEF3630000-0x000007FEF3641000-memory.dmp

Filesize
68KB

Download
memory/2532-67-0x000007FEF3A00000-0x000007FEF4AB0000-memory.dmp

Filesize
16.7MB

Download
memory/2532-89-0x000007FEF3680000-0x000007FEF3698000-memory.dmp

Filesize
96KB

Download
memory/2532-88-0x000007FEF36A0000-0x000007FEF36C4000-memory.dmp

Filesize
144KB

Download
memory/2532-83-0x000007FEF3800000-0x000007FEF3867000-memory.dmp

Filesize
412KB

Download
memory/2532-95-0x000007FEF4E70000-0x000007FEF5126000-memory.dmp

Filesize
2.7MB

Download
memory/2532-104-0x000007FEF3A00000-0x000007FEF4AB0000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing