Overview
overview
7Static
static
7Zoom_Playe...CH.exe
windows7-x64
7Zoom_Playe...CH.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$SYSDIR/ac3config.exe
windows7-x64
1$SYSDIR/ac3config.exe
windows10-2004-x64
1$SYSDIR/ac3filter.dll
windows7-x64
1$SYSDIR/ac3filter.dll
windows10-2004-x64
1$SYSDIR/av...er.dll
windows7-x64
1$SYSDIR/av...er.dll
windows10-2004-x64
1$SYSDIR/cd...er.dll
windows7-x64
1$SYSDIR/cd...er.dll
windows10-2004-x64
1$SYSDIR/cd...er.dll
windows7-x64
1$SYSDIR/cd...er.dll
windows10-2004-x64
1DefaultSettings.exe
windows7-x64
7DefaultSettings.exe
windows10-2004-x64
7zpic.exe
windows7-x64
3zpic.exe
windows10-2004-x64
3zplayer.exe
windows7-x64
7zplayer.exe
windows10-2004-x64
3zpresampler.dll
windows7-x64
7zpresampler.dll
windows10-2004-x64
7zpupdate.exe
windows7-x64
7zpupdate.exe
windows10-2004-x64
7新云软件.url
windows7-x64
1新云软件.url
windows10-2004-x64
1Analysis
-
max time kernel
11s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
10/07/2024, 03:59
Behavioral task
behavioral1
Sample
Zoom_Player_Premium_6.00_RC2_Plus_SCH.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral2
Sample
Zoom_Player_Premium_6.00_RC2_Plus_SCH.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$SYSDIR/ac3config.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral6
Sample
$SYSDIR/ac3config.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$SYSDIR/ac3filter.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
$SYSDIR/ac3filter.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$SYSDIR/avi2ac3filter.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral10
Sample
$SYSDIR/avi2ac3filter.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$SYSDIR/cddareader.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
$SYSDIR/cddareader.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$SYSDIR/cdxareader.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral14
Sample
$SYSDIR/cdxareader.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
DefaultSettings.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral16
Sample
DefaultSettings.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
zpic.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral18
Sample
zpic.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
zplayer.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral20
Sample
zplayer.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
zpresampler.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral22
Sample
zpresampler.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
zpupdate.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral24
Sample
zpupdate.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
新云软件.url
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral26
Sample
新云软件.url
Resource
win10v2004-20240709-en
windows10-2004-x64
General
-
Target
$SYSDIR/cdxareader.dll
-
Size
248KB
-
MD5
ad7626525fcd82da4608aa2813134188
-
SHA1
f74809b1780de796b9c4e98096d0995c4758c972
-
SHA256
000c5e8238c076deef3bd091a8c83af247a2a24ef59252590f04d946804c9471
-
SHA512
32f559b8db5188a989e02031ddaa3ee021b31b8f44ae824697302871ca01cab63ae60696bf3d155a6400d2999ab49a49fccbe0eca9b8fed0382e44460d1f8f92
-
SSDEEP
3072:S35taHwOIkwemfgT3oD44OrKagBGA3PxSoUI4wr73W5UAtMLioEM2y2KO+1:9Ce/3oD4vrKNqo0+LioEfyi
Malware Config
Signatures
-
Modifies registry class 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D367878E-F3B8-4235-A968-F378EF1B9A44}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D367878E-F3B8-4235-A968-F378EF1B9A44}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\cdxareader.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D367878E-F3B8-4235-A968-F378EF1B9A44}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D367878E-F3B8-4235-A968-F378EF1B9A44}\CLSID = "{D367878E-F3B8-4235-A968-F378EF1B9A44}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{e436eb83-524f-11ce-9f53-0020af0ba770}\{D367878E-F3B8-4235-A968-F378EF1B9A44} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D367878E-F3B8-4235-A968-F378EF1B9A44}\ = "CDXA Reader" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D367878E-F3B8-4235-A968-F378EF1B9A44} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D367878E-F3B8-4235-A968-F378EF1B9A44} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D367878E-F3B8-4235-A968-F378EF1B9A44}\FriendlyName = "CDXA Reader" regsvr32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D367878E-F3B8-4235-A968-F378EF1B9A44}\FilterData = 020000000000400001000000000000003070693308000000000000000100000000000000000000003074793300000000380000004800000083eb36e44f52ce119f530020af0ba77000000000000000000000000000000000 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{D367878E-F3B8-4235-A968-F378EF1B9A44}\0 = "0,4,,52494646,8,4,,43445841" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{D367878E-F3B8-4235-A968-F378EF1B9A44}\Source Filter = "{D367878E-F3B8-4235-A968-F378EF1B9A44}" regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2304 wrote to memory of 1696 2304 regsvr32.exe 29 PID 2304 wrote to memory of 1696 2304 regsvr32.exe 29 PID 2304 wrote to memory of 1696 2304 regsvr32.exe 29 PID 2304 wrote to memory of 1696 2304 regsvr32.exe 29 PID 2304 wrote to memory of 1696 2304 regsvr32.exe 29 PID 2304 wrote to memory of 1696 2304 regsvr32.exe 29 PID 2304 wrote to memory of 1696 2304 regsvr32.exe 29