Analysis

  • max time kernel
    110s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2024, 13:56

General

  • Target

    4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe

  • Size

    70KB

  • MD5

    c5d1a9f4c4f854393c9fa13c42073607

  • SHA1

    a3845a005475709a09efa229e7ee84e9b4bb7861

  • SHA256

    4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d

  • SHA512

    18e4548f96f7a1c03d970dc9d4d10f2da849126ad2ef92b1c50a37b355013d245954f1a129b837a1c24acea1efdd7e657344c3217a02971b48edb3c0fc8e1aca

  • SSDEEP

    1536:OkVxqmQSMvEhyEwhND3ugqqM/D2XkQ5XRBMtxKvYxV8:OsftMvLdnD3ZFK2XL57MtxgYY

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe
    "C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Users\Admin\AppData\Roaming\webcam_plugin.exe
      C:\Users\Admin\AppData\Roaming\webcam_plugin.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe
        C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2756
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c UNISTA~1.BAT
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2444

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Unistalliveshows.bat

          Filesize

          88B

          MD5

          5c30aba45a5f3570dbe03c201211639f

          SHA1

          026a47d682dc18d3dc82eaad16dfc1c7f86a9ad3

          SHA256

          2b90b9108ea7e3040dcb6dbceae60b34e23d35bbaf717c7a616f2af19e6f6468

          SHA512

          d6eabc5f43ce9ff7cad8659531e3d8ec2d35d01c4bff13f53d5f226f726f869b2a0c8ab22a87d28a77a0c3acbe5191ab3d944863709d2b6767545c9af78c77e2

        • C:\Users\Admin\AppData\Roaming\webcam_plugin.exe

          Filesize

          70KB

          MD5

          0e9f3d5984c0dd66a119827f059c37dc

          SHA1

          ae073559b8835016c2e9e9e26c4ba6e0596d4c66

          SHA256

          7f4d8a10c95b697cf6ace524ae3daf07bfcd5693f4edd860093dec7ebf189859

          SHA512

          2ea5618653187b9a934e9c0109158e9ec9af2eef7dddb2c609b9763064fcff855921b1a479159a0e1121c7a019b32df57b5c24d7e86ddbeb44a55ea845b89baf

        • memory/2756-9-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/2756-18-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB