1abfdb5104c7be93820e74b6c0771bb2d20a54287a82d4f762b90604d3e614c5

General

Target

video-studio-express_full713.exe
Size

17.0MB
MD5

0b3a13df927d3371894c50cc229e13e3
SHA1

46418cfc75c46515d1a4983ebedac3d4b74402ee
SHA256

e28d011ec78a26f61555c09cb880c0ef2206225ab295aa8c2ffe7ba2cb80bb82
SHA512

0c0b373e5329392c7834c55b4d58db591ee945aa841ece21f07e18e0580897812a8c01672f696322e315ba462c35107db440233ea301f09932cacf8fb0c6d15d
SSDEEP

393216:fDPg9oksJT3HuBWA0wugnRcF8zispNcgJncBMgEjgdsO/a32IBE2:frg9okYTO/0wRlvJ3gE8/a3O2

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2872	video-studio-express_full713.tmp

Loads dropped DLL 6 IoCs

pid	Process
2316	video-studio-express_full713.exe
2872	video-studio-express_full713.tmp
2872	video-studio-express_full713.tmp
2872	video-studio-express_full713.tmp
2872	video-studio-express_full713.tmp
2872	video-studio-express_full713.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	video-studio-express_full713.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	video-studio-express_full713.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2872	video-studio-express_full713.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2872	2316	video-studio-express_full713.exe	30
PID 2316 wrote to memory of 2872	2316	video-studio-express_full713.exe	30
PID 2316 wrote to memory of 2872	2316	video-studio-express_full713.exe	30
PID 2316 wrote to memory of 2872	2316	video-studio-express_full713.exe	30
PID 2316 wrote to memory of 2872	2316	video-studio-express_full713.exe	30
PID 2316 wrote to memory of 2872	2316	video-studio-express_full713.exe	30
PID 2316 wrote to memory of 2872	2316	video-studio-express_full713.exe	30

C:\Users\Admin\AppData\Local\Temp\video-studio-express_full713.exe
"C:\Users\Admin\AppData\Local\Temp\video-studio-express_full713.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\is-HHQR3.tmp\video-studio-express_full713.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HHQR3.tmp\video-studio-express_full713.tmp" /SL5="$400F4,17491637,72192,C:\Users\Admin\AppData\Local\Temp\video-studio-express_full713.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-HHQR3.tmp\video-studio-express_full713.tmp

Filesize
713KB

MD5
2a41302e7ef9489f9c5714e8329a8fd3

SHA1
7dfce6655278e88b395f1564a127e722d7212028

SHA256
53cfceb028a042c624a76d0d0de5c5d2ee047432937b0f3c6d8f3cb44bd551d4

SHA512
33500a7cb605189be628d78e44ea6a9dccb6fe33d73a77deaf09ae0a1c949aeec370520006fbb8b95ca9fe6cee82b87e3df06a307f3a019ba7eb85e17a70dead

Download Submit
\Users\Admin\AppData\Local\Temp\is-MV8SF.tmp\WS_AgentProcess.dll

Filesize
87KB

MD5
4cdc9d01c8f1dde88e20d4d13c685f07

SHA1
8f5cd373e27abcad0dcd5c6d2412a21c7b0f28c7

SHA256
886e9b9ff9168d8309819969a8d5e5f7db6c0f043877a8532d53fdfd1ff4a7a3

SHA512
9c563e25e0f71734ebac868e11c876d84fca71f9b04d489df4e17f571e312c33a008762b86a11c885c2210f295283efd2736c3a144d943763113a00e789dd70e

Download Submit
\Users\Admin\AppData\Local\Temp\is-MV8SF.tmp\WS_Log.dll

Filesize
169KB

MD5
bb7fcfea7547a528e618048068733de6

SHA1
805dd86082161d0140521bb4e3088af1cb5e6e0d

SHA256
570ead400d1803ff2ade7a1db57705e342499e5137e0cad9a745d0b8430b3784

SHA512
1401603e2134133e6ea00c019b2ee57e6062f0cd24d23f768aa1b0377ad5c33b350ddab1fa91c4af104753ec71ee1557f70490f1efcc9217bbd922b09f1b6d8b

Download Submit
\Users\Admin\AppData\Local\Temp\is-MV8SF.tmp\WS_SaleProcess.dll

Filesize
389KB

MD5
63bdadb8335989b97c815c1500521db5

SHA1
77f2974135858c0b9696b67a41c4275329027f2e

SHA256
018f0b9cd9a4c6cab3ba3337a3a3a1ee2e2bc173c9991ef9f56664b33eca0a91

SHA512
e4bcc65a3e31c9144c0b07b4c772890cbf48d49372ff1c50bba61f432e998835627cf0f3e808574244a411b9d8416b718ddd5babeb8091f1eeff90f574a881df

Download Submit
\Users\Admin\AppData\Local\Temp\is-MV8SF.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2316-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2316-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2316-28-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2872-11-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2872-22-0x00000000037A0000-0x000000000380A000-memory.dmp

Filesize
424KB

Download
memory/2872-26-0x0000000000660000-0x000000000067E000-memory.dmp

Filesize
120KB

Download
memory/2872-30-0x00000000037A0000-0x000000000380A000-memory.dmp

Filesize
424KB

Download
memory/2872-29-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2872-31-0x0000000000660000-0x000000000067E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing