Analysis

  • max time kernel
    91s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/02/2024, 18:50

General

  • Target

    obs-virtualcam-2.0.11-windows-x64-Installer.exe

  • Size

    2.1MB

  • MD5

    b340777dccdcfd5c14aeb14a1700553e

  • SHA1

    5bc5b990439ea84abdbb3f4b2c5b17d8075b6b7d

  • SHA256

    304885dd48f88c6ede872a164b37d7fe11904eb8bda8d197ee6edf71a9f9e451

  • SHA512

    d3d169404721896c13c31ebaf4a08ab5abde7f4c38b61fbfb8b52daf57efaa5ca85ccda5a08a7b7e23eec79ee59a43263a3572f97672e984cebcc0f946c6c651

  • SSDEEP

    24576:s7FUDowAyrTVE3U5F/56Xe/GYif5rT018ssKic6QL3E2vVsjECUAQT45deRV9RY:sBuZrEUMZYifFT0SssKIy029s4C1eH9S

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (4 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (26 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp" /SL5="$900F0,1321859,832512,C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s /n /i:1 "C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\obs-virtualsource.dll"
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:3104
      • C:\Windows\system32\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s /n /i:1 "C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\64bit\obs-virtualsource.dll"
        3⤵
        • Loads dropped DLL
        PID:4848
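The tree above is the usual Inno Setup shape: the submitted .exe unpacks a second stage to %TEMP%\is-XXXXX.tmp\<name>.tmp and re-launches it with /SL5=, and that stage then runs regsvr32 on each dropped obs-virtualsource.dll. The switches matter for triage: /s suppresses dialogs, /n skips DllRegisterServer, and /i:1 calls the module's DllInstall export with the string "1". Two details a reviewer should not gloss over: PID 3104's image is C:\Windows\SysWOW64\regsvr32.exe although its command line names system32\regsvr32.exe, which is WoW64 file-system redirection hitting a 32-bit parent, while PID 4848 runs the real 64-bit copy; and the literal {autopf} in the dropped-file paths is an Inno Setup directory constant recorded unexpanded by the sandbox. The same regsvr32 shape is also a well-worn LOLBin pattern, so the check worth automating is which regsvr32 invocations load a module from a user-writable directory, with which switches, and from which parent. The script below is an added example by the editor, not code from the sandbox vendor or the OBS project; the process records are constructed from this report's process tree, and the user-writable-directory list and the Inno Setup stage-2 heuristic are the editor's assumptions.

```python
r"""Triage regsvr32 use in a sandbox process tree (added example).

The process records are constructed from this report's "Processes" section.
The heuristics (user-writable directory markers, Inno Setup stage-2 shape)
are the editor's assumptions, not the sandbox vendor's detection logic.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str       # image path as recorded by the sandbox
    cmdline: str     # command line as recorded by the sandbox
    parent: Optional[int]


# Constructed from the process tree in this report.
PROCESSES = [
    Proc(2704,
         r"C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"',
         None),
    Proc(3404,
         r"C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp",
         r'"C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp" '
         r'/SL5="$900F0,1321859,832512,C:\Users\Admin\AppData\Local\Temp\obs-virtualcam-2.0.11-windows-x64-Installer.exe"',
         2704),
    Proc(3104,
         r"C:\Windows\SysWOW64\regsvr32.exe",
         r'"C:\Windows\system32\regsvr32.exe" /s /n /i:1 '
         r'"C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\obs-virtualsource.dll"',
         3404),
    Proc(4848,
         r"C:\Windows\system32\regsvr32.exe",
         r'"C:\Windows\system32\regsvr32.exe" /s /n /i:1 '
         r'"C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\64bit\obs-virtualsource.dll"',
         3404),
]

# Assumption: directories an unprivileged user can write to (extend as needed).
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\programdata\\", "\\windows\\temp\\")

# Inno Setup stage 2: %TEMP%\is-XXXXX.tmp\<name>.tmp re-launched with /SL5=
INNO_STAGE2 = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\[^\\]+\.tmp$", re.IGNORECASE)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # quoted token, or bare token


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def is_inno_setup_stage2(proc: Proc) -> bool:
    return bool(INNO_STAGE2.search(proc.image)) and "/SL5=" in proc.cmdline


def in_user_writable_dir(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def parse_regsvr32(cmdline: str) -> dict:
    r"""Decode the regsvr32 switches that matter for triage.

    /s silent   /u call DllUnregisterServer   /n skip DllRegisterServer
    /i[:cmdline] call DllInstall with the given string (here "1")
    """
    info = {"silent": False, "unregister": False,
            "skip_register_server": False, "dllinstall_arg": None, "dll": None}
    for tok in split_cmdline(cmdline)[1:]:
        low = tok.lower()
        if low == "/s":
            info["silent"] = True
        elif low == "/u":
            info["unregister"] = True
        elif low == "/n":
            info["skip_register_server"] = True
        elif low.startswith("/i"):
            info["dllinstall_arg"] = tok[3:] if low.startswith("/i:") else ""
        elif not tok.startswith("/"):
            info["dll"] = tok          # last non-switch token is the module
    return info


def wow64_redirected(proc: Proc) -> bool:
    r"""True when the command line names system32\regsvr32.exe but the OS ran
    the SysWOW64 copy: the parent is a 32-bit process under WoW64."""
    return ("\\syswow64\\regsvr32.exe" in proc.image.lower()
            and "\\system32\\regsvr32.exe" in proc.cmdline.lower())


def triage(procs: list) -> list:
    """One finding per regsvr32 process: switches, module origin, parent shape."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if not p.image.lower().endswith("\\regsvr32.exe"):
            continue
        info = parse_regsvr32(p.cmdline)
        parent = by_pid.get(p.parent)
        findings.append({
            "pid": p.pid, **info,
            "dll_in_user_writable_dir": bool(info["dll"]) and in_user_writable_dir(info["dll"]),
            "wow64_redirected": wow64_redirected(p),
            "parent_is_inno_stage2": parent is not None and is_inno_setup_stage2(parent),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(PROCESSES):
        print(finding)
```

Run against this report's tree it yields two findings, both silent, both skipping DllRegisterServer in favour of DllInstall("1"), both loading a module from under the user's Temp directory, with a parent that matches the Inno Setup stage-2 shape; only PID 3104 is flagged as WoW64-redirected. In a detection pipeline the interesting combination is "module in user-writable directory" without "parent is a known installer stage"; here the installer parent is what keeps this from being a hunt-worthy event.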

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\is-0NMBG.tmp\obs-virtualcam-2.0.11-windows-x64-Installer.tmp

          Filesize

          3.1MB

          MD5

          6dd1b17b4ef0d27c0fe9517fb952ec54

          SHA1

          45aeed41983c8aff9a48b37581d96af56cb8d826

          SHA256

          966bdc17532efa46d9106cfb1ad08948229230e64e85de5ec3c50158c48c96a1

          SHA512

          e6e002d2e867e3e3f4f90ba5bd77aa42c246ca6f9be49f15949fd3d13f82c8db3751991e8773960d4e6ca03c46feae8bf575f52614b8485bcf56720372d7addf

        • C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\avutil-58.dll

          Filesize

          895KB

          MD5

          c35c65fec37494d7ef13a15107d1bb06

          SHA1

          39cba714c5dd2ce276a54f7db18e0c07d0685edf

          SHA256

          5cb1e909fd01760df81d23aed8010b616824ec82c26653802c86ec23593ad72a

          SHA512

          d16cf0d00c9009d19a31d4aede43226a51f1a5c14f2fa3605e886c2db66b024b66cb087d259329b6e1fdbde8c0c01c7fa67a3fab8ecca6afd14ed224531b5f53

        • C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\obs-virtualsource.dll

          Filesize

          54KB

          MD5

          07dca43200ff802bab43fd63f68e98c7

          SHA1

          f06a38d1149a274be8c2da7d385c422fb163e1f9

          SHA256

          abc7c7d07cab146a3c64fc16bfcfce8cf5fe4ac84ae589fb3e5871daec6c5e6e

          SHA512

          21a3b93e802469958427ab22b4b84be72d6ae08196338579174e4ae15a4be44ef0a5b956215bbe5bcf7d6bb963ab0815674fc12d0a00e41350d47e247c155256

        • C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\32bit\swscale-7.dll

          Filesize

          484KB

          MD5

          1798de9667da8cc68fdd18894542356c

          SHA1

          902430f76a0cb7238c87df1b21fbf2180f45b1bb

          SHA256

          5cd9df7402954c4b13c2727d0f5a7834d70363f002026ceb89748b8f22a8ac51

          SHA512

          3d3d7df2c954c0ec7f99b3b806822f165473cbe6d5dab1ad7c8159c3fd865f3c77ab4e8ba5bd3e8bb705ed5a5239e2c21e668babb1b31914800ba59892a6080f

        • C:\Users\Admin\AppData\Local\Temp\{autopf}\obs-studio\bin\64bit\obs-virtualsource.dll

          Filesize

          65KB

          MD5

          293966206dbad1c9aa227e3067bc3278

          SHA1

          9964d08cc590be9f45897d2833f08cfdda137dec

          SHA256

          2b4972f0757a2290579d90e753eb3da989cd42c0e19a5440ca883a7106ab2c10

          SHA512

          a428954b76031ecb9f49832e8c05ce3cab8784f4c056a49b33fd25e0dc73882e9e24034b5d7942ea09bfeacf8ffa084848ca35d5a9b01a64c2cf1e02f603dfcd

        • memory/2704-2-0x0000000000400000-0x00000000004D8000-memory.dmp

          Filesize

          864KB

        • memory/2704-0-0x0000000000400000-0x00000000004D8000-memory.dmp

          Filesize

          864KB

        • memory/2704-10-0x0000000000400000-0x00000000004D8000-memory.dmp

          Filesize

          864KB

        • memory/2704-56-0x0000000000400000-0x00000000004D8000-memory.dmp

          Filesize

          864KB

        • memory/3404-6-0x0000000000A30000-0x0000000000A31000-memory.dmp

          Filesize

          4KB

        • memory/3404-16-0x0000000000400000-0x000000000071C000-memory.dmp

          Filesize

          3.1MB

        • memory/3404-14-0x0000000000A30000-0x0000000000A31000-memory.dmp

          Filesize

          4KB

        • memory/3404-55-0x0000000000400000-0x000000000071C000-memory.dmp

          Filesize

          3.1MB

        • memory/3404-11-0x0000000000400000-0x000000000071C000-memory.dmp

          Filesize

          3.1MB