Analysis
max time kernel: 91s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/02/2024, 18:50
Static task: static1
Behavioral task: behavioral1
  Sample: obs-virtualcam-2.0.11-windows-x64-Installer.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: obs-virtualcam-2.0.11-windows-x64-Installer.exe
  Resource: win10v2004-20240221-en
General
Target: obs-virtualcam-2.0.11-windows-x64-Installer.exe
Size: 2.1MB
MD5: b340777dccdcfd5c14aeb14a1700553e
SHA1: 5bc5b990439ea84abdbb3f4b2c5b17d8075b6b7d
SHA256: 304885dd48f88c6ede872a164b37d7fe11904eb8bda8d197ee6edf71a9f9e451
SHA512: d3d169404721896c13c31ebaf4a08ab5abde7f4c38b61fbfb8b52daf57efaa5ca85ccda5a08a7b7e23eec79ee59a43263a3572f97672e984cebcc0f946c6c651
SSDEEP: 24576:s7FUDowAyrTVE3U5F/56Xe/GYif5rT018ssKic6QL3E2vVsjECUAQT45deRV9RY:sBuZrEUMZYifFT0SssKIy029s4C1eH9S
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid | Process
3404 | obs-virtualcam-2.0.11-windows-x64-Installer.tmp
-
Loads dropped DLL 4 IoCs
pid | Process
3104 | regsvr32.exe
3104 | regsvr32.exe
3104 | regsvr32.exe
4848 | regsvr32.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 26 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\FriendlyName = "OBS-Audio" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\CLSID = "{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\ = "OBS-Audio" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\InprocServer32\ThreadingModel = "Both" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{autopf}\\obs-studio\\bin\\32bit\\obs-virtualsource.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\ = "OBS-Camera" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997} | regsvr32.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b715955593200001000800000aa00389b71 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\InprocServer32\ThreadingModel = "Both" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11D0-BD43-00A0C911CE86} | regsvr32.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000006175647300001000800000aa00389b710100000000001000800000aa00389b71 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{autopf}\\obs-studio\\bin\\32bit\\obs-virtualsource.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A762-90C8-11d0-BD43-00A0C911CE86}\Instance\{B750E5CD-5E7E-4ED3-B675-A5003C439997}\CLSID = "{B750E5CD-5E7E-4ED3-B675-A5003C439997}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{27B05C2D-93DC-474A-A5DA-9BBA34CB2A9C}\FriendlyName = "OBS-Camera" | regsvr32.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3404 | obs-virtualcam-2.0.11-windows-x64-Installer.tmp
3404 | obs-virtualcam-2.0.11-windows-x64-Installer.tmp
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
3404 | obs-virtualcam-2.0.11-windows-x64-Installer.tmp
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2704 wrote to memory of 3404 | 2704 | obs-virtualcam-2.0.11-windows-x64-Installer.exe | 88
PID 2704 wrote to memory of 3404 | 2704 | obs-virtualcam-2.0.11-windows-x64-Installer.exe | 88
PID 2704 wrote to memory of 3404 | 2704 | obs-virtualcam-2.0.11-windows-x64-Installer.exe | 88
PID 3404 wrote to memory of 3104 | 3404 | obs-virtualcam-2.0.11-windows-x64-Installer.tmp | 96
PID 3404 wrote to memory of 3104 | 3404 | obs-virtualcam-2.0.11-windows-x64-Installer.tmp | 96
PID 3404 wrote to memory of 3104 | 3404 | obs-virtualcam-2.0.11-windows-x64-Installer.tmp | 96
PID 3404 wrote to memory of 4848 | 3404 | obs-virtualcam-2.0.11-windows-x64-Installer.tmp | 97
PID 3404 wrote to memory of 4848 | 3404 | obs-virtualcam-2.0.11-windows-x64-Installer.tmp | 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"
  PID: 2704
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp" /SL5="$900F0,1321859,832512,C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"
    PID: 3404
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s /n /i:1 "C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\obs-virtualsource.dll"
      PID: 3104
      - Loads dropped DLL
      - Modifies registry class
    C:\Windows\system32\regsvr32.exe
      Command line: "C:\Windows\system32\regsvr32.exe" /s /n /i:1 "C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\64bit\obs-virtualsource.dll"
      PID: 4848
      - Loads dropped DLL
-
Network
MITRE ATT&CK Enterprise v15
Downloads