c330d14079d4369f8187211513db12bab43d6cf62bc6111b7d2ff1277fcb4fb0

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 09:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

VideoSolution.exe
Size

12.0MB
MD5

372be796e49f259f57b8b8538caf5d92
SHA1

506f230c06c6b2eed2854d343ae4ec4cc1826628
SHA256

2d4e42305dc6fb465ce6bdff2f6c956414180ef1f35f460441024c3a4e2f2498
SHA512

371e10a5dd53f9bd408cec8f6aea8690862cb95a5c21dad4d45806fb1540a3819f9c18f3a7cc95c56562bf125e19248e68c5f712fc82641d3957583fc791b1f2
SSDEEP

196608:ShF/IRInkwnXr1cmU2zrD/BVSTHKRtSW3YsjaRhW33WCDoyk6wCIsc:zRabSa/BAEtSgjaTwWCDRIj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2752	is-1HTUS.tmp

Loads dropped DLL 3 IoCs

pid	Process
2764	VideoSolution.exe
2752	is-1HTUS.tmp
2752	is-1HTUS.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VideoSolution.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-1HTUS.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2752	is-1HTUS.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2752	2764	VideoSolution.exe	30
PID 2764 wrote to memory of 2752	2764	VideoSolution.exe	30
PID 2764 wrote to memory of 2752	2764	VideoSolution.exe	30
PID 2764 wrote to memory of 2752	2764	VideoSolution.exe	30
PID 2764 wrote to memory of 2752	2764	VideoSolution.exe	30
PID 2764 wrote to memory of 2752	2764	VideoSolution.exe	30
PID 2764 wrote to memory of 2752	2764	VideoSolution.exe	30

C:\Users\Admin\AppData\Local\Temp\VideoSolution.exe
"C:\Users\Admin\AppData\Local\Temp\VideoSolution.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\is-1U4O4.tmp\is-1HTUS.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1U4O4.tmp\is-1HTUS.tmp" /SL4 $70122 "C:\Users\Admin\AppData\Local\Temp\VideoSolution.exe" 12243181 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-1U4O4.tmp\is-1HTUS.tmp

Filesize
648KB

MD5
0360b1d1195775766b2e78a7b463f658

SHA1
8e4b2b1b6d1e4446c979b0cea7db6db7eee21610

SHA256
bee86b674d51b4e21822e44f9408a69d60e282e39f5897888df334c74d840aa4

SHA512
23103b4457952091848f171f5c20351dd55ce1bce209da21c1b6792d6e0b13476a104698c31ad744df2df39408110d73f84b61e627bbb6d1d2a461db4370597d

Download Submit
\Users\Admin\AppData\Local\Temp\is-TA870.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2752-17-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2764-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2764-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2764-16-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download