Analysis
max time kernel: 110s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 13:56
Static task: static1
Behavioral task: behavioral1
  Sample: 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe
  Resource: win10v2004-20241007-en
General
Target: 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe
Size: 70KB
MD5: c5d1a9f4c4f854393c9fa13c42073607
SHA1: a3845a005475709a09efa229e7ee84e9b4bb7861
SHA256: 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d
SHA512: 18e4548f96f7a1c03d970dc9d4d10f2da849126ad2ef92b1c50a37b355013d245954f1a129b837a1c24acea1efdd7e657344c3217a02971b48edb3c0fc8e1aca
SSDEEP: 1536:OkVxqmQSMvEhyEwhND3ugqqM/D2XkQ5XRBMtxKvYxV8:OsftMvLdnD3ZFK2XL57MtxgYY
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: webcam_plugin.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IExploreupdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsot_Centre\\directzqt.exe" (process: webcam_plugin.exe)

Executes dropped EXE (2 IoCs)
  PID 1732: webcam_plugin.exe
  PID 2756: webcam_plugin.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: webcam_plugin.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: webcam_plugin.exe)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 2756: webcam_plugin.exe (12 occurrences)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2424 (4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe) wrote to memory of PID 1732, procid_target 83 (3 occurrences)
  PID 1732 (webcam_plugin.exe) wrote to memory of PID 2756, procid_target 84 (3 occurrences)
  PID 2424 (4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe) wrote to memory of PID 2444, procid_target 104 (3 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe"
  PID: 2424
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\webcam_plugin.exe
    Command line: C:\Users\Admin\AppData\Roaming\webcam_plugin.exe
    PID: 1732
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe
      PID: 2756
      - Adds policy Run key to start application
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c UNISTA~1.BAT
    PID: 2444
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 88B
MD5: 5c30aba45a5f3570dbe03c201211639f
SHA1: 026a47d682dc18d3dc82eaad16dfc1c7f86a9ad3
SHA256: 2b90b9108ea7e3040dcb6dbceae60b34e23d35bbaf717c7a616f2af19e6f6468
SHA512: d6eabc5f43ce9ff7cad8659531e3d8ec2d35d01c4bff13f53d5f226f726f869b2a0c8ab22a87d28a77a0c3acbe5191ab3d944863709d2b6767545c9af78c77e2

Filesize: 70KB
MD5: 0e9f3d5984c0dd66a119827f059c37dc
SHA1: ae073559b8835016c2e9e9e26c4ba6e0596d4c66
SHA256: 7f4d8a10c95b697cf6ace524ae3daf07bfcd5693f4edd860093dec7ebf189859
SHA512: 2ea5618653187b9a934e9c0109158e9ec9af2eef7dddb2c609b9763064fcff855921b1a479159a0e1121c7a019b32df57b5c24d7e86ddbeb44a55ea845b89baf