c330d14079d4369f8187211513db12bab43d6cf62bc6111b7d2ff1277fcb4fb0

Analysis

max time kernel
140s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 09:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

VideoSolution.exe
Size

12.0MB
MD5

372be796e49f259f57b8b8538caf5d92
SHA1

506f230c06c6b2eed2854d343ae4ec4cc1826628
SHA256

2d4e42305dc6fb465ce6bdff2f6c956414180ef1f35f460441024c3a4e2f2498
SHA512

371e10a5dd53f9bd408cec8f6aea8690862cb95a5c21dad4d45806fb1540a3819f9c18f3a7cc95c56562bf125e19248e68c5f712fc82641d3957583fc791b1f2
SSDEEP

196608:ShF/IRInkwnXr1cmU2zrD/BVSTHKRtSW3YsjaRhW33WCDoyk6wCIsc:zRabSa/BAEtSgjaTwWCDRIj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2788	is-36BIF.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-36BIF.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VideoSolution.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2788	1552	VideoSolution.exe	85
PID 1552 wrote to memory of 2788	1552	VideoSolution.exe	85
PID 1552 wrote to memory of 2788	1552	VideoSolution.exe	85

C:\Users\Admin\AppData\Local\Temp\VideoSolution.exe
"C:\Users\Admin\AppData\Local\Temp\VideoSolution.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\is-KT6SN.tmp\is-36BIF.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KT6SN.tmp\is-36BIF.tmp" /SL4 $B004E "C:\Users\Admin\AppData\Local\Temp\VideoSolution.exe" 12243181 52224
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-KT6SN.tmp\is-36BIF.tmp

Filesize
648KB

MD5
0360b1d1195775766b2e78a7b463f658

SHA1
8e4b2b1b6d1e4446c979b0cea7db6db7eee21610

SHA256
bee86b674d51b4e21822e44f9408a69d60e282e39f5897888df334c74d840aa4

SHA512
23103b4457952091848f171f5c20351dd55ce1bce209da21c1b6792d6e0b13476a104698c31ad744df2df39408110d73f84b61e627bbb6d1d2a461db4370597d

Download Submit
memory/1552-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1552-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/1552-13-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2788-10-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2788-14-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download