Analysis

  • max time kernel
    110s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 13:56

General

  • Target

    4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe

  • Size

    70KB

  • MD5

    c5d1a9f4c4f854393c9fa13c42073607

  • SHA1

    a3845a005475709a09efa229e7ee84e9b4bb7861

  • SHA256

    4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d

  • SHA512

    18e4548f96f7a1c03d970dc9d4d10f2da849126ad2ef92b1c50a37b355013d245954f1a129b837a1c24acea1efdd7e657344c3217a02971b48edb3c0fc8e1aca

  • SSDEEP

    1536:OkVxqmQSMvEhyEwhND3ugqqM/D2XkQ5XRBMtxKvYxV8:OsftMvLdnD3ZFK2XL57MtxgYY

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe
    "C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Users\Admin\AppData\Roaming\webcam_plugin.exe
      C:\Users\Admin\AppData\Roaming\webcam_plugin.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:704
      • C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe
        C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2244
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c UNISTA~1.BAT
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Unistalliveshows.bat
    Filesize: 88B
    MD5: 5c30aba45a5f3570dbe03c201211639f
    SHA1: 026a47d682dc18d3dc82eaad16dfc1c7f86a9ad3
    SHA256: 2b90b9108ea7e3040dcb6dbceae60b34e23d35bbaf717c7a616f2af19e6f6468
    SHA512: d6eabc5f43ce9ff7cad8659531e3d8ec2d35d01c4bff13f53d5f226f726f869b2a0c8ab22a87d28a77a0c3acbe5191ab3d944863709d2b6767545c9af78c77e2

  • \Users\Admin\AppData\Roaming\webcam_plugin.exe
    Filesize: 70KB
    MD5: 5c7f9a19211d6c94f3e9f68e826e7001
    SHA1: 2264deb1fce291628e8f84446d6b4893c876b591
    SHA256: 80b3f898385f4a3a4c67c0afe8a866b64174d1638c0705fb53c17b653b066f37
    SHA512: 8e1c11ca54edc176755f20bd743e5d2ceec441414b82e9a62a196f29b9479d9c71e56e701a0c66a873ef6ed006a5dcf100cf1baf20423b8528eca0ef5ede50e3

  • memory/2244-13-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/2244-27-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB