Malware Analysis Report

2025-08-06 02:16

Sample ID 241112-q8xfgaxkhn
Target 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe
SHA256 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d
Tags: discovery, persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d

Threat Level: Likely malicious

The file 4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe was found to be: Likely malicious.

Observed chain (from the two behavioral runs below): the sample, executed from %LOCALAPPDATA%\Temp, writes webcam_plugin.exe to %APPDATA% and runs it; that copy starts a second copy from %APPDATA%\Microsot_Centre\ (a directory name that misspells "Microsoft"), which creates HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run and sets the value IExploreupdate to an executable under that directory whose name differs per run (directzqt.exe on Windows 10, lqservicevk.exe on Windows 7). The original sample then launches cmd.exe /c UNISTA~1.BAT, the 8.3 short name of the dropped Unistalliveshows.bat, which the Windows 7 run flags as the self-deletion step. The only network activity recorded is DNS resolution through 8.8.8.8 for savudenko.org, sava80.co.ua and mh29.mobyhost.ru; no connection to the resolved hosts appears in either run, so the command-and-control protocol is not characterized here.

Three points for triage: the Policies\Explorer\Run key is a Group Policy autostart location separate from the Run/RunOnce keys, so sweeps that only enumerate Run/RunOnce will miss it; the dropped webcam_plugin.exe has a different SHA256 in each run, so hashes of the dropped stage are weak indicators on their own; and "Loads dropped DLL" appears in the summary below without a matching entry in either behavioral signature list.

Malicious Activity Summary

discovery persistence

Adds policy Run key to start application

Executes dropped EXE

Deletes itself

Loads dropped DLL

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 13:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 13:56

Reported

2024-11-12 13:58

Platform

win10v2004-20241007-en

Max time kernel

110s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe"

Signatures

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IExploreupdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsot_Centre\\directzqt.exe" | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\webcam_plugin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\webcam_plugin.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2424 wrote to memory of 1732 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | C:\Users\Admin\AppData\Roaming\webcam_plugin.exe
PID 1732 wrote to memory of 2756 (3 events) | N/A | C:\Users\Admin\AppData\Roaming\webcam_plugin.exe | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe
PID 2424 wrote to memory of 2444 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | C:\Windows\SysWOW64\cmd.exe

Every write here goes from a parent into a child it has just spawned. That is consistent with ordinary child start-up, but also with writing a payload into a suspended child (process hollowing); the signature alone does not distinguish the two. The memory dumps of PID 2756 in this run (and PID 2244 in the Windows 7 run) covering 0x00400000-0x0041A000, listed under Files, are where to check whether the image in the child matches the file on disk.

Processes

C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe

"C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe"

C:\Users\Admin\AppData\Roaming\webcam_plugin.exe

C:\Users\Admin\AppData\Roaming\webcam_plugin.exe

C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe

C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c UNISTA~1.BAT

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | savudenko.org | udp
US | 8.8.8.8:53 | sava80.co.ua | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

The in-addr.arpa entries are reverse (PTR) lookups, typically generated by the sandbox platform or by Windows itself rather than by the sample, and should not be used as indicators. The two forward lookups (savudenko.org, sava80.co.ua) are the network IOCs from this run; no connection to a resolved address is recorded.

Files

C:\Users\Admin\AppData\Roaming\webcam_plugin.exe

MD5 0e9f3d5984c0dd66a119827f059c37dc
SHA1 ae073559b8835016c2e9e9e26c4ba6e0596d4c66
SHA256 7f4d8a10c95b697cf6ace524ae3daf07bfcd5693f4edd860093dec7ebf189859
SHA512 2ea5618653187b9a934e9c0109158e9ec9af2eef7dddb2c609b9763064fcff855921b1a479159a0e1121c7a019b32df57b5c24d7e86ddbeb44a55ea845b89baf

memory/2756-9-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Unistalliveshows.bat

MD5 5c30aba45a5f3570dbe03c201211639f
SHA1 026a47d682dc18d3dc82eaad16dfc1c7f86a9ad3
SHA256 2b90b9108ea7e3040dcb6dbceae60b34e23d35bbaf717c7a616f2af19e6f6468
SHA512 d6eabc5f43ce9ff7cad8659531e3d8ec2d35d01c4bff13f53d5f226f726f869b2a0c8ab22a87d28a77a0c3acbe5191ab3d944863709d2b6767545c9af78c77e2

memory/2756-18-0x0000000000400000-0x000000000041A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 13:56

Reported

2024-11-12 13:58

Platform

win7-20240729-en

Max time kernel

110s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe"

Signatures

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IExploreupdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsot_Centre\\lqservicevk.exe" | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\webcam_plugin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\webcam_plugin.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2544 wrote to memory of 704 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | C:\Users\Admin\AppData\Roaming\webcam_plugin.exe
PID 704 wrote to memory of 2244 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\webcam_plugin.exe | C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe
PID 2544 wrote to memory of 2772 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe

"C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe"

C:\Users\Admin\AppData\Roaming\webcam_plugin.exe

C:\Users\Admin\AppData\Roaming\webcam_plugin.exe

C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe

C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c UNISTA~1.BAT

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | sava80.co.ua | udp
US | 8.8.8.8:53 | mh29.mobyhost.ru | udp

Files

\Users\Admin\AppData\Roaming\webcam_plugin.exe

MD5 5c7f9a19211d6c94f3e9f68e826e7001
SHA1 2264deb1fce291628e8f84446d6b4893c876b591
SHA256 80b3f898385f4a3a4c67c0afe8a866b64174d1638c0705fb53c17b653b066f37
SHA512 8e1c11ca54edc176755f20bd743e5d2ceec441414b82e9a62a196f29b9479d9c71e56e701a0c66a873ef6ed006a5dcf100cf1baf20423b8528eca0ef5ede50e3

memory/2244-13-0x0000000000400000-0x000000000041A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Unistalliveshows.bat

MD5 5c30aba45a5f3570dbe03c201211639f
SHA1 026a47d682dc18d3dc82eaad16dfc1c7f86a9ad3
SHA256 2b90b9108ea7e3040dcb6dbceae60b34e23d35bbaf717c7a616f2af19e6f6468
SHA512 d6eabc5f43ce9ff7cad8659531e3d8ec2d35d01c4bff13f53d5f226f726f869b2a0c8ab22a87d28a77a0c3acbe5191ab3d944863709d2b6767545c9af78c77e2

memory/2244-27-0x0000000000400000-0x000000000041A000-memory.dmp
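The following is an added example, not part of the sandbox report or of the sample: a Python routine that turns the behaviours recorded in both runs above into detection logic and runs it over constructed Sysmon-style events. The paths, registry key, value name, hashes and domains are taken from the report; the event dictionaries themselves, the explorer.exe and svchost.exe parents and the two benign control entries (a Program Files policy Run entry and a PTR lookup) are made up for the example. The short_name_8_3 helper is an approximation of how Windows derives an 8.3 alias and is what ties cmd /c UNISTA~1.BAT back to the dropped Unistalliveshows.bat.

```python
"""Detection rules derived from this report, run over constructed
Sysmon-style events. Added example; not sandbox output or sample code."""
import re

# Indicators transcribed from the report.
IOC_DOMAINS = {"savudenko.org", "sava80.co.ua", "mh29.mobyhost.ru"}
IOC_SHA256 = {
    "4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d",  # submitted sample
    "7f4d8a10c95b697cf6ace524ae3daf07bfcd5693f4edd860093dec7ebf189859",  # webcam_plugin.exe, win10 run
    "80b3f898385f4a3a4c67c0afe8a866b64174d1638c0705fb53c17b653b066f37",  # webcam_plugin.exe, win7 run
    "2b90b9108ea7e3040dcb6dbceae60b34e23d35bbaf717c7a616f2af19e6f6468",  # Unistalliveshows.bat
}
POLICY_RUN = r"hklm\software\microsoft\windows\currentversion\policies\explorer\run"
# Directories an unprivileged user can write to; legitimate policy Run
# entries point at Program Files or Windows, not here.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(roaming|local)\\", re.I)
CMD_BAT = re.compile(r'\bcmd(\.exe)?"?\s+/c\s+"?([^\s"]+\.bat)', re.I)


def normalize_key(path: str) -> str:
    """Map the kernel spelling used in the report (\\REGISTRY\\MACHINE\\...)
    and the Sysmon spelling (HKLM\\...) onto one lower-case form."""
    p = path.lower()
    for prefix in ("\\registry\\machine\\", "hkey_local_machine\\"):
        if p.startswith(prefix):
            return "hklm\\" + p[len(prefix):]
    return p


def short_name_8_3(long_name: str) -> str:
    """Approximate the DOS 8.3 alias Windows creates for a long file name.
    Only the common NAME~1 form is modelled (first six legal characters of
    the stem, '~1', first three of the extension); NTFS switches to a hashed
    alias after several collisions, which is deliberately not modelled.
    Unistalliveshows.bat -> UNISTA~1.BAT
    """
    stem, dot, ext = long_name.rpartition(".")
    if not dot:
        stem, ext = ext, ""

    def legal(s: str) -> str:
        return re.sub(r"[^A-Z0-9$%'\-_@~`!(){}^#&]", "", s.upper())

    stem, ext = legal(stem), legal(ext)[:3]
    if len(stem) > 8:
        stem = stem[:6] + "~1"
    return stem + ("." + ext if ext else "")


def run_detections(events):
    """Apply the report's behaviours as rules over Sysmon-style event dicts
    and return (rule, detail) tuples, one per hit, in event order."""
    # Index dropped .bat files under both their long and 8.3 names so that
    # "cmd /c UNISTA~1.BAT" can be tied back to Unistalliveshows.bat.
    bat_files = {}
    for e in events:
        if e["event"] == "file_create" and e["path"].lower().endswith(".bat"):
            name = e["path"].rsplit("\\", 1)[-1]
            bat_files[name.upper()] = e["path"]
            bat_files[short_name_8_3(name)] = e["path"]

    hits = []
    for e in events:
        kind = e["event"]
        if kind == "registry_set":
            key = normalize_key(e["target"])
            if key.startswith(POLICY_RUN + "\\") and USER_WRITABLE.search(e["details"]):
                hits.append(("policy_run_key_to_user_dir", f"{key} -> {e['details']}"))
        elif kind == "process_create":
            if e.get("sha256") in IOC_SHA256:
                hits.append(("known_hash", e["image"]))
            m = CMD_BAT.search(e["command_line"])
            if m and USER_WRITABLE.search(e["parent_image"]):
                arg = m.group(2).rsplit("\\", 1)[-1].upper()
                hits.append(("cmd_runs_dropped_bat",
                             f"{e['parent_image']} -> {bat_files.get(arg, m.group(2))}"))
        elif kind == "dns_query" and e["query"].lower().rstrip(".") in IOC_DOMAINS:
            hits.append(("ioc_domain", f"{e['image']} -> {e['query']}"))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d.exe"
PLUGIN = r"C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe"

# Constructed events mirroring the behavioral2 (win10) run, plus two benign
# controls; these are made up for the example, not sandbox output.
EVENTS = [
    {"event": "process_create", "image": SAMPLE, "command_line": f'"{SAMPLE}"',
     "parent_image": r"C:\Windows\explorer.exe",
     "sha256": "4efd17292299babf4e79591ceb5b677fc2383d1c5e6fc92984f7cd46c98cdb9d"},
    {"event": "file_create", "image": SAMPLE,
     "path": r"C:\Users\Admin\AppData\Local\Temp\Unistalliveshows.bat"},
    {"event": "registry_set", "image": PLUGIN,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IExploreupdate",
     "details": r"C:\Users\Admin\AppData\Roaming\Microsot_Centre\directzqt.exe"},
    {"event": "registry_set", "image": r"C:\Program Files\Vendor\setup.exe",  # benign control
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Agent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
    {"event": "process_create", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r"C:\Windows\system32\cmd.exe /c UNISTA~1.BAT", "parent_image": SAMPLE},
    {"event": "dns_query", "image": PLUGIN, "query": "savudenko.org"},
    {"event": "dns_query", "image": r"C:\Windows\System32\svchost.exe",  # benign control
     "query": "83.210.23.2.in-addr.arpa"},
]

if __name__ == "__main__":
    for rule, detail in run_detections(EVENTS):
        print(f"{rule:28} {detail}")
```

Running it yields four hits (known_hash, policy_run_key_to_user_dir, cmd_runs_dropped_bat, ioc_domain) and none for the two controls. The policy Run rule keys on the data pointing into a user-writable directory rather than on the value name, because IExploreupdate and the target file name are attacker-chosen and vary between runs; the batch rule keys on the parent living in a user-writable directory for the same reason.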