Analysis

  • max time kernel
    1326s
  • max time network
    1151s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    20/11/2024, 13:42

General

  • Target

    nanusitaaa_1731918784_musicaldown.com[HD].mp4

  • Size

    17.4MB

  • MD5

    75e0c21eb7d05228860b8c0d04b6d3fa

  • SHA1

    6a74b505e88b56a16965b97124b54c0a68fbaf11

  • SHA256

    1b29e2ff0d739dc8ea3e5bb2308f543ec86d9bcc6ccdb49b3990410c247a01b6

  • SHA512

    fec9ade04361c03b6240f73085afb5043a9d91421e20984d594e317db9707121f58adfdb0e4c7f101bcdc50abf1bc7248bac013f467afc89d6e8aba8b62fc606

  • SSDEEP

    393216:ILAzv6TfocGDoWueOm8IKCyA2rYWNQzXZd3MMkbbOYRT64P6Qi:IEeTfocGDo8OmtKy2rYWNGJZMRbOD4PY

Score
6/10

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 23 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 60 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs

Processes

  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\nanusitaaa_1731918784_musicaldown.com[HD].mp4"
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3064
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x454 0x4a8
    • Suspicious use of AdjustPrivilegeToken
    PID:1500
  • C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\diskmgmt.msc"
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2660
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    PID:1396
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      • Writes to the Master Boot Record (MBR)
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      PID:4296

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

    Filesize

    122B

    MD5

    4ad6014843a967b6c3364d12540eefba

    SHA1

    38a4f72c0d4a5657f995c91f7e08cc59d299b9b9

    SHA256

    29c87c898507daa01f3b014748891ef802a5bcd23b2eb5c8da88c576bba80f3a

    SHA512

    697d822202090257fbd10b560223c76bf9f78707d039575c5d70415142ff615cd07e95f359aa1751e4728cd6baccfaaedae74fdb7b2ec1c28cccca5c7d49984e

  • memory/3064-7-0x00007FFCD8D20000-0x00007FFCD8FD6000-memory.dmp

    Filesize

    2.7MB

  • memory/3064-21-0x00007FFCD6120000-0x00007FFCD6131000-memory.dmp

    Filesize

    68KB

  • memory/3064-14-0x00007FFCD9660000-0x00007FFCD9671000-memory.dmp

    Filesize

    68KB

  • memory/3064-15-0x00007FFCD26F0000-0x00007FFCD28FB000-memory.dmp

    Filesize

    2.0MB

  • memory/3064-12-0x00007FFCD9900000-0x00007FFCD9911000-memory.dmp

    Filesize

    68KB

  • memory/3064-11-0x00007FFCD9BE0000-0x00007FFCD9BF7000-memory.dmp

    Filesize

    92KB

  • memory/3064-10-0x00007FFCD9D00000-0x00007FFCD9D11000-memory.dmp

    Filesize

    68KB

  • memory/3064-9-0x00007FFCDF8D0000-0x00007FFCDF8E7000-memory.dmp

    Filesize

    92KB

  • memory/3064-8-0x00007FFCDF9D0000-0x00007FFCDF9E8000-memory.dmp

    Filesize

    96KB

  • memory/3064-20-0x00007FFCD6190000-0x00007FFCD61A1000-memory.dmp

    Filesize

    68KB

  • memory/3064-13-0x00007FFCD9680000-0x00007FFCD969D000-memory.dmp

    Filesize

    116KB

  • memory/3064-22-0x00007FFCD6100000-0x00007FFCD6111000-memory.dmp

    Filesize

    68KB

  • memory/3064-6-0x00007FFCD9920000-0x00007FFCD9954000-memory.dmp

    Filesize

    208KB

  • memory/3064-19-0x00007FFCD9120000-0x00007FFCD9138000-memory.dmp

    Filesize

    96KB

  • memory/3064-18-0x00007FFCD9630000-0x00007FFCD9651000-memory.dmp

    Filesize

    132KB

  • memory/3064-16-0x00007FFCC9220000-0x00007FFCCA2D0000-memory.dmp

    Filesize

    16.7MB

  • memory/3064-17-0x00007FFCD26A0000-0x00007FFCD26E1000-memory.dmp

    Filesize

    260KB

  • memory/3064-25-0x00007FFCD8D20000-0x00007FFCD8FD6000-memory.dmp

    Filesize

    2.7MB

  • memory/3064-43-0x00007FFCD8D20000-0x00007FFCD8FD6000-memory.dmp

    Filesize

    2.7MB

  • memory/3064-52-0x00007FFCC9220000-0x00007FFCCA2D0000-memory.dmp

    Filesize

    16.7MB

  • memory/3064-61-0x00007FFCD8D20000-0x00007FFCD8FD6000-memory.dmp

    Filesize

    2.7MB

  • memory/3064-5-0x00007FF67B150000-0x00007FF67B248000-memory.dmp

    Filesize

    992KB