Analysis Overview
SHA256
4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d
Threat Level: Likely malicious
The file 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe was found to be: Likely malicious.
Malicious Activity Summary
Adds policy Run key to start application
Executes dropped EXE
Deletes itself
Loads dropped DLL
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 13:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 13:56
Reported
2024-11-12 13:58
Platform
win10v2004-20241007-en
Max time kernel
110s
Max time network
97s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IExploreupdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsot_Centre\\directzqt.exe" | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\webcam_plugin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | "C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe" |
| C:\Users\Admin\AppData\Roaming\webcam_plugin.exe | C:\Users\Admin\AppData\Roaming\webcam_plugin.exe |
| C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c UNISTA~1.BAT |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | savudenko.org | udp |
| US | 8.8.8.8:53 | sava80.co.ua | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\webcam_plugin.exe
| MD5 | 0e9f3d5984c0dd66a119827f059c37dc |
| SHA1 | ae073559b8835016c2e9e9e26c4ba6e0596d4c66 |
| SHA256 | 7f4d8a10c95b697cf6ace524ae3daf07bfcd5693f4edd860093dec7ebf189859 |
| SHA512 | 2ea5618653187b9a934e9c0109158e9ec9af2eef7dddb2c609b9763064fcff855921b1a479159a0e1121c7a019b32df57b5c24d7e86ddbeb44a55ea845b89baf |
memory/2756-9-0x0000000000400000-0x000000000041A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unistalliveshows.bat
| MD5 | 5c30aba45a5f3570dbe03c201211639f |
| SHA1 | 026a47d682dc18d3dc82eaad16dfc1c7f86a9ad3 |
| SHA256 | 2b90b9108ea7e3040dcb6dbceae60b34e23d35bbaf717c7a616f2af19e6f6468 |
| SHA512 | d6eabc5f43ce9ff7cad8659531e3d8ec2d35d01c4bff13f53d5f226f726f869b2a0c8ab22a87d28a77a0c3acbe5191ab3d944863709d2b6767545c9af78c77e2 |
memory/2756-18-0x0000000000400000-0x000000000041A000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 13:56
Reported
2024-11-12 13:58
Platform
win7-20240729-en
Max time kernel
110s
Max time network
17s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IExploreupdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsot_Centre\\lqservicevk.exe" | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\webcam_plugin.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\webcam_plugin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | "C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe" |
| C:\Users\Admin\AppData\Roaming\webcam_plugin.exe | C:\Users\Admin\AppData\Roaming\webcam_plugin.exe |
| C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe |
| C:\Windows\SysWOW64\cmd.exe | cmd /c UNISTA~1.BAT |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sava80.co.ua | udp |
| US | 8.8.8.8:53 | mh29.mobyhost.ru | udp |
Files
\Users\Admin\AppData\Roaming\webcam_plugin.exe
| MD5 | 5c7f9a19211d6c94f3e9f68e826e7001 |
| SHA1 | 2264deb1fce291628e8f84446d6b4893c876b591 |
| SHA256 | 80b3f898385f4a3a4c67c0afe8a866b64174d1638c0705fb53c17b653b066f37 |
| SHA512 | 8e1c11ca54edc176755f20bd743e5d2ceec441414b82e9a62a196f29b9479d9c71e56e701a0c66a873ef6ed006a5dcf100cf1baf20423b8528eca0ef5ede50e3 |
memory/2244-13-0x0000000000400000-0x000000000041A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Unistalliveshows.bat
| MD5 | 5c30aba45a5f3570dbe03c201211639f |
| SHA1 | 026a47d682dc18d3dc82eaad16dfc1c7f86a9ad3 |
| SHA256 | 2b90b9108ea7e3040dcb6dbceae60b34e23d35bbaf717c7a616f2af19e6f6468 |
| SHA512 | d6eabc5f43ce9ff7cad8659531e3d8ec2d35d01c4bff13f53d5f226f726f869b2a0c8ab22a87d28a77a0c3acbe5191ab3d944863709d2b6767545c9af78c77e2 |
memory/2244-27-0x0000000000400000-0x000000000041A000-memory.dmp
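Triage notes on the two detonations above, as an added example that is not part of the sandbox report. Both runs write the same persistence entry, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IExploreupdate, from the copy of webcam_plugin.exe in %APPDATA%\Microsot_Centre, but the value points at a file whose name differs per run (directzqt.exe on win10, lqservicevk.exe on win7) and that appears in neither Files list; the dropped webcam_plugin.exe also has a different hash in each run, while Unistalliveshows.bat is identical. The self-delete step is launched as cmd /c UNISTA~1.BAT, the 8.3 short name of that batch file, so a command-line rule keyed on the long name Unistalliveshows.bat would not fire. The script below parses the "Set value (str)" indicators into HKLM form and flags what makes the entry suspicious (autorun key, user-writable target, vendor-lookalike directory name), and resolves 8.3 short names in the cmd.exe command lines against the dropped files. The indicator strings, paths and command lines are copied from the tables above; the vendor list, the edit-distance threshold and the simplified 8.3 generation rule (first six characters of the stem, ~1, first three of the extension, no collisions) are assumptions for illustration.

```python
import re
from typing import NamedTuple

# Indicator strings copied from the Signatures tables of the win10 and win7 runs.
WIN10_RUN_INDICATOR = (
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    r'\IExploreupdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsot_Centre\\directzqt.exe"'
)
WIN7_RUN_INDICATOR = (
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    r'\IExploreupdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsot_Centre\\lqservicevk.exe"'
)
# Dropped files and cmd.exe command lines copied from the Files / Processes sections.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Roaming\webcam_plugin.exe",
    r"C:\Users\Admin\AppData\Local\Temp\Unistalliveshows.bat",
]
CMDLINES = [r"C:\Windows\system32\cmd.exe /c UNISTA~1.BAT", r"cmd /c UNISTA~1.BAT"]

# NT object-manager hive prefixes (as the sandbox logs them) -> reg.exe/PowerShell names.
HIVE_MAP = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}
AUTORUN_KEYS_UPPER = {
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN",
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
BRANDS = ("microsoft", "windows", "google", "adobe")   # assumption: vendor names worth a lookalike check
INDICATOR_RE = re.compile(r'^(?P<hive>\\REGISTRY\\[A-Z]+)\\(?P<key>.+)\\(?P<name>[^\\ ]+) = "(?P<data>.*)"$')
SHORT_NAME_RE = re.compile(r"\b[A-Z0-9_\-]{1,6}~\d+(?:\.[A-Z0-9]{1,3})?\b", re.IGNORECASE)
SHORT_BASE_RE = re.compile(r"([A-Z0-9_\-]{1,6})~\d+")


class RunEntry(NamedTuple):
    hive: str
    key: str
    value_name: str
    data: str


def parse_run_indicator(indicator: str) -> RunEntry:
    """Split a 'Set value (str)' indicator into hive, key, value name and unescaped data."""
    m = INDICATOR_RE.match(indicator)
    if not m:
        raise ValueError(f"not a Set value indicator: {indicator!r}")
    hive = HIVE_MAP.get(m.group("hive"), m.group("hive"))
    # The sandbox doubles backslashes inside the quoted data; undo that.
    return RunEntry(hive, m.group("key"), m.group("name"), m.group("data").replace("\\\\", "\\"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-misses such as 'Microsot' for 'Microsoft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_components(path: str) -> list[str]:
    """Directory names (not the file name) within edit distance 1..2 of a vendor name."""
    hits = []
    for component in path.split("\\")[:-1]:
        for token in re.split(r"[ _\-.]", component.lower()):
            if any(0 < edit_distance(token, brand) <= 2 for brand in BRANDS):
                hits.append(component)
                break
    return hits


def triage_run_entry(entry: RunEntry) -> list[str]:
    """Reasons an autorun value deserves attention; an empty list means nothing stood out."""
    reasons = []
    if entry.key.upper() in AUTORUN_KEYS_UPPER:
        reasons.append(f"autorun location {entry.hive}\\{entry.key}")
    if "POLICIES\\EXPLORER\\RUN" in entry.key.upper():
        reasons.append("policy Run key, less often covered by Run-key baselines than CurrentVersion\\Run")
    if USER_WRITABLE.search(entry.data):
        reasons.append("target is in a user-writable AppData path: " + entry.data)
    for comp in lookalike_components(entry.data):
        reasons.append(f"vendor-lookalike directory name {comp!r}")
    return reasons


def matches_short_name(short: str, long_name: str) -> bool:
    """Can the 8.3 name `short` (e.g. UNISTA~1.BAT) denote `long_name`? Simplified rule (assumption):
    stem = first 6 chars of the long base name with spaces/dots removed, upper-cased, then ~N;
    extension = first 3 chars of the long extension."""
    short_base, _, short_ext = short.upper().partition(".")
    m = SHORT_BASE_RE.fullmatch(short_base)
    if not m:
        return False
    long_base, long_ext = long_name.rsplit(".", 1) if "." in long_name else (long_name, "")
    stem = re.sub(r"[ .]", "", long_base).upper()
    return stem[:6] == m.group(1) and long_ext.upper()[:3] == short_ext


def resolve_short_names(cmdline: str, dropped_files: list[str]) -> dict[str, list[str]]:
    """Map each 8.3 token in a command line to the dropped files it can refer to."""
    return {
        short: [p for p in dropped_files if matches_short_name(short, p.rsplit("\\", 1)[-1])]
        for short in SHORT_NAME_RE.findall(cmdline)
    }


if __name__ == "__main__":
    for indicator in (WIN10_RUN_INDICATOR, WIN7_RUN_INDICATOR):
        entry = parse_run_indicator(indicator)
        print(f"{entry.hive}\\{entry.key}\\{entry.value_name} -> {entry.data}")
        for reason in triage_run_entry(entry):
            print("   -", reason)
    for cmd in CMDLINES:
        print(cmd, "=>", resolve_short_names(cmd, DROPPED_FILES))
```

For detection, key on the registry write itself (a process under %APPDATA% creating a value under HKLM\...\Policies\Explorer\Run) rather than on the per-run file name the value points to, and normalise 8.3 tokens in command lines before matching them against file names, since both runs invoke the batch file only by its short name.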