3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795

General

Target

3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.exe
Size

5.9MB
MD5

91f82073340ac34ef9b50f774ffed5e0
SHA1

08d197aaafe45195af072cfc971b5f8d5d4d6b45
SHA256

3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795
SHA512

b3f9b886b09b2567948056bdcb5eb66e5ddaa225c71a243f1df40c446f1de290a3df5e4d767b76dc14b4accb1fca976db30b242fa1c14e8805f2bae91f2d8729
SSDEEP

98304:1OBuXm0l1eiR8ZFIA7wc2fLIeNkdITUomLxl4Ax1cRXsgkajBcxaAY6/msA96:gBhiqL/2T1NkdYUo2jV7c8Ic0AYp96

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4056	3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.tmp
4232	totalvideoconverter32_64.exe

Loads dropped DLL 1 IoCs

pid	Process
4056	3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 11 IoCs

pid	pid_target	Process	procid_target
2804	4232	WerFault.exe	90
540	4232	WerFault.exe	90
2436	4232	WerFault.exe	90
3516	4232	WerFault.exe	90
4248	4232	WerFault.exe	90
4376	4232	WerFault.exe	90
4524	4232	WerFault.exe	90
3796	4232	WerFault.exe	90
4944	4232	WerFault.exe	90
5064	4232	WerFault.exe	90
3016	4232	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	totalvideoconverter32_64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4232	totalvideoconverter32_64.exe
4232	totalvideoconverter32_64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4056	3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 4056	4832	3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.exe	85
PID 4832 wrote to memory of 4056	4832	3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.exe	85
PID 4832 wrote to memory of 4056	4832	3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.exe	85
PID 4056 wrote to memory of 3040	4056	3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.tmp	88
PID 4056 wrote to memory of 3040	4056	3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.tmp	88
PID 4056 wrote to memory of 3040	4056	3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.tmp	88
PID 4056 wrote to memory of 4232	4056	3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.tmp	90
PID 4056 wrote to memory of 4232	4056	3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.tmp	90
PID 4056 wrote to memory of 4232	4056	3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.tmp	90

C:\Users\Admin\AppData\Local\Temp\3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.exe
"C:\Users\Admin\AppData\Local\Temp\3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\is-UNN7Q.tmp\3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UNN7Q.tmp\3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.tmp" /SL5="$60168,5915155,54272,C:\Users\Admin\AppData\Local\Temp\3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "total_video_converter_1123"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3040
- - C:\Users\Admin\AppData\Local\Total Video Converter 1.1.27\totalvideoconverter32_64.exe
    "C:\Users\Admin\AppData\Local\Total Video Converter 1.1.27\totalvideoconverter32_64.exe" 7970cf25e409a6a9abf86d9cdf41a0ee
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 852
      4⤵
      Program crash
      PID:2804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 860
      4⤵
      Program crash
      PID:540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 972
      4⤵
      Program crash
      PID:2436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1052
      4⤵
      Program crash
      PID:3516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1060
      4⤵
      Program crash
      PID:4248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1148
      4⤵
      Program crash
      PID:4376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1192
      4⤵
      Program crash
      PID:4524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1296
      4⤵
      Program crash
      PID:3796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1304
      4⤵
      Program crash
      PID:4944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 976
      4⤵
      Program crash
      PID:5064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 896
      4⤵
      Program crash
      PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4232 -ip 4232
1⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4232 -ip 4232
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4232 -ip 4232
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4232 -ip 4232
1⤵
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4232 -ip 4232
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4232 -ip 4232
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4232 -ip 4232
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4232 -ip 4232
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4232 -ip 4232
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4232 -ip 4232
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4232 -ip 4232
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-AQRAV.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UNN7Q.tmp\3e6f8a84da396129be22f55befaa8d2e335ce43088ff8ef7bec72fe923a70795N.tmp

Filesize
687KB

MD5
796bf4699b2d43c82199b77434c77e4a

SHA1
7e03f58a734f360fc363a7014d9f68fec42a5477

SHA256
82b20290ef85e59db5d57cf133a63b29d9d650e5b0d507137361b90738355f66

SHA512
a8d030ee4bf38a42979675f53d50283ba136a8ce132a4bef3661030c658b1da3b362667ba2713296a92d36227affa9c0dd06643ae4084d63f1285a8d88af019a

Download Submit
C:\Users\Admin\AppData\Local\Total Video Converter 1.1.27\History_en.txt

Filesize
6KB

MD5
2d34a487e4840f11cc319d057498df21

SHA1
aa419328d35bc756afbd0c6ac36914679ec6b5fa

SHA256
4d927e11ec2fc5ecdb6caf019ce91261a7dd27ec585e20ab246be9fe45920ad5

SHA512
3faabab256178fbb574f4ee87a18280841daafa771f4da686d1e61b42a42451fe2dd6df6e56e8af26c3e4d287bda1254ba4c1936e97f166b10ea21650b166acc

Download Submit
C:\Users\Admin\AppData\Local\Total Video Converter 1.1.27\is-21D5N.tmp

Filesize
4KB

MD5
e9a1f3c21950ce9812b450380576f88f

SHA1
25b7d981ba3b4446b23822e9214528bc47c9937e

SHA256
119f89510381b8cdd075d24599e0a5617ec504b908e8c2229ea5f0368f312d8f

SHA512
d12e93cd84473f3db8895323d3269ee8fee8b901aef5334ecd13a5acd018b3cb18280aefca1919a80cdce58efac597f4c08d3257939fbbb1a731341ca6b9906a

Download Submit
C:\Users\Admin\AppData\Local\Total Video Converter 1.1.27\is-OFOO0.tmp

Filesize
896B

MD5
db16c19ae6abbfb6b6ee063a68c9769e

SHA1
89f2a20eaa7d18ec19e5f8112669a59331b69e44

SHA256
2084d6e39482adc7ba6e50ce80102e8b3682638beefebcb56b6c1a640561335e

SHA512
5c7be9f4d4c20a254a9253f4fda6865a72bd80be08c803890b4540f93cd8139d52f5a2dbdf831350f999f739edeadcc2facaede5b8b62a12d15406b23b9106cb

Download Submit
C:\Users\Admin\AppData\Local\Total Video Converter 1.1.27\totalvideoconverter32_64.exe

Filesize
4.7MB

MD5
3c2257967b822102b87849079427f811

SHA1
5f1299714ad6d5d06c1cc5b90aa4f16d4063ec20

SHA256
eb3f89a4c9975aa21f123f241f56cce1b89968e8c00288375cc3a38efe1d8871

SHA512
3c972d8c7d92145ca8d704b4a593c17fd144c950cf1f75193df9412d1af1e04c02f1cb3d7ff531ba95385f5a14d85a8fe2f20dd1fd9b95aaf95700fe3e19e477

Download Submit
memory/4056-7-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4056-183-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4232-179-0x0000000000400000-0x0000000000CB3000-memory.dmp

Filesize
8.7MB

Download
memory/4232-180-0x0000000000400000-0x0000000000CB3000-memory.dmp

Filesize
8.7MB

Download
memory/4232-181-0x0000000000400000-0x0000000000CB3000-memory.dmp

Filesize
8.7MB

Download
memory/4232-184-0x0000000000400000-0x0000000000CB3000-memory.dmp

Filesize
8.7MB

Download
memory/4232-185-0x0000000000400000-0x0000000000CB3000-memory.dmp

Filesize
8.7MB

Download
memory/4232-188-0x0000000000400000-0x0000000000CB3000-memory.dmp

Filesize
8.7MB

Download
memory/4832-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4832-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4832-182-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing