1755badfc83739fe2255611e167badd0fc7b42b50f8b898968601724d2dc909b

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/07/2023, 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.0MB
MD5

174a99ce7fd9e7cfe4634a0125a2ecb2
SHA1

ed52ae9a841001a1a94dc9c8699d05621042922d
SHA256

1755badfc83739fe2255611e167badd0fc7b42b50f8b898968601724d2dc909b
SHA512

a080672d69aecf25989322cab361c12904ba6a2709d211632e80d38eff936973149fec010827864929875c808e6fa33c32166bf0b215bfacb24d1b181496741e
SSDEEP

24576:QM3mpg8aR414p55PkFB21FU0KCdwl9y3J2XpKhXQ:Lmm8w49exKCAUJ2XgpQ

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\webrec\WEB30\WebView_L\python_nsibuild.nsi	tmp.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebView_L\dhplay.dll	tmp.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebView_L\Version.ini	tmp.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebView_L\speech_enhance.dll	tmp.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebView_L\python_nsibuild.nsi	tmp.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebView_L\aacdec.dll	tmp.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebView_L\IvsDrawer.dll	tmp.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebView_L\uninst.exe	tmp.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebView_L\dhnetsdk.dll	tmp.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebView_L\h264dec.dll	tmp.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebView_L\npPlugin.dll	tmp.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebView_L\postproc.dll	tmp.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebView_L\webActiveX.exe	tmp.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebView_L\DHSurveillanceDll.dll	tmp.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebView_L\VideoWindow.dll	tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2848	webActiveX.exe

Loads dropped DLL 2 IoCs

pid	Process
2448	tmp.exe
2448	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}\ProgID\ = "WebView_L.Plugin.1"	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C17B4D63-8A01-4F37-B51E-45D99DCE962F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WebView_L.Plugin.1\CLSID	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A93E209D-61C2-4C33-B65D-A71124B583CF}\1.0\0	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}\TypeLib\Version = "1.0"	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}\TypeLib\Version = "1.0"	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}\MiscStatus\1	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A93E209D-61C2-4C33-B65D-A71124B583CF}\1.0\FLAGS	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C17B4D63-8A01-4F37-B51E-45D99DCE962F}	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C17B4D63-8A01-4F37-B51E-45D99DCE962F}\TypeLib\ = "{A93E209D-61C2-4C33-B65D-A71124B583CF}"	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}\LocalServer32	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebView_L.Plugin\ = "Plugin Class"	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}\Version	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A93E209D-61C2-4C33-B65D-A71124B583CF}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\webrec\\WEB30\\WebView_L"	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}\ProxyStubClsid32	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C17B4D63-8A01-4F37-B51E-45D99DCE962F}\ = "IPlugin"	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebView_L.Plugin.1\CLSID\ = "{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}"	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WebView_L.Plugin\CurVer	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}\LocalServer32\ = "\"C:\\Program Files (x86)\\webrec\\WEB30\\WebView_L\\webActiveX.exe\""	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}\ToolboxBitmap32	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebView_L.Plugin\CLSID\ = "{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}"	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}\VersionIndependentProgID\ = "WebView_L.Plugin"	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}\ = "_IPluginEvents"	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}\ProxyStubClsid32	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{82FA2120-71EC-4BAD-9FB8-F91B21DA8290}	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}\TypeLib\ = "{DD09A797-F29F-453D-BA05-43E3A7BCC433}"	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4C54-9D06-B1CDEC73164D}\Implemented Categories	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A93E209D-61C2-4C33-B65D-A71124B583CF}\1.0\FLAGS\ = "0"	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}\TypeLib\ = "{A93E209D-61C2-4C33-B65D-A71124B583CF}"	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C17B4D63-8A01-4F37-B51E-45D99DCE962F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C17B4D63-8A01-4F37-B51E-45D99DCE962F}\TypeLib\ = "{A93E209D-61C2-4C33-B65D-A71124B583CF}"	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\webPlugin.EXE	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4C54-9D06-B1CDEC73164D}	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A93E209D-61C2-4C33-B65D-A71124B583CF}\1.0\0\win32	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}\TypeLib	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C17B4D63-8A01-4F37-B51E-45D99DCE962F}\ = "IPlugin"	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}\Control	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}\Insertable	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A93E209D-61C2-4C33-B65D-A71124B583CF}\1.0\ = "webPlugin 1.0 Type Library"	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C17B4D63-8A01-4F37-B51E-45D99DCE962F}	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C17B4D63-8A01-4F37-B51E-45D99DCE962F}\ProxyStubClsid32	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}\ProgID	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebView_L.Plugin\CurVer\ = "WebView_L.Plugin.1"	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}\MiscStatus\ = "0"	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}\Version\ = "1.0"	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C17B4D63-8A01-4F37-B51E-45D99DCE962F}\TypeLib	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C17B4D63-8A01-4F37-B51E-45D99DCE962F}\TypeLib	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\webPlugin.EXE\AppID = "{82FA2120-71EC-4BAD-9FB8-F91B21DA8290}"	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C17B4D63-8A01-4F37-B51E-45D99DCE962F}\ProxyStubClsid32	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C17B4D63-8A01-4F37-B51E-45D99DCE962F}\TypeLib\Version = "1.0"	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\webrec\\WEB30\\WebView_L\\webActiveX.exe, 101"	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}\AppID = "{82FA2120-71EC-4BAD-9FB8-F91B21DA8290}"	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C5950D30-EEB1-4c54-9D06-B1CDEC73164D}\MiscStatus\1\ = "131473"	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A93E209D-61C2-4C33-B65D-A71124B583CF}\1.0\HELPDIR	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}\TypeLib\ = "{A93E209D-61C2-4C33-B65D-A71124B583CF}"	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WebView_L.Plugin\CLSID	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A93E209D-61C2-4C33-B65D-A71124B583CF}	webActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A93E209D-61C2-4C33-B65D-A71124B583CF}\1.0\0\win32\ = "C:\\Program Files (x86)\\webrec\\WEB30\\WebView_L\\webActiveX.exe"	webActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WebView_L.Plugin.1	webActiveX.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2848	2448	tmp.exe	28
PID 2448 wrote to memory of 2848	2448	tmp.exe	28
PID 2448 wrote to memory of 2848	2448	tmp.exe	28
PID 2448 wrote to memory of 2848	2448	tmp.exe	28
PID 2448 wrote to memory of 2960	2448	tmp.exe	29
PID 2448 wrote to memory of 2960	2448	tmp.exe	29
PID 2448 wrote to memory of 2960	2448	tmp.exe	29
PID 2448 wrote to memory of 2960	2448	tmp.exe	29
PID 2448 wrote to memory of 2960	2448	tmp.exe	29
PID 2448 wrote to memory of 2960	2448	tmp.exe	29
PID 2448 wrote to memory of 2960	2448	tmp.exe	29

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Program Files (x86)\webrec\WEB30\WebView_L\webActiveX.exe
  "C:\Program Files (x86)\webrec\WEB30\WebView_L\webActiveX.exe" /regserver
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:2848
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "atl.dll"
  2⤵
  PID:2960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\webrec\WEB30\WebView_L\webActiveX.exe

Filesize
152KB

MD5
3864bf459102c1b7661af36b6f70259c

SHA1
1873eb87816a20579681140bc25d452864f53500

SHA256
7574589781404d7dee83526718189e852a1f94ef5e1c85d698ab544047864590

SHA512
75c5abe7b1488b40d16afd789055e69ccd64e9f2e185493311c63de0938c735dd986d6897033bb8f2c9d08abc87ee8938ad21627791003841f7371a89b7465bc

Download Submit
C:\Program Files (x86)\webrec\WEB30\WebView_L\webActiveX.exe

Filesize
152KB

MD5
3864bf459102c1b7661af36b6f70259c

SHA1
1873eb87816a20579681140bc25d452864f53500

SHA256
7574589781404d7dee83526718189e852a1f94ef5e1c85d698ab544047864590

SHA512
75c5abe7b1488b40d16afd789055e69ccd64e9f2e185493311c63de0938c735dd986d6897033bb8f2c9d08abc87ee8938ad21627791003841f7371a89b7465bc

Download Submit
C:\Program Files (x86)\webrec\WEB30\WebView_L\webActiveX.exe

Filesize
152KB

MD5
3864bf459102c1b7661af36b6f70259c

SHA1
1873eb87816a20579681140bc25d452864f53500

SHA256
7574589781404d7dee83526718189e852a1f94ef5e1c85d698ab544047864590

SHA512
75c5abe7b1488b40d16afd789055e69ccd64e9f2e185493311c63de0938c735dd986d6897033bb8f2c9d08abc87ee8938ad21627791003841f7371a89b7465bc

Download Submit
\Program Files (x86)\webrec\WEB30\WebView_L\webActiveX.exe

Filesize
152KB

MD5
3864bf459102c1b7661af36b6f70259c

SHA1
1873eb87816a20579681140bc25d452864f53500

SHA256
7574589781404d7dee83526718189e852a1f94ef5e1c85d698ab544047864590

SHA512
75c5abe7b1488b40d16afd789055e69ccd64e9f2e185493311c63de0938c735dd986d6897033bb8f2c9d08abc87ee8938ad21627791003841f7371a89b7465bc

Download Submit
\Program Files (x86)\webrec\WEB30\WebView_L\webActiveX.exe

Filesize
152KB

MD5
3864bf459102c1b7661af36b6f70259c

SHA1
1873eb87816a20579681140bc25d452864f53500

SHA256
7574589781404d7dee83526718189e852a1f94ef5e1c85d698ab544047864590

SHA512
75c5abe7b1488b40d16afd789055e69ccd64e9f2e185493311c63de0938c735dd986d6897033bb8f2c9d08abc87ee8938ad21627791003841f7371a89b7465bc

Download Submit