e0168825be4779091fb1035747eac2b9f685600a7e84dfc7dc3929c3a8017b2e

General

Target

entry_1_0/windows-movie-maker_ih-8Ta1.exe
Size

2.4MB
MD5

d8ad93ef2790aa264ab569f5ba8a67cb
SHA1

67b01f6a855b6c5def8863b0d2ef157a44762a28
SHA256

94375dbac8e6dfd152a3c3b9e33d1c6fc18d5f86e2b486124cc4f67dbef68ce6
SHA512

5fdc98ed246ada2f1db0335fed19eb72b776bf7075ebd3e0c4d16cdc448e285a9e63141c487e3c96297b876313ccc7ed135689ece9223e3d0d9526169e6d0d95
SSDEEP

49152:nBuZrEUJje0NQq5rISAGFncaWt+ugsv6fhcUiVoX:BkLxNNC7e9Wt+ugsv6fhcsX

Score

6^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1460	windows-movie-maker_ih-8Ta1.tmp

Loads dropped DLL 1 IoCs

pid	Process
1460	windows-movie-maker_ih-8Ta1.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows-movie-maker_ih-8Ta1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows-movie-maker_ih-8Ta1.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windows-movie-maker_ih-8Ta1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	windows-movie-maker_ih-8Ta1.tmp

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	50	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1460	windows-movie-maker_ih-8Ta1.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1460	windows-movie-maker_ih-8Ta1.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 1460	5036	windows-movie-maker_ih-8Ta1.exe	81
PID 5036 wrote to memory of 1460	5036	windows-movie-maker_ih-8Ta1.exe	81
PID 5036 wrote to memory of 1460	5036	windows-movie-maker_ih-8Ta1.exe	81

C:\Users\Admin\AppData\Local\Temp\entry_1_0\windows-movie-maker_ih-8Ta1.exe
"C:\Users\Admin\AppData\Local\Temp\entry_1_0\windows-movie-maker_ih-8Ta1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\is-UGE2G.tmp\windows-movie-maker_ih-8Ta1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UGE2G.tmp\windows-movie-maker_ih-8Ta1.tmp" /SL5="$C004E,1583351,832512,C:\Users\Admin\AppData\Local\Temp\entry_1_0\windows-movie-maker_ih-8Ta1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-H8BSP.tmp\Helper.dll

Filesize
2.0MB

MD5
4eb0347e66fa465f602e52c03e5c0b4b

SHA1
fdfedb72614d10766565b7f12ab87f1fdca3ea81

SHA256
c73e53cbb7b98feafe27cc7de8fdad51df438e2235e91891461c5123888f73cc

SHA512
4c909a451059628119f92b2f0c8bcd67b31f63b57d5339b6ce8fd930be5c9baf261339fdd9da820321be497df8889ce7594b7bfaadbaa43c694156651bf6c1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H8BSP.tmp\RAV_Cross.png

Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H8BSP.tmp\loader.gif

Filesize
10KB

MD5
12d7fd91a06cee2d0e76abe0485036ee

SHA1
2bf1f86cc5f66401876d4e0e68af8181da9366ac

SHA256
a6192b9a3fa5db9917aef72d651b7ad8fd8ccb9b53f3ad99d7c46701d00c78cb

SHA512
17ab033d3518bd6d567f7185a3f1185410669062d5ec0a0b046a3a9e8a82ee8f8adb90b806542c5892fc1c01dd3397ea485ebc86e4d398f754c40daf3c333edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H8BSP.tmp\mainlogo.png

Filesize
12KB

MD5
dd90682ef1b7d5890c8c5a3d3d65d3f0

SHA1
1297970e3d54afa50cb787ca76e211623f88a383

SHA256
42fea3730803d445b175774bd62a89112df551424e04755b0b8a5238153a6f77

SHA512
f828389557f4ea065c26cb18e47f8161ebabc8a5b824560531602adaa0c5c6c66b79ab3c932b933038d98316bdb6dcf2ffbb85ecb331ab94b7de63f28e58c3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UGE2G.tmp\windows-movie-maker_ih-8Ta1.tmp

Filesize
3.1MB

MD5
52263ba53784a017b4c47b092643dd24

SHA1
f12942694efc30db81b938702af1ebc5b8d68415

SHA256
30848b34a4fba4a601332f90a6f4327ef3c1c9f943dc35c764ee3aeaba412600

SHA512
754f8f18090297ee5815b48aa745feed2b54cd6fb555645a607ea42400b6149e4556be6403b927e848e595c07377585355e173ad7f52795112029ee4f6923e40

Download Submit
C:\Users\Admin\Downloads\windows-movie-maker.exe

Filesize
1.2MB

MD5
8423b539d6dcecf2d710c210f01d6c6a

SHA1
24bcef46ea3ed47158c72a753f6b1b6005468879

SHA256
7d9c68b11e45a763facc7577a51c8c00b7fb654b9ba044deb223e7140a2efe50

SHA512
4db21d0f283e3539c649f6eda114f48a5aaddf32b483bdccfeb5d00859c58b94d4153ea4bce92f39cd26d6042cd3ceccebc74e3ae2a8482eeb975459f9684b02

Download Submit
memory/1460-36-0x0000000004C50000-0x0000000004D90000-memory.dmp

Filesize
1.2MB

Download
memory/1460-29-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1460-32-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1460-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1460-37-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1460-38-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1460-28-0x0000000004C50000-0x0000000004D90000-memory.dmp

Filesize
1.2MB

Download
memory/1460-66-0x0000000004C50000-0x0000000004D90000-memory.dmp

Filesize
1.2MB

Download
memory/1460-68-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/5036-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5036-31-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5036-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing