Analysis
max time kernel: 1326s
max time network: 1151s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 20/11/2024, 13:42
Static task: static1
Behavioral task: behavioral1
  Sample: nanusitaaa_1731918784_musicaldown.com[HD].mp4
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: nanusitaaa_1731918784_musicaldown.com[HD].mp4
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: nanusitaaa_1731918784_musicaldown.com[HD].mp4
  Resource: win10ltsc2021-20241023-en
General
Target: nanusitaaa_1731918784_musicaldown.com[HD].mp4
Size: 17.4MB
MD5: 75e0c21eb7d05228860b8c0d04b6d3fa
SHA1: 6a74b505e88b56a16965b97124b54c0a68fbaf11
SHA256: 1b29e2ff0d739dc8ea3e5bb2308f543ec86d9bcc6ccdb49b3990410c247a01b6
SHA512: fec9ade04361c03b6240f73085afb5043a9d91421e20984d594e317db9707121f58adfdb0e4c7f101bcdc50abf1bc7248bac013f467afc89d6e8aba8b62fc606
SSDEEP: 393216:ILAzv6TfocGDoWueOm8IKCyA2rYWNQzXZd3MMkbbOYRT64P6Qi:IEeTfocGDo8OmtKy2rYWNGJZMRbOD4PY
Malware Config
Signatures
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | vds.exe

Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\diskmgmt.msc | mmc.exe

Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.dev.log | vds.exe
Checks SCSI registry key(s) 3 TTPs 23 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vds.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vds.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | vds.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\AttributesTableCache = a2a0d0ebe5b9334487c068b6b72699c70000000000000000 | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | vds.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000793d57937e559fd60000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000793d57930000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000010ed3f000000ffffffff000000000700010000680900793d5793000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000793d579300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000793d579300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | vds.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | vds.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
3064 | vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3064 | vlc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: 33 | 1500 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1500 | AUDIODG.EXE
Token: 33 | 3064 | vlc.exe
Token: SeIncBasePriorityPrivilege | 3064 | vlc.exe
Token: 33 | 2660 | mmc.exe
Token: SeIncBasePriorityPrivilege | 2660 | mmc.exe
Token: 33 | 2660 | mmc.exe
Token: SeIncBasePriorityPrivilege | 2660 | mmc.exe

Suspicious use of FindShellTrayWindow 60 IoCs
pid | Process
3064 | vlc.exe (60 identical entries)

Suspicious use of SendNotifyMessage 16 IoCs
pid | Process
3064 | vlc.exe (16 identical entries)

Suspicious use of SetWindowsHookEx 9 IoCs
pid | Process
3064 | vlc.exe (7 entries)
2660 | mmc.exe (2 entries)
Processes
- C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\nanusitaaa_1731918784_musicaldown.com[HD].mp4"
  PID: 3064
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x454 0x4a8
  PID: 1500
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\mmc.exe
  Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\diskmgmt.msc"
  PID: 2660
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 1396
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 4296
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 122B
MD5: 4ad6014843a967b6c3364d12540eefba
SHA1: 38a4f72c0d4a5657f995c91f7e08cc59d299b9b9
SHA256: 29c87c898507daa01f3b014748891ef802a5bcd23b2eb5c8da88c576bba80f3a
SHA512: 697d822202090257fbd10b560223c76bf9f78707d039575c5d70415142ff615cd07e95f359aa1751e4728cd6baccfaaedae74fdb7b2ec1c28cccca5c7d49984e