Analysis
max time kernel: 110s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 13:56
Static task: static1
Behavioral task: behavioral1
  Sample: 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe
  Resource: win10v2004-20241007-en
General
Target: 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe
Size: 70KB
MD5: c5d1a9f4c4f854393c9fa13c42073607
SHA1: a3845a005475709a09efa229e7ee84e9b4bb7861
SHA256: 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d
SHA512: 18e4548f96f7a1c03d970dc9d4d10f2da849126ad2ef92b1c50a37b355013d245954f1a129b837a1c24acea1efdd7e657344c3217a02971b48edb3c0fc8e1aca
SSDEEP: 1536:OkVxqmQSMvEhyEwhND3ugqqM/D2XkQ5XRBMtxKvYxV8:OsftMvLdnD3ZFK2XL57MtxgYY
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | webcam_plugin.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IExploreupdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsot_Centre\\lqservicevk.exe" | webcam_plugin.exe
- Deletes itself (1 IoCs)
  pid | Process
  2772 | cmd.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  704 | webcam_plugin.exe
  2244 | webcam_plugin.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2544 | 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe
  704 | webcam_plugin.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | webcam_plugin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | webcam_plugin.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  2244 | webcam_plugin.exe
  2244 | webcam_plugin.exe
  2244 | webcam_plugin.exe
  2244 | webcam_plugin.exe
  2244 | webcam_plugin.exe
  2244 | webcam_plugin.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2544 wrote to memory of 704 | 2544 | 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | 29
  PID 2544 wrote to memory of 704 | 2544 | 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | 29
  PID 2544 wrote to memory of 704 | 2544 | 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | 29
  PID 2544 wrote to memory of 704 | 2544 | 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | 29
  PID 704 wrote to memory of 2244 | 704 | webcam_plugin.exe | 30
  PID 704 wrote to memory of 2244 | 704 | webcam_plugin.exe | 30
  PID 704 wrote to memory of 2244 | 704 | webcam_plugin.exe | 30
  PID 704 wrote to memory of 2244 | 704 | webcam_plugin.exe | 30
  PID 2544 wrote to memory of 2772 | 2544 | 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | 32
  PID 2544 wrote to memory of 2772 | 2544 | 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | 32
  PID 2544 wrote to memory of 2772 | 2544 | 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | 32
  PID 2544 wrote to memory of 2772 | 2544 | 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | 32
Processes
1. C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe"
   PID: 2544
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\webcam_plugin.exe
      Command line: C:\Users\Admin\AppData\Roaming\webcam_plugin.exe
      PID: 704
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe
         Command line: C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe
         PID: 2244
         - Adds policy Run key to start application
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c UNISTA~1.BAT
      PID: 2772
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 88B
  MD5: 5c30aba45a5f3570dbe03c201211639f
  SHA1: 026a47d682dc18d3dc82eaad16dfc1c7f86a9ad3
  SHA256: 2b90b9108ea7e3040dcb6dbceae60b34e23d35bbaf717c7a616f2af19e6f6468
  SHA512: d6eabc5f43ce9ff7cad8659531e3d8ec2d35d01c4bff13f53d5f226f726f869b2a0c8ab22a87d28a77a0c3acbe5191ab3d944863709d2b6767545c9af78c77e2
- Filesize: 70KB
  MD5: 5c7f9a19211d6c94f3e9f68e826e7001
  SHA1: 2264deb1fce291628e8f84446d6b4893c876b591
  SHA256: 80b3f898385f4a3a4c67c0afe8a866b64174d1638c0705fb53c17b653b066f37
  SHA512: 8e1c11ca54edc176755f20bd743e5d2ceec441414b82e9a62a196f29b9479d9c71e56e701a0c66a873ef6ed006a5dcf100cf1baf20423b8528eca0ef5ede50e3