dc6dd9ec307e895deed204301acbf94f9a185c0e29f1866a3afe3480a9c256e8

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vm0506.exe
Size

2.2MB
MD5

aae9cea1ffa6b058aca355749079bb7f
SHA1

0e61bcc8a4af14c3c668db907ad3ab8cd482e3b0
SHA256

71181e591ed7751b7974048d0646c5b816249cd0ab3e8e21439fedfa0c51d875
SHA512

ace261ad39169c32030730d71b36aa40cfc3d3ba88ddb816845380d4e8ce7a908fd942cd6e5b138350962c2790f32d7f603b82d8e60a2cefcb2da2d5d9045c21
SSDEEP

24576:teJgHGVg/mrpVdKsPNQGdl+2Yn8jiIYYF0rdLv8EycUJj3+s/griHqvx7EHXIrKf:UyWu2NQGbY5CmdLvZP0/gwOKqxMTq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4912	REGSVR32.EXE

Loads dropped DLL 2 IoCs

pid	Process
4912	REGSVR32.EXE
4912	REGSVR32.EXE

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\csXImage.ocx	vm0506.exe
File opened for modification	C:\Windows\SysWOW64\csXImage.ocx	vm0506.exe
File created	C:\Windows\SysWOW64\WinIo.dll	vm0506.exe
File opened for modification	C:\Windows\SysWOW64\WinIo.dll	vm0506.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\VideoMate\paytypes.nms	vm0506.exe
File opened for modification	C:\Program Files (x86)\VideoMate\category.nms	vm0506.exe
File created	C:\Program Files (x86)\VideoMate\Manual.doc	vm0506.exe
File opened for modification	C:\Program Files (x86)\VideoMate\format.nms	vm0506.exe
File created	C:\Program Files (x86)\VideoMate\SEAUBAT.BAT	vm0506.exe
File opened for modification	C:\Program Files (x86)\VideoMate\VIDEOMATE.HLP	vm0506.exe
File opened for modification	C:\Program Files (x86)\VideoMate\REGSVR32.EXE	vm0506.exe
File opened for modification	C:\Program Files (x86)\VideoMate\Manual.doc	vm0506.exe
File opened for modification	C:\Program Files (x86)\VideoMate\ratings.nms	vm0506.exe
File opened for modification	C:\Program Files (x86)\VideoMate\logo.bmp	vm0506.exe
File created	C:\Program Files (x86)\VideoMate\REGSVR32.EXE	vm0506.exe
File opened for modification	C:\Program Files (x86)\VideoMate\VideoMate.exe	vm0506.exe
File opened for modification	C:\Program Files (x86)\VideoMate\VideoMate.cnt	vm0506.exe
File opened for modification	C:\Program Files (x86)\VideoMate\form.dat	vm0506.exe
File created	C:\Program Files (x86)\VideoMate\VideoMate.exe	vm0506.exe
File created	C:\Program Files (x86)\VideoMate\ratings.nms	vm0506.exe
File created	C:\Program Files (x86)\VideoMate\logo.bmp	vm0506.exe
File created	C:\Program Files (x86)\VideoMate\VideoMate.cnt	vm0506.exe
File created	C:\Program Files (x86)\VideoMate\form.dat	vm0506.exe
File created	C:\Program Files (x86)\VideoMate\photo.bmp	vm0506.exe
File created	C:\Program Files (x86)\VideoMate\format.nms	vm0506.exe
File created	C:\Program Files (x86)\VideoMate\category.nms	vm0506.exe
File opened for modification	C:\Program Files (x86)\VideoMate\photo.bmp	vm0506.exe
File opened for modification	C:\Program Files (x86)\VideoMate\Install.LOG	vm0506.exe
File created	C:\Program Files (x86)\VideoMate\VIDEOMATE.HLP	vm0506.exe
File created	C:\Program Files (x86)\VideoMate\contract.dat	vm0506.exe
File opened for modification	C:\Program Files (x86)\VideoMate\contract.dat	vm0506.exe
File opened for modification	C:\Program Files (x86)\VideoMate\paytypes.nms	vm0506.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vm0506.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REGSVR32.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{62E57FC0-1CCD-11D7-8344-00C1261173F0}\1.0\0	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E57FC1-1CCD-11D7-8344-00C1261173F0}	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E57FC1-1CCD-11D7-8344-00C1261173F0}\ProxyStubClsid32	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E57FC1-1CCD-11D7-8344-00C1261173F0}\TypeLib\Version = "1.0"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\ProgID	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\MiscStatus	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\MiscStatus\ = "0"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\Verb\0	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{62E57FC0-1CCD-11D7-8344-00C1261173F0}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\csXImage.ocx"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E57FC1-1CCD-11D7-8344-00C1261173F0}\ProxyStubClsid32	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E57FC1-1CCD-11D7-8344-00C1261173F0}\TypeLib	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\csXImage.ImageBox	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\Control\	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E57FC1-1CCD-11D7-8344-00C1261173F0}\ = "IImageBox"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E57FC3-1CCD-11D7-8344-00C1261173F0}	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\Version\ = "1.0"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E57FC1-1CCD-11D7-8344-00C1261173F0}	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E57FC1-1CCD-11D7-8344-00C1261173F0}\TypeLib	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E57FC1-1CCD-11D7-8344-00C1261173F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E57FC1-1CCD-11D7-8344-00C1261173F0}\TypeLib\ = "{62E57FC0-1CCD-11D7-8344-00C1261173F0}"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{62E57FC0-1CCD-11D7-8344-00C1261173F0}	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{62E57FC0-1CCD-11D7-8344-00C1261173F0}\1.0\HELPDIR	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E57FC3-1CCD-11D7-8344-00C1261173F0}	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\ProgID\ = "csXImage.ImageBox"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\Verb\	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E57FC3-1CCD-11D7-8344-00C1261173F0}\TypeLib\Version = "1.0"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\InprocServer32\ThreadingModel = "Apartment"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\csXImage.ImageBox\ = "csXImage Control"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\MiscStatus\1\ = "131473"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{62E57FC0-1CCD-11D7-8344-00C1261173F0}\1.0\0\win32	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{62E57FC0-1CCD-11D7-8344-00C1261173F0}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E57FC1-1CCD-11D7-8344-00C1261173F0}\TypeLib\ = "{62E57FC0-1CCD-11D7-8344-00C1261173F0}"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E57FC3-1CCD-11D7-8344-00C1261173F0}\TypeLib\ = "{62E57FC0-1CCD-11D7-8344-00C1261173F0}"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\csXImage.ImageBox\Clsid	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\Version	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\csXImage.ocx,1"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{62E57FC0-1CCD-11D7-8344-00C1261173F0}\1.0\FLAGS	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{62E57FC0-1CCD-11D7-8344-00C1261173F0}\1.0\FLAGS\ = "2"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E57FC1-1CCD-11D7-8344-00C1261173F0}\ = "IImageBox"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E57FC3-1CCD-11D7-8344-00C1261173F0}\TypeLib\Version = "1.0"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E57FC3-1CCD-11D7-8344-00C1261173F0}\ = "IImageBoxEvents"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E57FC3-1CCD-11D7-8344-00C1261173F0}\ProxyStubClsid32	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\csXImage.ImageBox\Clsid\ = "{62E57FC5-1CCD-11D7-8344-00C1261173F0}"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\MiscStatus\1	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{62E57FC0-1CCD-11D7-8344-00C1261173F0}\1.0	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{62E57FC0-1CCD-11D7-8344-00C1261173F0}\1.0\ = "csXImage Library"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E57FC1-1CCD-11D7-8344-00C1261173F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E57FC3-1CCD-11D7-8344-00C1261173F0}\ = "IImageBoxEvents"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E57FC3-1CCD-11D7-8344-00C1261173F0}\TypeLib	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\Control	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E57FC1-1CCD-11D7-8344-00C1261173F0}\TypeLib\Version = "1.0"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E57FC3-1CCD-11D7-8344-00C1261173F0}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E57FC3-1CCD-11D7-8344-00C1261173F0}\TypeLib\ = "{62E57FC0-1CCD-11D7-8344-00C1261173F0}"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\InprocServer32\ = "C:\\Windows\\SysWow64\\csXImage.ocx"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E57FC3-1CCD-11D7-8344-00C1261173F0}\ProxyStubClsid32	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E57FC3-1CCD-11D7-8344-00C1261173F0}\TypeLib	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\ = "csXImage Control"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\TypeLib	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\ToolboxBitmap32	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E57FC3-1CCD-11D7-8344-00C1261173F0}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\InprocServer32	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\TypeLib\ = "{62E57FC0-1CCD-11D7-8344-00C1261173F0}"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62E57FC5-1CCD-11D7-8344-00C1261173F0}\Verb	REGSVR32.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 2752	4816	vm0506.exe	89
PID 4816 wrote to memory of 2752	4816	vm0506.exe	89
PID 4816 wrote to memory of 2752	4816	vm0506.exe	89
PID 2752 wrote to memory of 4912	2752	cmd.exe	91
PID 2752 wrote to memory of 4912	2752	cmd.exe	91
PID 2752 wrote to memory of 4912	2752	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\vm0506.exe
"C:\Users\Admin\AppData\Local\Temp\vm0506.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /e:5000 /c "C:\Program Files (x86)\VideoMate\SEAUBAT.BAT"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Program Files (x86)\VideoMate\REGSVR32.EXE
    regsvr32 /s C:\Windows\system32\csXImage.ocx
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VideoMate\REGSVR32.EXE

Filesize
36KB

MD5
7b194f51f6b52233c33a7d0d88a91581

SHA1
459dc713fd52197d025fb7b4b4833ed5dca73a87

SHA256
7c05339da12624396d9911263dc7c993fc2e757e130009465a511045bf06d344

SHA512
dd835fa6d8f57159ff045bc3c89d1eea965411a34f1a8d0232ed58a1fde885cb3e489fdd01d2bf31aec606130a6b6dc6e3e7602ecb852326dc293604793504cc

Download Submit
C:\Program Files (x86)\VideoMate\SEAUBAT.BAT

Filesize
1KB

MD5
ef1d7b958e234c6c66344583fde85f42

SHA1
4096b0424ce310d7c7ccb772d820c3bc923ff12b

SHA256
e54194485172c53ac70c70f7f503073a576999194d0533260da3e4e999a848a6

SHA512
b2915d28ad3a06de31fda0f99ae0d2001fd0bc9247f26330f36f19f7df6df50ece375326b71eaf3b862344777ce82042ad9954f53b587fa1221d384519ed7ad4

Download Submit
C:\Program Files (x86)\VideoMate\VideoMate.exe

Filesize
2.8MB

MD5
b12fdb36bff1e4d417d5d08661c1b213

SHA1
9c08083d8063496cc6f65f2fe84acacf425708f4

SHA256
0c791c2d9aec829a1d03ba22a25dba7bc1b2142af7ad1d71a559f1414ec2b0d2

SHA512
75ab6ea6c5d132a526caf609a5a334b30cdeebf1ed6f5f071407da9151234332fd60a5f16dc68bcabaa281450ed61f5f439aa702c28c0602fdc1abe75de6ad58

Download Submit
C:\Windows\SysWOW64\csXImage.ocx

Filesize
1.0MB

MD5
f2b0aac9a81abb474e76c3dcc4fb1764

SHA1
eadea7c278ee7f88c4e7f8d38dd95da5976ac9ea

SHA256
e56755170f3b3c7610e93b56930dbe78b9a782583cb4da95930b626bc799e524

SHA512
101388e3df9fd86094330466c32cc3f0c1d55c211744344c71c8ff884ab4386d0339e8b4b77883efb15110cfab5e90d82d8cdb5e2533dd86eefef02c8f76de86

Download Submit
memory/4816-0-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/4816-1-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/4816-75-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/4912-73-0x0000000002420000-0x000000000252A000-memory.dmp

Filesize
1.0MB

Download