f92ad1e92780a039397fd62d04affe97f1a65d04e7a41c9b5da6dd3fd265967e

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 16:20 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lib/DroidCamFilter32.dll
Size

84KB
MD5

efe71ae8a02ca59a0855cd649f5e58b8
SHA1

0a5ba3257ad82f71890c0fa55a5f7405d0b6b4ac
SHA256

ffb22ab7b98ecc98c22cf675bfab61c875127137277e1f66bc3d7269c3b42652
SHA512

bad93c560355019f739158d2a25e7643a08cdcb000b378099aa2431ba4d023aa72741e674912d738b0ac6d21e44417f5406eee67f16035f6a783a5226b0d65a4
SSDEEP

1536:Jld1X/W0/2LAd2btU5b7ToSWVd1MjYx0EY6uJotlzoOaB2mu0gFfhdtmPv2kXlOZ:J/1Xue2LY2e5b7ToSWV7MjYFuJotlSug

Score

1^/10

Malware Config

Signatures

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FriendlyName = "DroidCam Source 2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lib\\DroidCamFilter32.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FilterData = 02000000000060000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\ = "DroidCam Source 2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\CLSID = "{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2196	2384	regsvr32.exe	85
PID 2384 wrote to memory of 2196	2384	regsvr32.exe	85
PID 2384 wrote to memory of 2196	2384	regsvr32.exe	85

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\lib\DroidCamFilter32.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\lib\DroidCamFilter32.dll
  2⤵
  - Modifies registry class
  PID:2196

Network

DNS

69.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

69.31.126.40.in-addr.arpa

IN PTR

Response
DNS

200.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.178.17.96.in-addr.arpa

IN PTR

Response

200.178.17.96.in-addr.arpa

IN PTR

a96-17-178-200deploystaticakamaitechnologiescom
DNS

58.99.105.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.99.105.20.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

197.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.178.17.96.in-addr.arpa

IN PTR

Response

197.178.17.96.in-addr.arpa

IN PTR

a96-17-178-197deploystaticakamaitechnologiescom
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response
DNS

210.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.178.17.96.in-addr.arpa

IN PTR

Response

210.178.17.96.in-addr.arpa

IN PTR

a96-17-178-210deploystaticakamaitechnologiescom
DNS

210.143.182.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.143.182.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

69.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

69.31.126.40.in-addr.arpa
8.8.8.8:53

200.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

200.178.17.96.in-addr.arpa
8.8.8.8:53

58.99.105.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

58.99.105.20.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

197.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

197.178.17.96.in-addr.arpa
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa
8.8.8.8:53

210.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

210.178.17.96.in-addr.arpa
8.8.8.8:53

210.143.182.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

210.143.182.52.in-addr.arpa

Windows 7 deprecation

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.