Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/02/2024, 18:50

General

  • Target

    obs-virtualcam-2.0.11-windows-x64-Installer.exe

  • Size

    2.1MB

  • MD5

    b340777dccdcfd5c14aeb14a1700553e

  • SHA1

    5bc5b990439ea84abdbb3f4b2c5b17d8075b6b7d

  • SHA256

    304885dd48f88c6ede872a164b37d7fe11904eb8bda8d197ee6edf71a9f9e451

  • SHA512

    d3d169404721896c13c31ebaf4a08ab5abde7f4c38b61fbfb8b52daf57efaa5ca85ccda5a08a7b7e23eec79ee59a43263a3572f97672e984cebcc0f946c6c651

  • SSDEEP

    24576:s7FUDowAyrTVE3U5F/56Xe/GYif5rT018ssKic6QL3E2vVsjECUAQT45deRV9RY:sBuZrEUMZYifFT0SssKIy029s4C1eH9S

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp" /SL5="$400EE,1321859,832512,C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s /n /i:1 "C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\obs-virtualsource.dll"
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:2860
      • C:\Windows\system32\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s /n /i:1 "C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\64bit\obs-virtualsource.dll"
        3⤵
        • Loads dropped DLL
        PID:2448

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp

          Filesize

          2.0MB

          MD5

          b1b6486bc0da2577ce1e63af547007be

          SHA1

          32aa84dcd757bd3cfe9eb89ff17bfeadaa9f6d6d

          SHA256

          05d2bddb1b87d2e467b6fbba34372cbcb42a957c214cd4999350d698c05a2dbf

          SHA512

          cefa4dc646982156d88998f6f6763005bf28d14e6a29a13c15b19a228715f33dad09e06dbad3ba8ea4b6e3ebd34f16a4f9f60ad262142d57c9fbfa43405808ad

        • C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\avutil-58.dll

          Filesize

          895KB

          MD5

          c35c65fec37494d7ef13a15107d1bb06

          SHA1

          39cba714c5dd2ce276a54f7db18e0c07d0685edf

          SHA256

          5cb1e909fd01760df81d23aed8010b616824ec82c26653802c86ec23593ad72a

          SHA512

          d16cf0d00c9009d19a31d4aede43226a51f1a5c14f2fa3605e886c2db66b024b66cb087d259329b6e1fdbde8c0c01c7fa67a3fab8ecca6afd14ed224531b5f53

        • C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\64bit\obs-virtualsource.dll

          Filesize

          65KB

          MD5

          293966206dbad1c9aa227e3067bc3278

          SHA1

          9964d08cc590be9f45897d2833f08cfdda137dec

          SHA256

          2b4972f0757a2290579d90e753eb3da989cd42c0e19a5440ca883a7106ab2c10

          SHA512

          a428954b76031ecb9f49832e8c05ce3cab8784f4c056a49b33fd25e0dc73882e9e24034b5d7942ea09bfeacf8ffa084848ca35d5a9b01a64c2cf1e02f603dfcd

        • \Users\Admin\AppData\Local\Temp\is-9FTGU.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp

          Filesize

          3.1MB

          MD5

          6dd1b17b4ef0d27c0fe9517fb952ec54

          SHA1

          45aeed41983c8aff9a48b37581d96af56cb8d826

          SHA256

          966bdc17532efa46d9106cfb1ad08948229230e64e85de5ec3c50158c48c96a1

          SHA512

          e6e002d2e867e3e3f4f90ba5bd77aa42c246ca6f9be49f15949fd3d13f82c8db3751991e8773960d4e6ca03c46feae8bf575f52614b8485bcf56720372d7addf

        • \Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\avutil-58.dll

          Filesize

          799KB

          MD5

          5906023042c6305c61847b19025b49d4

          SHA1

          e4a7ba8c640e5215759b46e9ad101daa153a0bcd

          SHA256

          78be99ea912020fc55b77134b1ec3b17a4f18eacf8253dffdef3bc7245393d07

          SHA512

          2a6d6b0ac519b9500ebf8ab51aae3b5e097282e350ffa8fb2e1fae7f6f729bf57a5a828d29349004d3237d6c788841e893b0d6fcb6349819af25fc1a6d90a38f

        • \Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\obs-virtualsource.dll

          Filesize

          54KB

          MD5

          07dca43200ff802bab43fd63f68e98c7

          SHA1

          f06a38d1149a274be8c2da7d385c422fb163e1f9

          SHA256

          abc7c7d07cab146a3c64fc16bfcfce8cf5fe4ac84ae589fb3e5871daec6c5e6e

          SHA512

          21a3b93e802469958427ab22b4b84be72d6ae08196338579174e4ae15a4be44ef0a5b956215bbe5bcf7d6bb963ab0815674fc12d0a00e41350d47e247c155256

        • \Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\swscale-7.dll

          Filesize

          484KB

          MD5

          1798de9667da8cc68fdd18894542356c

          SHA1

          902430f76a0cb7238c87df1b21fbf2180f45b1bb

          SHA256

          5cd9df7402954c4b13c2727d0f5a7834d70363f002026ceb89748b8f22a8ac51

          SHA512

          3d3d7df2c954c0ec7f99b3b806822f165473cbe6d5dab1ad7c8159c3fd865f3c77ab4e8ba5bd3e8bb705ed5a5239e2c21e668babb1b31914800ba59892a6080f

        • \Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\unins000.exe

          Filesize

          756KB

          MD5

          b69fef98a662f1caf57355cdf4382083

          SHA1

          e346aadda239282ef04ad6ddedbe3f596be190a7

          SHA256

          d700b1e4bc69c497558d6e649a35abcbfdbd51504f145473a9a6a5d03145caa6

          SHA512

          a019504111d2c6691f472223008f9d56a1e6313f3937d1dce5af79728f8d75f0646559c5307f6f35c5e3a1066afd245d6ad6da66526e162d10da4fb02bff3c74

        • memory/2160-1-0x0000000000400000-0x00000000004D8000-memory.dmp

          Filesize

          864KB

        • memory/2160-12-0x0000000000400000-0x00000000004D8000-memory.dmp

          Filesize

          864KB

        • memory/2160-54-0x0000000000400000-0x00000000004D8000-memory.dmp

          Filesize

          864KB

        • memory/2220-13-0x0000000000400000-0x000000000071C000-memory.dmp

          Filesize

          3.1MB

        • memory/2220-8-0x0000000000240000-0x0000000000241000-memory.dmp

          Filesize

          4KB

        • memory/2220-53-0x0000000000400000-0x000000000071C000-memory.dmp

          Filesize

          3.1MB