b3fdfe7275f7257b1d9974df94c5e6899bbd430bd52cd1602f40ae726c960c30

General

Target

b3fdfe7275f7257b1d9974df94c5e6899bbd430bd52cd1602f40ae726c960c30N.exe
Size

55KB
MD5

c6bbf963ac8813c64ee3b5fca047c870
SHA1

b5b8a5a6dab71983a706471e7a396ec94c219bc1
SHA256

b3fdfe7275f7257b1d9974df94c5e6899bbd430bd52cd1602f40ae726c960c30
SHA512

2c0aac9fb7b4382430711728b24d90cd99920a1e02b6ffc09e393dc8651cf62baa4602b67c1b767edf6ca128f3b1d2ac5dd16e0e30628f6e880ba88e05aed8d0
SSDEEP

768:m92omhryTtpkHT8C0wJuuJ+gCVNY5xBdeV6u3i01GFVmA:m6h2w39+jGfuoLR

Score

8^/10

discovery persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	webcam_plugin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IExploreupdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsot_Centre\\tutorialxpt.exe"	webcam_plugin.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
37	2236	Process not Found

Executes dropped EXE 2 IoCs

pid	Process
2396	webcam_plugin.exe
2092	webcam_plugin.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	webcam_plugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3fdfe7275f7257b1d9974df94c5e6899bbd430bd52cd1602f40ae726c960c30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	webcam_plugin.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1840	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2396	3032	b3fdfe7275f7257b1d9974df94c5e6899bbd430bd52cd1602f40ae726c960c30N.exe	88
PID 3032 wrote to memory of 2396	3032	b3fdfe7275f7257b1d9974df94c5e6899bbd430bd52cd1602f40ae726c960c30N.exe	88
PID 3032 wrote to memory of 2396	3032	b3fdfe7275f7257b1d9974df94c5e6899bbd430bd52cd1602f40ae726c960c30N.exe	88
PID 2396 wrote to memory of 2092	2396	webcam_plugin.exe	89
PID 2396 wrote to memory of 2092	2396	webcam_plugin.exe	89
PID 2396 wrote to memory of 2092	2396	webcam_plugin.exe	89
PID 3032 wrote to memory of 3156	3032	b3fdfe7275f7257b1d9974df94c5e6899bbd430bd52cd1602f40ae726c960c30N.exe	97
PID 3032 wrote to memory of 3156	3032	b3fdfe7275f7257b1d9974df94c5e6899bbd430bd52cd1602f40ae726c960c30N.exe	97
PID 3032 wrote to memory of 3156	3032	b3fdfe7275f7257b1d9974df94c5e6899bbd430bd52cd1602f40ae726c960c30N.exe	97

C:\Users\Admin\AppData\Local\Temp\b3fdfe7275f7257b1d9974df94c5e6899bbd430bd52cd1602f40ae726c960c30N.exe
"C:\Users\Admin\AppData\Local\Temp\b3fdfe7275f7257b1d9974df94c5e6899bbd430bd52cd1602f40ae726c960c30N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Roaming\webcam_plugin.exe
  C:\Users\Admin\AppData\Roaming\webcam_plugin.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe
    C:\Users\Admin\AppData\Roaming\Microsot_Centre\webcam_plugin.exe
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c UNINST~1.BAT
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3156

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NzRENEI2NEItRDBEQy00NkY1LTkyQ0EtMjI1RUNGRDFGOTFGfSIgdXNlcmlkPSJ7Njg5QTQ4NjAtQjkxQi00N0IxLThBNkQtNTlBRTJBOUVERDREfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NzY1NDhGOUYtNDc1MC00RTAzLTlGMzQtMUZCMkFBMERDQ0U2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDU3OTczNzk4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Uninstallwebcamplugin.bat

Filesize
93B

MD5
17a0aeb49a42773be1ad35513a9ef492

SHA1
ed3e33e5a208df6846e0d8bbbf45d0b0ebab62a6

SHA256
fcc09049ffd2045870595974c3887c42ac6b29041423cb8d1fb6ca92fe0dddcb

SHA512
d71df92766a748c22bafb64c848c0783add7dec88c482baa7fc85faaa9eea7311cc91f34c32c285abd48c44c130bf059fd56bf4b471144214ab2a005b823b750

Download Submit
C:\Users\Admin\AppData\Roaming\webcam_plugin.exe

Filesize
55KB

MD5
4f02fb69531d9bb5c7cd7c89887f22f5

SHA1
59de0b975a6dd0c538420210dab381db443b8a32

SHA256
5b3ff41a574bf3110dd08cfed176283a264a128e7a303c22538f14f95d7bb6d1

SHA512
cd5b1ad2b0c5615ca840e8e28c49ea59e783ca27f871c20e523ec263a87ad7668c9af667c317c7d6b3fcba19aef5182eaf0aa9765a5910c2f70515b558009de8

Download Submit
memory/2092-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads