Overview
overview
7Static
static
7Zoom_Playe...CH.exe
windows7-x64
7Zoom_Playe...CH.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$SYSDIR/ac3config.exe
windows7-x64
1$SYSDIR/ac3config.exe
windows10-2004-x64
1$SYSDIR/ac3filter.dll
windows7-x64
1$SYSDIR/ac3filter.dll
windows10-2004-x64
1$SYSDIR/av...er.dll
windows7-x64
1$SYSDIR/av...er.dll
windows10-2004-x64
1$SYSDIR/cd...er.dll
windows7-x64
1$SYSDIR/cd...er.dll
windows10-2004-x64
1$SYSDIR/cd...er.dll
windows7-x64
1$SYSDIR/cd...er.dll
windows10-2004-x64
1DefaultSettings.exe
windows7-x64
7DefaultSettings.exe
windows10-2004-x64
7zpic.exe
windows7-x64
3zpic.exe
windows10-2004-x64
3zplayer.exe
windows7-x64
7zplayer.exe
windows10-2004-x64
3zpresampler.dll
windows7-x64
7zpresampler.dll
windows10-2004-x64
7zpupdate.exe
windows7-x64
7zpupdate.exe
windows10-2004-x64
7新云软件.url
windows7-x64
1新云软件.url
windows10-2004-x64
1Analysis
-
max time kernel
92s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
10/07/2024, 03:59
Behavioral task
behavioral1
Sample
Zoom_Player_Premium_6.00_RC2_Plus_SCH.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral2
Sample
Zoom_Player_Premium_6.00_RC2_Plus_SCH.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$SYSDIR/ac3config.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral6
Sample
$SYSDIR/ac3config.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$SYSDIR/ac3filter.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
$SYSDIR/ac3filter.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$SYSDIR/avi2ac3filter.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral10
Sample
$SYSDIR/avi2ac3filter.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$SYSDIR/cddareader.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
$SYSDIR/cddareader.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$SYSDIR/cdxareader.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral14
Sample
$SYSDIR/cdxareader.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
DefaultSettings.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral16
Sample
DefaultSettings.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
zpic.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral18
Sample
zpic.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
zplayer.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral20
Sample
zplayer.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
zpresampler.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral22
Sample
zpresampler.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
zpupdate.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral24
Sample
zpupdate.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
新云软件.url
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral26
Sample
新云软件.url
Resource
win10v2004-20240709-en
windows10-2004-x64
General
-
Target
$SYSDIR/cddareader.dll
-
Size
260KB
-
MD5
b7d7fb864c0a9db026666c5f4fe03f41
-
SHA1
0d09fdf842e09c3add9439074ac63117526710f8
-
SHA256
e9dffd5f24879cf36af0901d82f620891ce738f572db26a6aaf4100932e4f64e
-
SHA512
cc383c56d778391442a6c51821c791633f7b9533218d41e2a7327355321949754c0eeb6aeaa189a0c73f10af1d509777a53b0c3ac6c880763f56f486b68db72c
-
SSDEEP
3072:mad+fI2CxCz6SiWVhDERfJ+egGROBuvF15+V8bjd61wr730nUwTj6Q0tl9io/Sfo:y8CmSnDERfcegLUbl6rsQi9io/SW
Malware Config
Signatures
-
Modifies registry class 14 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.cda regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54A35221-2C8D-4A31-A5DF-6D809847E393}\ = "CDDA Reader" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54A35221-2C8D-4A31-A5DF-6D809847E393}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{54A35221-2C8D-4A31-A5DF-6D809847E393}\CLSID = "{54A35221-2C8D-4A31-A5DF-6D809847E393}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{54A35221-2C8D-4a31-A5DF-6D809847E393}\0 = "0,4,,52494646,8,4,,43444441" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.cda\Source Filter = "{54A35221-2C8D-4a31-A5DF-6D809847E393}" regsvr32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{54A35221-2C8D-4A31-A5DF-6D809847E393}\FilterData = 020000000000400001000000000000003070693308000000000000000100000000000000000000003074793300000000380000004800000083eb36e44f52ce119f530020af0ba7708beb36e44f52ce119f530020af0ba770 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{54A35221-2C8D-4a31-A5DF-6D809847E393}\Source Filter = "{54A35221-2C8D-4a31-A5DF-6D809847E393}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54A35221-2C8D-4A31-A5DF-6D809847E393}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\cddareader.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54A35221-2C8D-4A31-A5DF-6D809847E393}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{54A35221-2C8D-4A31-A5DF-6D809847E393} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{54A35221-2C8D-4A31-A5DF-6D809847E393}\FriendlyName = "CDDA Reader" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54A35221-2C8D-4A31-A5DF-6D809847E393} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{e436eb83-524f-11ce-9f53-0020af0ba770}\{54A35221-2C8D-4a31-A5DF-6D809847E393} regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2824 wrote to memory of 2740 2824 regsvr32.exe 83 PID 2824 wrote to memory of 2740 2824 regsvr32.exe 83 PID 2824 wrote to memory of 2740 2824 regsvr32.exe 83