Overview
overview
7Static
static
7Zoom_Playe...CH.exe
windows7-x64
7Zoom_Playe...CH.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$SYSDIR/ac3config.exe
windows7-x64
1$SYSDIR/ac3config.exe
windows10-2004-x64
1$SYSDIR/ac3filter.dll
windows7-x64
1$SYSDIR/ac3filter.dll
windows10-2004-x64
1$SYSDIR/av...er.dll
windows7-x64
1$SYSDIR/av...er.dll
windows10-2004-x64
1$SYSDIR/cd...er.dll
windows7-x64
1$SYSDIR/cd...er.dll
windows10-2004-x64
1$SYSDIR/cd...er.dll
windows7-x64
1$SYSDIR/cd...er.dll
windows10-2004-x64
1DefaultSettings.exe
windows7-x64
7DefaultSettings.exe
windows10-2004-x64
7zpic.exe
windows7-x64
3zpic.exe
windows10-2004-x64
3zplayer.exe
windows7-x64
7zplayer.exe
windows10-2004-x64
3zpresampler.dll
windows7-x64
7zpresampler.dll
windows10-2004-x64
7zpupdate.exe
windows7-x64
7zpupdate.exe
windows10-2004-x64
7新云软件.url
windows7-x64
1新云软件.url
windows10-2004-x64
1Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
10/07/2024, 03:59 UTC
Behavioral task
behavioral1
Sample
Zoom_Player_Premium_6.00_RC2_Plus_SCH.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral2
Sample
Zoom_Player_Premium_6.00_RC2_Plus_SCH.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$SYSDIR/ac3config.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral6
Sample
$SYSDIR/ac3config.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$SYSDIR/ac3filter.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
$SYSDIR/ac3filter.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$SYSDIR/avi2ac3filter.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral10
Sample
$SYSDIR/avi2ac3filter.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$SYSDIR/cddareader.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
$SYSDIR/cddareader.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$SYSDIR/cdxareader.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral14
Sample
$SYSDIR/cdxareader.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
DefaultSettings.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral16
Sample
DefaultSettings.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
zpic.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral18
Sample
zpic.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
zplayer.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral20
Sample
zplayer.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
zpresampler.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral22
Sample
zpresampler.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
zpupdate.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral24
Sample
zpupdate.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
新云软件.url
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral26
Sample
新云软件.url
Resource
win10v2004-20240709-en
windows10-2004-x64
General
-
Target
$SYSDIR/ac3filter.dll
-
Size
504KB
-
MD5
f083331b79850b0f6cd77b3a51ed6c00
-
SHA1
b7cc99c26a9477f4d8f9f92b60783eac03ac4965
-
SHA256
0d4fb95c124553b36a875c830fa0f7a49ba4ec9f21e1736b141225f1f9b4e48c
-
SHA512
eeeee070d4121c3383e716f6be4ce2e1a295faab691b799b10b02786bf1feec6b950c8320d68ad7c88986f739465c47d682c6fefec083f9f98b1f52798a9dfaa
-
SSDEEP
6144:D7l0o7/SrT9rCEs4+uU8Z90qvlnL0PNAILa/Mwyy8uG9g:D7l0QiW4+uUs6q5IO/Mw5
Malware Config
Signatures
-
Modifies registry class 34 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0B801B1-A239-473B-B6B4-6AE3DB3ABBD3}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{02AFA80F-4BEE-41FD-8572-214B58A9EF90}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\ac3filter.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{363F46BE-27B4-4C8D-99E7-B1E049B84376}\ = "AC3Filter System page" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90A9B7D2-3794-45EA-9E23-140E3938D2D9}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A753A1EC-973E-4718-AF8E-A3F554D45C44} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBA5FB05-58C3-45CB-8B0D-C2313EA048CF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\ac3filter.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0B801B1-A239-473B-B6B4-6AE3DB3ABBD3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\ac3filter.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90A9B7D2-3794-45EA-9E23-140E3938D2D9}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\ac3filter.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A753A1EC-973E-4718-AF8E-A3F554D45C44}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0B801B1-A239-473B-B6B4-6AE3DB3ABBD3}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{02AFA80F-4BEE-41FD-8572-214B58A9EF90}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A753A1EC-973E-4718-AF8E-A3F554D45C44} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A753A1EC-973E-4718-AF8E-A3F554D45C44}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A753A1EC-973E-4718-AF8E-A3F554D45C44}\FriendlyName = "AC3Filter" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{02AFA80F-4BEE-41FD-8572-214B58A9EF90} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{363F46BE-27B4-4C8D-99E7-B1E049B84376}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{363F46BE-27B4-4C8D-99E7-B1E049B84376}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90A9B7D2-3794-45EA-9E23-140E3938D2D9} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90A9B7D2-3794-45EA-9E23-140E3938D2D9}\ = "AC3Filter About page" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBA5FB05-58C3-45CB-8B0D-C2313EA048CF}\ = "AC3Filter Main page" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0B801B1-A239-473B-B6B4-6AE3DB3ABBD3} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{02AFA80F-4BEE-41FD-8572-214B58A9EF90}\ = "AC3Filter Gains page" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{02AFA80F-4BEE-41FD-8572-214B58A9EF90}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{363F46BE-27B4-4C8D-99E7-B1E049B84376} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90A9B7D2-3794-45EA-9E23-140E3938D2D9}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A753A1EC-973E-4718-AF8E-A3F554D45C44}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\ac3filter.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBA5FB05-58C3-45CB-8B0D-C2313EA048CF} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0B801B1-A239-473B-B6B4-6AE3DB3ABBD3}\ = "AC3Filter Mixer page" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A753A1EC-973E-4718-AF8E-A3F554D45C44}\ = "AC3Filter" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBA5FB05-58C3-45CB-8B0D-C2313EA048CF}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{363F46BE-27B4-4C8D-99E7-B1E049B84376}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$SYSDIR\\ac3filter.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A753A1EC-973E-4718-AF8E-A3F554D45C44}\CLSID = "{A753A1EC-973E-4718-AF8E-A3F554D45C44}" regsvr32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A753A1EC-973E-4718-AF8E-A3F554D45C44}\FilterData = 020000000000004002000000000000003070693300000000000000001200000000000000000000003074793300000000700100008001000031747933000000007001000090010000327479330000000070010000a0010000337479330000000070010000b0010000347479330000000070010000c00100003574793300000000d0010000800100003674793300000000d0010000900100003774793300000000d0010000a00100003874793300000000d0010000b00100003974793300000000d0010000c00100003a74793300000000e0010000f00100003b74793300000000e0010000000200003c74793300000000e0010000b00100003d74793300000000e0010000100200003e74793300000000e0010000200200003f74793300000000e0010000800100004074793300000000e0010000c00100004174793300000000e0010000a00100003170693308000000000000000100000000000000000000003074793300000000e0010000f001000020806de046dbcf11b4d100805f6cbbea2c806de046dbcf11b4d100805f6cbbea5000000000001000800000aa00389b712b806de046dbcf11b4d100805f6cbbea32806de046dbcf11b4d100805f6cbbea33806de046dbcf11b4d100805f6cbbea6a910bed4d04d111aa7800c04fc31d606175647300001000800000aa00389b710100000000001000800000aa00389b710300000000001000800000aa00389b710020000000001000800000aa00389b710120000000001000800000aa00389b71 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBA5FB05-58C3-45CB-8B0D-C2313EA048CF}\InprocServer32 regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 3028 wrote to memory of 2756 3028 regsvr32.exe 30 PID 3028 wrote to memory of 2756 3028 regsvr32.exe 30 PID 3028 wrote to memory of 2756 3028 regsvr32.exe 30 PID 3028 wrote to memory of 2756 3028 regsvr32.exe 30 PID 3028 wrote to memory of 2756 3028 regsvr32.exe 30 PID 3028 wrote to memory of 2756 3028 regsvr32.exe 30 PID 3028 wrote to memory of 2756 3028 regsvr32.exe 30