Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

IEW113_2311a.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\Config.Msi\3b1c82.rbs

data

dropped

C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam_Driver.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Program Files\Sony\Imaging Edge Webcam\Driver\ImagingEdgeWebcam_Driver.inf

Windows setup INFormation

dropped

C:\Program Files\Sony\Imaging Edge Webcam\Driver\imagingedgewebcam.cat

data

dropped

C:\Program Files\Sony\Imaging Edge Webcam\EULA.rtf

Rich Text Format data, version 1, ANSI

dropped

C:\Program Files\Sony\Imaging Edge Webcam\ImagingEdgeWebcamLauncher.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files\Sony\Imaging Edge Webcam\License.txt

Unicode text, UTF-8 (with BOM) text, with very long lines (760), with CRLF line terminators

dropped

C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\Lja_PTP_USB.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\Lja_PTP_WIA.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Program Files\Sony\Imaging Edge Webcam\LjAdapter\libusb-1.0.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Program Files\Sony\Imaging Edge Webcam\LjCore.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Program Files\Sony\Imaging Edge Webcam\USBReset.exe

PE32+ executable (console) x86-64, for MS Windows

dropped

C:\Program Files\Sony\Imaging Edge Webcam\Webcam.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

C:\Program Files\Sony\Imaging Edge Webcam\default.jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], baseline, precision 8, 1024x576, components 3

dropped

C:\Program Files\Sony\Imaging Edge Webcam\mfc140u.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Program Files\Sony\Imaging Edge Webcam\mfcm140u.dll

PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files\Sony\Imaging Edge Webcam\msvcp140.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Program Files\Sony\Imaging Edge Webcam\vcruntime140.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Program Files\Sony\Imaging Edge Webcam\webcam_help.ico

MS Windows icon resource - 5 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 64x64, 32 bits/pixel

dropped

C:\Users\user\AppData\Local\Temp\MSIF12C.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\MSIF18A.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Package\SetupIEW.msi

Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Imaging Edge Webcam, Author: Sony Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Imaging Edge Webcam., Create Time/Date: Fri Oct 6 08:39:02 2023, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2, Template: x64;0, Last Saved By: x64;0, Revision Number: {77F8518A-144A-4DB2-80EB-C544B68375EE}1.1.03.10061;{95690A63-A7AD-4F7B-8CD3-F94BF8573A8E}1.1.03.10061;{28FB0552-E7A4-4193-ACA1-2CA8F06EC841}, Number of Pages: 300, Number of Characters: 0

dropped

C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Support\E8FF0748-2339-49f9-9A79-824D7561736C.cab

Microsoft Cabinet archive data, Windows 2000/XP setup, 4828811 bytes, 1 file, at 0x2c +AUtf? "SetupIEW.msi", number 1, 240 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Support\Settings.ini

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam.cat (copy)

data

dropped

C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam.dll (copy)

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam_Driver.dll (copy)

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam_Driver.inf (copy)

Windows setup INFormation

dropped

C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\SET25F7.tmp

data

dropped

C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\SET2618.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\SET2638.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\SET2658.tmp

Windows setup INFormation

dropped

C:\Windows\INF\c_camera.PNF

Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1728 "Signature", at 0x68 WinDirPath, LanguageID 809, at 0x80 language en-GB

dropped

C:\Windows\INF\setupapi.dev.log

Generic INItialization configuration [BeginLog]

dropped

C:\Windows\Installer\3b1c81.msi

dropped

C:\Windows\Installer\MSI1E56.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Windows\Installer\MSI1EC5.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI1F71.tmp

data

dropped

C:\Windows\Installer\MSI1F92.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI239A.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

modified

C:\Windows\Installer\SourceHash{77F8518A-144A-4DB2-80EB-C544B68375EE}

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Installer\inprogressinstallinfo.ipi

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

dropped

C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam.cat (copy)

data

dropped

C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam.dll (copy)

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam_Driver.dll (copy)

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam_Driver.inf (copy)

Windows setup INFormation

dropped

C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\SET27DC.tmp

data

dropped

C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\SET27EC.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\SET27FD.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\SET282D.tmp

Windows setup INFormation

dropped

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db

data

dropped

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

data

dropped

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db

data

dropped

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db

data

dropped

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db

data

dropped

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

data

dropped

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

data

dropped

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db

data

dropped

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

data

dropped

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db

data

dropped

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db

data

dropped

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

data

dropped

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db

data

dropped

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db

data

dropped

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db

data

dropped

C:\Windows\Temp\~DF078B503D22F595BD.TMP

data

dropped

C:\Windows\Temp\~DF374548108D8C982B.TMP

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Temp\~DF42DCA64EBD2EB59D.TMP

data

dropped

C:\Windows\Temp\~DF7C575039BFD3D0D1.TMP

data

dropped

There are 62 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\IEW113_2311a.exe

"C:\Users\user\Desktop\IEW113_2311a.exe"

C:\Users\user\Desktop\IEW113_2311a.exe

"C:\Users\user\Desktop\IEW113_2311a.exe" -run {192AB307-8DDD-45B1-BC93-D10838BCC13F} 0|Yes|No|C:\Windows\System32\msiexec.exe /i C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Package\SetupIEW.msi

C:\Windows\System32\rundll32.exe

rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{94bae122-cba7-1d4a-abe9-55200fb5c9ba} Global\{f15111e6-e2a2-7143-bb08-c644d6dcff21} C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam_Driver.inf C:\Windows\System32\DriverStore\Temp\{3347bb72-55b2-694f-9e55-f9870c8dc803}\ImagingEdgeWebcam.cat

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i C:\Users\user\AppData\Local\Temp\SPackTool\{89B93025-7962-486C-9882-CB09CA156C38}\Package\SetupIEW.msi

C:\Windows\System32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

C:\Windows\System32\MsiExec.exe -Embedding 87308A77B4DC65560968A93A1904E71A C

C:\Windows\System32\msiexec.exe

C:\Windows\System32\MsiExec.exe -Embedding 026172C647FCA3CC45C109DD1CF65201

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 1F622DA67DE9472AD76099B184CCC342

C:\Windows\System32\msiexec.exe

C:\Windows\System32\MsiExec.exe -Embedding 41D4778385EEC697935AEB0EB737BBE8 E Global\MSI0000

C:\Windows\System32\cmd.exe

cmd /c pnputil /add-driver "C:\Program Files\Sony\Imaging Edge Webcam\Driver\*.inf" /install

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\pnputil.exe

pnputil /add-driver "C:\Program Files\Sony\Imaging Edge Webcam\Driver\*.inf" /install

C:\Windows\System32\drvinst.exe

DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{62ac3150-e217-504f-99b6-ba32b85dda90}\ImagingEdgeWebcam_Driver.inf" "9" "40c79f59f" "000000000000015C" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files\Sony\Imaging Edge Webcam\Driver"

There are 3 hidden processes, click here to show them.

URLs

Name

Malicious

http://libusb.infoneed

unknown

http://wixtoolset.org

unknown

https://github.com/microsoft/Windows-driver-samples)

unknown

http://www.gnu.org/licenses/lgpl-2.1.htmlF

unknown

https://oss.sony.net/Products/Linux/

unknown

http://libusb.info

unknown

https://support.d-imaging.sony.co.jp/app/webcam/l/instruction/index.php

unknown

Domains

Name

Malicious

56.163.245.4.in-addr.arpa

unknown

198.187.3.20.in-addr.arpa

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Config.Msi\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts

C:\Config.Msi\3b1c82.rbs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts

C:\Config.Msi\3b1c82.rbsLow

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\565B39C49C142B848B2611F6FE85CE1C