f6a83e6ed8bf92b8ff4da0aba72fe354199ec79a99008b34800e4cfdb92d3a67

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VideoCodeCX.exe
Size

2.0MB
MD5

0701e045db5d20c93427b4bb452bc341
SHA1

6be9df576ebfed1b2a0b14f2352dceaa36a10c79
SHA256

22b1af46ce7b3db0ec037026e035b0b09a6c791e5fb5fcb5e6ee3ef8d276abe1
SHA512

40a542dbd44eab6c2f8f6631487be2065692489040632916aaee2d7f24810e4844291b1e6a0e5884362a7ebc534a03a44103465cd1266439107fc5c070c50dfb
SSDEEP

49152:EkAG2QGTC5xvMdgpdb1KRzGepUu2cGbq7oc+tuNAn:EkAjQGTCnvMmpEQqUPn

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Video CodeC X\\Video CodeC X\\bsoderror.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Video CodeC X\\Video CodeC X\\bsoderror.exe"	msiexec.exe

Loads dropped DLL 15 IoCs

Processes:

VideoCodeCX.exeMsiExec.exeMsiExec.exe

pid	process
1528	VideoCodeCX.exe
1528	VideoCodeCX.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
2736	MsiExec.exe
832	MsiExec.exe
2736	MsiExec.exe
1528	VideoCodeCX.exe
2736	MsiExec.exe

Blocklisted process makes network request 1 IoCs

Processes:

MsiExec.exe

flow pid process

5 2736 MsiExec.exe

flow	pid	process
5	2736	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exeVideoCodeCX.exe

description	ioc	process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	VideoCodeCX.exe
File opened (read-only)	\??\Y:	VideoCodeCX.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	VideoCodeCX.exe
File opened (read-only)	\??\W:	VideoCodeCX.exe
File opened (read-only)	\??\T:	VideoCodeCX.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	VideoCodeCX.exe
File opened (read-only)	\??\I:	VideoCodeCX.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	VideoCodeCX.exe
File opened (read-only)	\??\Z:	VideoCodeCX.exe
File opened (read-only)	\??\O:	VideoCodeCX.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	VideoCodeCX.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	VideoCodeCX.exe
File opened (read-only)	\??\M:	VideoCodeCX.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	VideoCodeCX.exe
File opened (read-only)	\??\S:	VideoCodeCX.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	VideoCodeCX.exe
File opened (read-only)	\??\V:	VideoCodeCX.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	VideoCodeCX.exe
File opened (read-only)	\??\L:	VideoCodeCX.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\X:	VideoCodeCX.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	VideoCodeCX.exe
File opened (read-only)	\??\P:	VideoCodeCX.exe

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File created C:\Program Files (x86)\Video CodeC X\Video CodeC X\bsoderror.exe msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Video CodeC X\Video CodeC X\bsoderror.exe	msiexec.exe

Drops file in Windows directory 22 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f768d51.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E3B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{E0D1DECF-00EC-4661-8C58-C5079F1CBFAF}\_itunes.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8FC5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9247.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9307.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F66.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F86.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9053.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9258.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9278.tmp	msiexec.exe
File created	C:\Windows\Tasks\you to.job	MsiExec.exe
File opened for modification	C:\Windows\Installer\{E0D1DECF-00EC-4661-8C58-C5079F1CBFAF}\_itunes.exe	msiexec.exe
File created	C:\Windows\Installer\f768d56.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f768d54.ipi	msiexec.exe
File created	C:\Windows\Installer\f768d51.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8EB9.tmp	msiexec.exe
File created	C:\Windows\Installer\f768d54.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9298.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI951B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI95C8.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

VideoCodeCX.exemsiexec.exeMsiExec.exeMsiExec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VideoCodeCX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3E0321A03BE396449BC7FFF3E123BAC2\FCED1D0ECE001664C8855C70F9C1FBFA	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Video CodeC X\\Video CodeC X 2.0.0.0\\install\\F1CBFAF\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FCED1D0ECE001664C8855C70F9C1FBFA\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\Version = "33554432"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3E0321A03BE396449BC7FFF3E123BAC2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Video CodeC X\\Video CodeC X 2.0.0.0\\install\\F1CBFAF\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FCED1D0ECE001664C8855C70F9C1FBFA	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\ProductName = "Video CodeC X"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\ProductIcon = "C:\\Windows\\Installer\\{E0D1DECF-00EC-4661-8C58-C5079F1CBFAF}\\_itunes.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\PackageCode = "6363F740F6E08EF4E84656D164D38A57"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\PackageName = "Video CodeC X.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FCED1D0ECE001664C8855C70F9C1FBFA\InstanceType = "0"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2344 msiexec.exe
2344 msiexec.exe

pid	process
2344	msiexec.exe
2344	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeVideoCodeCX.exemsiexec.exe

description	pid	process
Token: SeRestorePrivilege	2344	msiexec.exe
Token: SeTakeOwnershipPrivilege	2344	msiexec.exe
Token: SeSecurityPrivilege	2344	msiexec.exe
Token: SeCreateTokenPrivilege	1528	VideoCodeCX.exe
Token: SeAssignPrimaryTokenPrivilege	1528	VideoCodeCX.exe
Token: SeLockMemoryPrivilege	1528	VideoCodeCX.exe
Token: SeIncreaseQuotaPrivilege	1528	VideoCodeCX.exe
Token: SeMachineAccountPrivilege	1528	VideoCodeCX.exe
Token: SeTcbPrivilege	1528	VideoCodeCX.exe
Token: SeSecurityPrivilege	1528	VideoCodeCX.exe
Token: SeTakeOwnershipPrivilege	1528	VideoCodeCX.exe
Token: SeLoadDriverPrivilege	1528	VideoCodeCX.exe
Token: SeSystemProfilePrivilege	1528	VideoCodeCX.exe
Token: SeSystemtimePrivilege	1528	VideoCodeCX.exe
Token: SeProfSingleProcessPrivilege	1528	VideoCodeCX.exe
Token: SeIncBasePriorityPrivilege	1528	VideoCodeCX.exe
Token: SeCreatePagefilePrivilege	1528	VideoCodeCX.exe
Token: SeCreatePermanentPrivilege	1528	VideoCodeCX.exe
Token: SeBackupPrivilege	1528	VideoCodeCX.exe
Token: SeRestorePrivilege	1528	VideoCodeCX.exe
Token: SeShutdownPrivilege	1528	VideoCodeCX.exe
Token: SeDebugPrivilege	1528	VideoCodeCX.exe
Token: SeAuditPrivilege	1528	VideoCodeCX.exe
Token: SeSystemEnvironmentPrivilege	1528	VideoCodeCX.exe
Token: SeChangeNotifyPrivilege	1528	VideoCodeCX.exe
Token: SeRemoteShutdownPrivilege	1528	VideoCodeCX.exe
Token: SeUndockPrivilege	1528	VideoCodeCX.exe
Token: SeSyncAgentPrivilege	1528	VideoCodeCX.exe
Token: SeEnableDelegationPrivilege	1528	VideoCodeCX.exe
Token: SeManageVolumePrivilege	1528	VideoCodeCX.exe
Token: SeImpersonatePrivilege	1528	VideoCodeCX.exe
Token: SeCreateGlobalPrivilege	1528	VideoCodeCX.exe
Token: SeShutdownPrivilege	2060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2060	msiexec.exe
Token: SeCreateTokenPrivilege	2060	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2060	msiexec.exe
Token: SeLockMemoryPrivilege	2060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2060	msiexec.exe
Token: SeMachineAccountPrivilege	2060	msiexec.exe
Token: SeTcbPrivilege	2060	msiexec.exe
Token: SeSecurityPrivilege	2060	msiexec.exe
Token: SeTakeOwnershipPrivilege	2060	msiexec.exe
Token: SeLoadDriverPrivilege	2060	msiexec.exe
Token: SeSystemProfilePrivilege	2060	msiexec.exe
Token: SeSystemtimePrivilege	2060	msiexec.exe
Token: SeProfSingleProcessPrivilege	2060	msiexec.exe
Token: SeIncBasePriorityPrivilege	2060	msiexec.exe
Token: SeCreatePagefilePrivilege	2060	msiexec.exe
Token: SeCreatePermanentPrivilege	2060	msiexec.exe
Token: SeBackupPrivilege	2060	msiexec.exe
Token: SeRestorePrivilege	2060	msiexec.exe
Token: SeShutdownPrivilege	2060	msiexec.exe
Token: SeDebugPrivilege	2060	msiexec.exe
Token: SeAuditPrivilege	2060	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2060	msiexec.exe
Token: SeChangeNotifyPrivilege	2060	msiexec.exe
Token: SeRemoteShutdownPrivilege	2060	msiexec.exe
Token: SeUndockPrivilege	2060	msiexec.exe
Token: SeSyncAgentPrivilege	2060	msiexec.exe
Token: SeEnableDelegationPrivilege	2060	msiexec.exe
Token: SeManageVolumePrivilege	2060	msiexec.exe
Token: SeImpersonatePrivilege	2060	msiexec.exe
Token: SeCreateGlobalPrivilege	2060	msiexec.exe
Token: SeRestorePrivilege	2344	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2060 msiexec.exe
2060 msiexec.exe

pid	process
2060	msiexec.exe
2060	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

VideoCodeCX.exemsiexec.exe

description	pid	process	target process
PID 1528 wrote to memory of 2060	1528	VideoCodeCX.exe	msiexec.exe
PID 1528 wrote to memory of 2060	1528	VideoCodeCX.exe	msiexec.exe
PID 1528 wrote to memory of 2060	1528	VideoCodeCX.exe	msiexec.exe
PID 1528 wrote to memory of 2060	1528	VideoCodeCX.exe	msiexec.exe
PID 1528 wrote to memory of 2060	1528	VideoCodeCX.exe	msiexec.exe
PID 1528 wrote to memory of 2060	1528	VideoCodeCX.exe	msiexec.exe
PID 1528 wrote to memory of 2060	1528	VideoCodeCX.exe	msiexec.exe
PID 2344 wrote to memory of 2736	2344	msiexec.exe	MsiExec.exe
PID 2344 wrote to memory of 2736	2344	msiexec.exe	MsiExec.exe
PID 2344 wrote to memory of 2736	2344	msiexec.exe	MsiExec.exe
PID 2344 wrote to memory of 2736	2344	msiexec.exe	MsiExec.exe
PID 2344 wrote to memory of 2736	2344	msiexec.exe	MsiExec.exe
PID 2344 wrote to memory of 2736	2344	msiexec.exe	MsiExec.exe
PID 2344 wrote to memory of 2736	2344	msiexec.exe	MsiExec.exe
PID 2344 wrote to memory of 832	2344	msiexec.exe	MsiExec.exe
PID 2344 wrote to memory of 832	2344	msiexec.exe	MsiExec.exe
PID 2344 wrote to memory of 832	2344	msiexec.exe	MsiExec.exe
PID 2344 wrote to memory of 832	2344	msiexec.exe	MsiExec.exe
PID 2344 wrote to memory of 832	2344	msiexec.exe	MsiExec.exe
PID 2344 wrote to memory of 832	2344	msiexec.exe	MsiExec.exe
PID 2344 wrote to memory of 832	2344	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe
"C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Video CodeC X\Video CodeC X 2.0.0.0\install\F1CBFAF\Video CodeC X.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2060

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7DF1D9D089BAE9E90FF55E188EAD29A3
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2736
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 565343633CA1C003CF865C20B7F47151 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f768d55.rbs

Filesize
106KB

MD5
fe3c2e17c9ea836b69c2eb83555bdde3

SHA1
d4a8084f2615254fff2685df676fcc53a91fe892

SHA256
3a99977052a44bd16480b75dff3956cb105d65f0f4026f45496d1cb189ad6647

SHA512
3be2aee436108b4e6282115c5753945676036d27da1c5eb24b9e283508aeffd573587c7b10eaffee4b64a7c6179ff553271bb50bdd68ed5893d17dd6f34b60b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\tracking.ini

Filesize
84B

MD5
7add17ef973dc6ad6b6f4a19fe93093a

SHA1
d81ace63150fe9bc50e3cd1a98358f1df3ecd29f

SHA256
c8a22e088b227d2d01ad24ebb42f7653279dcad1a3c59d86e337da869ebb52c7

SHA512
cd97cfada6af080581633da7a1d3e711f7b6070c9e549cf94b747ffce5257e8fdb2a645140a6b8436df2bf98ee0634013723a13678f99710ad8994e03f959251

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\tracking.ini

Filesize
84B

MD5
8a72d00dd9db28a2bc6c8d2349d32539

SHA1
cfa37420d2b47146d5388ec05cc287eb8030716e

SHA256
83e46c77e4166057889ced1c0571266adf19e609c5c0f44a1a062193bb1675f7

SHA512
382e5f466c0df76c9b09658f3e8388a10daa618ab0b03dc34869bcf331d07d9b304771b9378c9151805fb36985ec1179c31293ab073eb2628461754c30a7b157

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\{B429C546-F220-408A-957B-8A0EED0319CF}.session

Filesize
4KB

MD5
1e44a0c95ef001dde43bdee9ce20e6c5

SHA1
2da0bf013e0ece2fb32e33a35ad0d418013ccd17

SHA256
39ca4c1e57c0f1234e26516397fe96e9303524cde92f3e7411eb06953575632c

SHA512
c70f8f86060f2560536c26e9b145f8b880ab92e8daf71f585633c5947a6d47788125f5a0ef2cc212c754cb3c1bb55daf84892078cb07be06e776619378829d49

Download Submit
C:\Users\Admin\AppData\Roaming\Video CodeC X\Video CodeC X 2.0.0.0\install\F1CBFAF\Video CodeC X.msi

Filesize
1.1MB

MD5
5a62fc6cb914c167550b337e86e8a933

SHA1
7a6bf8f179aed33057a694966b45a7928f1698b7

SHA256
f32c666abd8d50bce93391840de7c8d9969b75d42aea3bee61d68be411e3ffe3

SHA512
6a64db837e86eed6b2227b6e3df35a1f9f761cac890ea1475a1c42ec4c511bd3a622737ccfd133a5682c0ca226d046dfb60140c7001be40c574e41f10df396b9

Download Submit
C:\Users\Admin\AppData\Roaming\Video CodeC X\Video CodeC X 2.0.0.0\install\F1CBFAF\bsoderror.exe

Filesize
84KB

MD5
ea3ad4540a9411f051d52788dde2cb53

SHA1
641e87b35a4d31d41a1bb842190e6cd830ddea63

SHA256
3b5d9aadfdb9c1257ef84e33cdad67cd818334ec8fd40e0968b8b71e2a0eef95

SHA512
2f39c3caaf28b2ca592f6268ae0750fa36ecf9eeceaf3a1846162914129a794c0c0224cc7e6c6e55cc2f0b65a18d3e2c1c9bc86252799635e22f4c50ce196c33

Download Submit
C:\Windows\Installer\MSI8E3B.tmp

Filesize
180KB

MD5
d552dd4108b5665d306b4a8bd6083dde

SHA1
dae55ccba7adb6690b27fa9623eeeed7a57f8da1

SHA256
a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5

SHA512
e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969

Download Submit
C:\Windows\Installer\MSI8F66.tmp

Filesize
88KB

MD5
4083cb0f45a747d8e8ab0d3e060616f2

SHA1
dcec8efa7a15fa432af2ea0445c4b346fef2a4d6

SHA256
252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a

SHA512
26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133

Download Submit
C:\Windows\Installer\MSI9258.tmp

Filesize
96KB

MD5
3cab78d0dc84883be2335788d387601e

SHA1
14745df9595f190008c7e5c190660361f998d824

SHA256
604e79fe970c5ed044517a9a35e4690ea6f7d959d21173ebef45cdd3d3a22bdd

SHA512
df6b49f2b5cddebd7e23e81b0f89e4883fc12d95735a9b3f84d2f402f4996c54b5fdea8adb9eaa98e8c973b089656d18d6b322bd71cb42d7807f7fa8a7348820

Download Submit
C:\Windows\Installer\MSI9278.tmp

Filesize
128KB

MD5
7e6b88f7bb59ec4573711255f60656b5

SHA1
5e7a159825a2d2cb263a161e247e9db93454d4f6

SHA256
59ff5bc12b155cc2e666bd8bc34195c3750eb742542374fc5e53fb22d11e862f

SHA512
294a379c99403f928d476e04668717cdabc7dc3e33bcf6bcad5c3d93d4268971811ff7303aa5b4b2ed2b59d59c8eba350a9a30888d4b5b3064708521ac21439c

Download Submit
C:\Windows\Installer\MSI9298.tmp

Filesize
312KB

MD5
aa82345a8f360804ea1d8d935f0377aa

SHA1
c09cf3b1666d9192fa524c801bb2e3542c0840e2

SHA256
9c155d4214cebda186647c035ada552963dcac8f88a6b38a23ea34f9ecd1d437

SHA512
c051a381d87ba933ea7929c899fb01af2207cb2462dcb2b55c28cff65596b27bdb05a48207624eeea40fddb85003133ad7af09ca93cfb2426c155daea5a9a6db

Download Submit
\Users\Admin\AppData\Roaming\Video CodeC X\Video CodeC X 2.0.0.0\install\decoder.dll

Filesize
126KB

MD5
3531cf7755b16d38d5e9e3c43280e7d2

SHA1
19981b17ae35b6e9a0007551e69d3e50aa1afffe

SHA256
76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089

SHA512
7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

Download Submit