55bc45b779446728abed7a564fb7493518fb7b0e22ab07b916e77c811b71516a

General

Target

55bc45b779446728abed7a564fb7493518fb7b0e22ab07b916e77c811b71516a.exe
Size

704KB
MD5

ebd36b9a994e3c0bb40ea575c8df95f8
SHA1

ee26e5d8ced7ec79ed28641eb39d020f6851efb2
SHA256

55bc45b779446728abed7a564fb7493518fb7b0e22ab07b916e77c811b71516a
SHA512

84b697c1922c31d7a10061520183ce3bd94658c6de9985c99c272f1d41dedbd8e66da307a15ad553324657750cfe4b20878ba9cf549770fd5d2288f5aa0ee5c7
SSDEEP

12288:QIMy6/jhHvdQ+6+ec5V2PdM/Qxgd4qrR8zW3202is21uCCdnYbyFMI5w+3s5hnO3:FMyqBvdQ+6DaV2visOC2byCk3s5E14hA

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	55bc45b779446728abed7a564fb7493518fb7b0e22ab07b916e77c811b71516a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bc45b779446728abed7a564fb7493518fb7b0e22ab07b916e77c811b71516a.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	55bc45b779446728abed7a564fb7493518fb7b0e22ab07b916e77c811b71516a.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4988	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4988	vlc.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1088	55bc45b779446728abed7a564fb7493518fb7b0e22ab07b916e77c811b71516a.exe
4988	vlc.exe
4988	vlc.exe
4988	vlc.exe
4988	vlc.exe
4988	vlc.exe
4988	vlc.exe
4988	vlc.exe
4988	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1088	55bc45b779446728abed7a564fb7493518fb7b0e22ab07b916e77c811b71516a.exe
4988	vlc.exe
4988	vlc.exe
4988	vlc.exe
4988	vlc.exe
4988	vlc.exe
4988	vlc.exe
4988	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4988	vlc.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 4988	1088	55bc45b779446728abed7a564fb7493518fb7b0e22ab07b916e77c811b71516a.exe	88
PID 1088 wrote to memory of 4988	1088	55bc45b779446728abed7a564fb7493518fb7b0e22ab07b916e77c811b71516a.exe	88

C:\Users\Admin\AppData\Local\Temp\55bc45b779446728abed7a564fb7493518fb7b0e22ab07b916e77c811b71516a.exe
"C:\Users\Admin\AppData\Local\Temp\55bc45b779446728abed7a564fb7493518fb7b0e22ab07b916e77c811b71516a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\rickroll-roll.mp4"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4988-15-0x00007FFE8DEC0000-0x00007FFE8DEF4000-memory.dmp

Filesize
208KB

Download
memory/4988-14-0x00007FF785910000-0x00007FF785A08000-memory.dmp

Filesize
992KB

Download
memory/4988-16-0x00007FFE7E480000-0x00007FFE7E736000-memory.dmp

Filesize
2.7MB

Download
memory/4988-23-0x00007FFE8D2A0000-0x00007FFE8D2B1000-memory.dmp

Filesize
68KB

Download
memory/4988-24-0x00007FFE7E270000-0x00007FFE7E47B000-memory.dmp

Filesize
2.0MB

Download
memory/4988-22-0x00007FFE8D2C0000-0x00007FFE8D2DD000-memory.dmp

Filesize
116KB

Download
memory/4988-21-0x00007FFE8D2E0000-0x00007FFE8D2F1000-memory.dmp

Filesize
68KB

Download
memory/4988-20-0x00007FFE8DA10000-0x00007FFE8DA27000-memory.dmp

Filesize
92KB

Download
memory/4988-19-0x00007FFE8DE50000-0x00007FFE8DE61000-memory.dmp

Filesize
68KB

Download
memory/4988-18-0x00007FFE8DEA0000-0x00007FFE8DEB7000-memory.dmp

Filesize
92KB

Download
memory/4988-17-0x00007FFE97100000-0x00007FFE97118000-memory.dmp

Filesize
96KB

Download
memory/4988-31-0x00007FFE892D0000-0x00007FFE892E1000-memory.dmp

Filesize
68KB

Download
memory/4988-30-0x00007FFE892F0000-0x00007FFE89301000-memory.dmp

Filesize
68KB

Download
memory/4988-29-0x00007FFE8D030000-0x00007FFE8D041000-memory.dmp

Filesize
68KB

Download
memory/4988-28-0x00007FFE8D050000-0x00007FFE8D068000-memory.dmp

Filesize
96KB

Download
memory/4988-27-0x00007FFE8D230000-0x00007FFE8D251000-memory.dmp

Filesize
132KB

Download
memory/4988-26-0x00007FFE85610000-0x00007FFE85651000-memory.dmp

Filesize
260KB

Download
memory/4988-25-0x00007FFE7D1C0000-0x00007FFE7E270000-memory.dmp

Filesize
16.7MB

Download
memory/4988-43-0x00007FFE7D1C0000-0x00007FFE7E270000-memory.dmp

Filesize
16.7MB

Download
memory/4988-61-0x00007FFE7D1C0000-0x00007FFE7E270000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing