Overview

overview

10

Static

static

10

VSNKLGuzoF...2).exe

windows7-x64

3

VSNKLGuzoF...2).exe

windows10-2004-x64

3

VSNKLGuzoF...5w.exe

windows7-x64

3

VSNKLGuzoF...5w.exe

windows10-2004-x64

3

VideoCodeCX.exe

windows7-x64

10

VideoCodeCX.exe

windows10-2004-x64

10

WcsPlugInS...ex.exe

windows7-x64

5

WcsPlugInS...ex.exe

windows10-2004-x64

7

WinLocker Builder.exe

windows7-x64

5

WinLocker Builder.exe

windows10-2004-x64

5

WinLocker_Builder.exe

windows7-x64

5

WinLocker_Builder.exe

windows10-2004-x64

5

_003E0000.exe.vir.exe

windows7-x64

9

_003E0000.exe.vir.exe

windows10-2004-x64

7

vmem02.exe

windows7-x64

3

vmem02.exe

windows10-2004-x64

3

w8i9eHkHOwWwQlX.exe

windows7-x64

3

w8i9eHkHOwWwQlX.exe

windows10-2004-x64

3

wpbt0.exe

windows7-x64

10

wpbt0.exe

windows10-2004-x64

10

xpiofrbtkzhr.exe

windows7-x64

xpiofrbtkzhr.exe

windows10-2004-x64

xxx_video (2).exe

windows7-x64

7

xxx_video (2).exe

windows10-2004-x64

7

xxx_video.exe

windows7-x64

5

xxx_video.exe

windows10-2004-x64

5

xxx_video_...vi.exe

windows7-x64

10

xxx_video_...vi.exe

windows10-2004-x64

5

xxx_video_...ir.exe

windows7-x64

10

xxx_video_...ir.exe

windows10-2004-x64

5

xxx_video_...ir.exe

windows7-x64

10

xxx_video_...ir.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 03:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VideoCodeCX.exe

  • Size

    2.0MB

  • MD5

    0701e045db5d20c93427b4bb452bc341

  • SHA1

    6be9df576ebfed1b2a0b14f2352dceaa36a10c79

  • SHA256

    22b1af46ce7b3db0ec037026e035b0b09a6c791e5fb5fcb5e6ee3ef8d276abe1

  • SHA512

    40a542dbd44eab6c2f8f6631487be2065692489040632916aaee2d7f24810e4844291b1e6a0e5884362a7ebc534a03a44103465cd1266439107fc5c070c50dfb

  • SSDEEP

    49152:EkAG2QGTC5xvMdgpdb1KRzGepUu2cGbq7oc+tuNAn:EkAjQGTCnvMmpEQqUPn

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Loads dropped DLL 16 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe
    "C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Video CodeC X\Video CodeC X 2.0.0.0\install\F1CBFAF\Video CodeC X.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\VideoCodeCX.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4540
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Modifies WinLogon for persistence
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 0BB8B8EB267849856B4B119C0B1B06B7
      2⤵
      • Loads dropped DLL
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:3668
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 89638F01A24B98B62329D46935105515 E Global\MSI0000
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e5f82f7.rbs
    Filesize

    107KB

    MD5

    9cac17273658439b3dc92b8a64ce417c

    SHA1

    768b13ea4dcfa4b436aebcfa1c1578bb4811b687

    SHA256

    5131f7ff9941787015cde7c71292b47a30652e092e274d7b9de8be296ba2f8b1

    SHA512

    7ceb234e45952698dc878eb38971670779b4928365cf11f31648474a66f704138ca3070b0f6016c1be04314edc99d6e46c29819e77cb40737ad75c28e5083a3b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\tracking.ini
    Filesize

    84B

    MD5

    4bba3dd86d894af26b3297b57b0b5f4c

    SHA1

    ce4754a670bb7d328aaa0e5413f092cbcf347974

    SHA256

    4d73987d5f3b0d7fd4ff4858aa36d560cbc4557cefa97cd0e01f5f89a100de31

    SHA512

    064b50c6335238e3efab5cb63579b8d96a97270c2eafc80c407caf79ffb1a279335b728e01096f3f6ef144d63d035dac4a26a53f429b7a0272a35cf887ddd13f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\tracking.ini
    Filesize

    84B

    MD5

    30be5764b3a04f2a4e2b33ccfb2dbea3

    SHA1

    5a724b3325e3dc5d66ab3b0e7c03b55f5184a741

    SHA256

    d1e026846532605cb1f9a1104389cde38a28860145accdba48ee6bcd5e9d2541

    SHA512

    ce22de370ca513301fab5f708878a651be5bc0f33a25c61a8cb3555e180c99932205af8c7561da438e23eec95033d0241c2aff69b857eb99de0dc37656319756

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\{478BFC75-0CD1-4B9B-BDB9-69ABE01EA334}.session
    Filesize

    5KB

    MD5

    8d22028b170b86ae5d0cd9a37894dfa5

    SHA1

    3378a6884868c07bbb89795b2e64cf2e0e3f6636

    SHA256

    2e16465352cd5d711625963250d19eb29f61af0fea7afc82e4a985ae2e269aa1

    SHA512

    d71e0d8ada53de2fa4ec4f9b92b3d22d2b1e7e95eead48b7e46c8c27561962e449e90a2e56aee3efbba659c6bdf04b8ce04b60eac47d5b17002bfe2257598a32

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\{478BFC75-0CD1-4B9B-BDB9-69ABE01EA334}.session
    Filesize

    3KB

    MD5

    bdf62265f7e837a1ba38416b3a92ad57

    SHA1

    1d2dcb75d756225bbb78445e94fee31a3bf9c188

    SHA256

    a1ad239b9cac3d85badc0d277fa01a6938b36166b3d9e691ece41552118c7838

    SHA512

    0733176280b17b49ed1de8b2ddb4e5d9586ec308ef526b50b1e2beb767a846f2fbbc7bb442f2273cd2c6d9af47f85a3dee6bfb3384e942e4aadc1ef2465b2c7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Video CodeC X\2.0.0.0\{478BFC75-0CD1-4B9B-BDB9-69ABE01EA334}.session
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Video CodeC X\Video CodeC X 2.0.0.0\install\F1CBFAF\Video CodeC X.msi
    Filesize

    1.1MB

    MD5

    5a62fc6cb914c167550b337e86e8a933

    SHA1

    7a6bf8f179aed33057a694966b45a7928f1698b7

    SHA256

    f32c666abd8d50bce93391840de7c8d9969b75d42aea3bee61d68be411e3ffe3

    SHA512

    6a64db837e86eed6b2227b6e3df35a1f9f761cac890ea1475a1c42ec4c511bd3a622737ccfd133a5682c0ca226d046dfb60140c7001be40c574e41f10df396b9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Video CodeC X\Video CodeC X 2.0.0.0\install\F1CBFAF\bsoderror.exe
    Filesize

    84KB

    MD5

    ea3ad4540a9411f051d52788dde2cb53

    SHA1

    641e87b35a4d31d41a1bb842190e6cd830ddea63

    SHA256

    3b5d9aadfdb9c1257ef84e33cdad67cd818334ec8fd40e0968b8b71e2a0eef95

    SHA512

    2f39c3caaf28b2ca592f6268ae0750fa36ecf9eeceaf3a1846162914129a794c0c0224cc7e6c6e55cc2f0b65a18d3e2c1c9bc86252799635e22f4c50ce196c33

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Video CodeC X\Video CodeC X 2.0.0.0\install\decoder.dll
    Filesize

    126KB

    MD5

    3531cf7755b16d38d5e9e3c43280e7d2

    SHA1

    19981b17ae35b6e9a0007551e69d3e50aa1afffe

    SHA256

    76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089

    SHA512

    7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

    Download Submit

  • C:\Windows\Installer\MSI83B0.tmp
    Filesize

    88KB

    MD5

    4083cb0f45a747d8e8ab0d3e060616f2

    SHA1

    dcec8efa7a15fa432af2ea0445c4b346fef2a4d6

    SHA256

    252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a

    SHA512

    26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133

    Download Submit

  • C:\Windows\Installer\MSI840F.tmp
    Filesize

    180KB

    MD5

    d552dd4108b5665d306b4a8bd6083dde

    SHA1

    dae55ccba7adb6690b27fa9623eeeed7a57f8da1

    SHA256

    a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5

    SHA512

    e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969

    Download Submit

  • C:\Windows\Installer\MSI8638.tmp
    Filesize

    96KB

    MD5

    3cab78d0dc84883be2335788d387601e

    SHA1

    14745df9595f190008c7e5c190660361f998d824

    SHA256

    604e79fe970c5ed044517a9a35e4690ea6f7d959d21173ebef45cdd3d3a22bdd

    SHA512

    df6b49f2b5cddebd7e23e81b0f89e4883fc12d95735a9b3f84d2f402f4996c54b5fdea8adb9eaa98e8c973b089656d18d6b322bd71cb42d7807f7fa8a7348820

    Download Submit

  • C:\Windows\Installer\MSI8688.tmp
    Filesize

    128KB

    MD5

    7e6b88f7bb59ec4573711255f60656b5

    SHA1

    5e7a159825a2d2cb263a161e247e9db93454d4f6

    SHA256

    59ff5bc12b155cc2e666bd8bc34195c3750eb742542374fc5e53fb22d11e862f

    SHA512

    294a379c99403f928d476e04668717cdabc7dc3e33bcf6bcad5c3d93d4268971811ff7303aa5b4b2ed2b59d59c8eba350a9a30888d4b5b3064708521ac21439c

    Download Submit

  • C:\Windows\Installer\MSI86D7.tmp
    Filesize

    312KB

    MD5

    aa82345a8f360804ea1d8d935f0377aa

    SHA1

    c09cf3b1666d9192fa524c801bb2e3542c0840e2

    SHA256

    9c155d4214cebda186647c035ada552963dcac8f88a6b38a23ea34f9ecd1d437

    SHA512

    c051a381d87ba933ea7929c899fb01af2207cb2462dcb2b55c28cff65596b27bdb05a48207624eeea40fddb85003133ad7af09ca93cfb2426c155daea5a9a6db

    Download Submit