9a4f371dafc70b6347dc125ec9803df96b2d77511e42bc1c236fbaf1c56be1ef

Analysis

max time kernel
119s
max time network
132s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OverwatchWebcam Win64 v.0.4-97/OverwatchWebcam_Data/StreamingAssets/aa/StandaloneWindows64/actionsce.bundle
Size

17KB
MD5

a906580c3bb6ffda507a2215e5f82d13
SHA1

c032cdc0d4bf8578b7fd955fabea8f5f901a9312
SHA256

5567802d0f0f9c65cedded03efc2aa9cdaddf8c5b9695c8a0f65b96237bf355b
SHA512

ed0dc8dee0e59698f06107c7837dcf2c07f858e7e05ff249d619ed3b8fa866670183b12954863f33916b3f86510099b5cb0e0bf7d882d5dd46d807ad9fabe9c1
SSDEEP

384:pntkN8wIHA7Vt5+wxHKz859FnNfE/Dfw+PpgUF:ptk+wIIJ9HvPpNoY+B1F

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2712	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2712	AcroRd32.exe
2712	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2696	2332	cmd.exe	32
PID 2332 wrote to memory of 2696	2332	cmd.exe	32
PID 2332 wrote to memory of 2696	2332	cmd.exe	32
PID 2696 wrote to memory of 2712	2696	rundll32.exe	33
PID 2696 wrote to memory of 2712	2696	rundll32.exe	33
PID 2696 wrote to memory of 2712	2696	rundll32.exe	33
PID 2696 wrote to memory of 2712	2696	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\OverwatchWebcam Win64 v.0.4-97\OverwatchWebcam_Data\StreamingAssets\aa\StandaloneWindows64\actionsce.bundle"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\OverwatchWebcam Win64 v.0.4-97\OverwatchWebcam_Data\StreamingAssets\aa\StandaloneWindows64\actionsce.bundle
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\OverwatchWebcam Win64 v.0.4-97\OverwatchWebcam_Data\StreamingAssets\aa\StandaloneWindows64\actionsce.bundle"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
c6e167f8e5d8e6b0c7ea21a531f4ebd8

SHA1
a79c73740ad961d04f9b1efb6758e71373861e4d

SHA256
c62b126888666e458b184310dc0993b3cf977d24cdf8d682e71f78f5cb7b904c

SHA512
daa625417366fb97f750377e70ec46c60404ce891dfc87fc99c1f1853ed7e5ac942e729b0a4087b4ccc0e1453a5ea46ff9ea8eee75f9b52e286da1ce4d3e78d6

Download Submit