EzvizStudioSetups(v2.0).exe
This report is generated from a file or URL submitted to this webservice on November 29th 2018 01:50:11 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware: Found a string that may be used as part of an injection method
- Persistence: Modifies auto-execute functionality by setting/creating a value in the registry; Spawns a lot of processes; Writes data to a remote process
- Fingerprint: Queries kernel debugger information; Queries process information; Queries sensitive IE security settings; Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Marks file for deletion
- Network Behavior: Contacts 1 host
MITRE ATT&CK™ Techniques Detection
Indicators
Malicious Indicators (3)
Installation/Persistence
Allocates virtual memory in a remote process
- details
"EzvizStudioSetups_v2.0_.tmp" allocated memory in "C:\Users\%USERNAME%\Desktop\Ezviz Studio.lnk"
"EzvizStudioSetups_v2.0_.tmp" allocated memory in "%PROGRAMFILES%\(x86)\Ezviz Studio\unins000.dat"
"EzvizStudioSetups_v2.0_.tmp" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN"
"update_server.tmp" allocated memory in "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\hicloud\update_server\Uninstall update_server.lnk"
"update_server.tmp" allocated memory in "C:\Program Files (x86)\hicloud\update_server\unins000.dat"
"startUp.exe" allocated memory in "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055
Writes data to a remote process
- details
"EzvizStudioSetups_v2.0_.exe" wrote 1500 bytes to a remote process "%TEMP%\is-MKA08.tmp\EzvizStudioSetups_v2.0_.tmp" (Handle: 196)
"EzvizStudioSetups_v2.0_.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-MKA08.tmp\EzvizStudioSetups_v2.0_.tmp" (Handle: 196)
"EzvizStudioSetups_v2.0_.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-MKA08.tmp\EzvizStudioSetups_v2.0_.tmp" (Handle: 196)
"EzvizStudioSetups_v2.0_.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-MKA08.tmp\EzvizStudioSetups_v2.0_.tmp" (Handle: 196)
"EzvizStudioSetups_v2.0_.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-MKA08.tmp\EzvizStudioSetups_v2.0_.tmp" (Handle: 196)
"EzvizStudioSetups_v2.0_.tmp" wrote 32 bytes to a remote process "C:\Program Files (x86)\Ezviz Studio\NpfDetectApp.exe" (Handle: 664)
"EzvizStudioSetups_v2.0_.tmp" wrote 52 bytes to a remote process "C:\Program Files (x86)\Ezviz Studio\NpfDetectApp.exe" (Handle: 664)
"EzvizStudioSetups_v2.0_.tmp" wrote 4 bytes to a remote process "C:\Program Files (x86)\Ezviz Studio\NpfDetectApp.exe" (Handle: 664)
"EzvizStudioSetups_v2.0_.tmp" wrote 8 bytes to a remote process "C:\Program Files (x86)\Ezviz Studio\NpfDetectApp.exe" (Handle: 664)
"EzvizStudioSetups_v2.0_.tmp" wrote 1500 bytes to a remote process "C:\Program Files (x86)\Ezviz Studio\update_server.exe" (Handle: 572)
"EzvizStudioSetups_v2.0_.tmp" wrote 4 bytes to a remote process "C:\Program Files (x86)\Ezviz Studio\update_server.exe" (Handle: 572)
"EzvizStudioSetups_v2.0_.tmp" wrote 8 bytes to a remote process "C:\Program Files (x86)\Ezviz Studio\update_server.exe" (Handle: 572)
"EzvizStudioSetups_v2.0_.tmp" wrote 32 bytes to a remote process "C:\Program Files (x86)\Ezviz Studio\update_server.exe" (Handle: 572)
"EzvizStudioSetups_v2.0_.tmp" wrote 52 bytes to a remote process "C:\Program Files (x86)\Ezviz Studio\update_server.exe" (Handle: 572)
"EzvizStudioSetups_v2.0_.tmp" wrote 32 bytes to a remote process "C:\Program Files (x86)\Ezviz Studio\EzvizProtect.exe" (Handle: 808)
"EzvizStudioSetups_v2.0_.tmp" wrote 52 bytes to a remote process "C:\Program Files (x86)\Ezviz Studio\EzvizProtect.exe" (Handle: 808)
"EzvizStudioSetups_v2.0_.tmp" wrote 4 bytes to a remote process "C:\Program Files (x86)\Ezviz Studio\EzvizProtect.exe" (Handle: 808)
"EzvizStudioSetups_v2.0_.tmp" wrote 8 bytes to a remote process "C:\Program Files (x86)\Ezviz Studio\EzvizProtect.exe" (Handle: 808)
"EzvizStudioSetups_v2.0_.tmp" wrote 32 bytes to a remote process "C:\Program Files (x86)\Ezviz Studio\EzvizProtect.exe" (Handle: 796)
"EzvizStudioSetups_v2.0_.tmp" wrote 52 bytes to a remote process "C:\Program Files (x86)\Ezviz Studio\EzvizProtect.exe" (Handle: 796)
"EzvizStudioSetups_v2.0_.tmp" wrote 4 bytes to a remote process "C:\Program Files (x86)\Ezviz Studio\EzvizProtect.exe" (Handle: 796)
"EzvizStudioSetups_v2.0_.tmp" wrote 8 bytes to a remote process "C:\Program Files (x86)\Ezviz Studio\EzvizProtect.exe" (Handle: 796)
"update_server.exe" wrote 1500 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-KC42G.tmp\update_server.tmp" (Handle: 196)
"update_server.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-KC42G.tmp\update_server.tmp" (Handle: 196)
"update_server.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-KC42G.tmp\update_server.tmp" (Handle: 196)
"update_server.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-KC42G.tmp\update_server.tmp" (Handle: 196)
"update_server.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-KC42G.tmp\update_server.tmp" (Handle: 196)
"update_server.tmp" wrote 52 bytes to a remote process "C:\Program Files (x86)\hicloud\update_server\ModProperties.exe" (Handle: 676)
"update_server.tmp" wrote 32 bytes to a remote process "C:\Program Files (x86)\hicloud\update_server\ModProperties.exe" (Handle: 676)
"update_server.tmp" wrote 4 bytes to a remote process "C:\Program Files (x86)\hicloud\update_server\ModProperties.exe" (Handle: 676)
"update_server.tmp" wrote 8 bytes to a remote process "C:\Program Files (x86)\hicloud\update_server\ModProperties.exe" (Handle: 676)
"update_server.tmp" wrote 32 bytes to a remote process "C:\Program Files (x86)\hicloud\update_server\startUp.exe" (Handle: 584)
"update_server.tmp" wrote 52 bytes to a remote process "C:\Program Files (x86)\hicloud\update_server\startUp.exe" (Handle: 584)
"update_server.tmp" wrote 4 bytes to a remote process "C:\Program Files (x86)\hicloud\update_server\startUp.exe" (Handle: 584)
"update_server.tmp" wrote 8 bytes to a remote process "C:\Program Files (x86)\hicloud\update_server\startUp.exe" (Handle: 584)
"startUp.exe" wrote 1500 bytes to a remote process "C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe" (Handle: 544)
"startUp.exe" wrote 4 bytes to a remote process "C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe" (Handle: 544)
"startUp.exe" wrote 8 bytes to a remote process "C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe" (Handle: 544)
"startUp.exe" wrote 32 bytes to a remote process "C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe" (Handle: 544)
"startUp.exe" wrote 52 bytes to a remote process "C:\Program Files (x86)\hicloud\update_server\SPUpDateServer.exe" (Handle: 544)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055
Unusual Characteristics
Spawns a lot of processes
- details
Spawned process "EzvizStudioSetups_v2.0_.exe"
Spawned process "EzvizStudioSetups_v2.0_.tmp" with commandline "/SL5="$70244,40298272,63488,C:\EzvizStudioSetups_v2.0_.exe""
Spawned process "NpfDetectApp.exe" with commandline "/q"
Spawned process "update_server.exe" with commandline "/VERYSILENT"
Spawned process "update_server.tmp" with commandline "/SL5="$70194,2352971,53760,%PROGRAMFILES%\(x86)\Ezviz Studio\update_server.exe" /VERYSILENT"
Spawned process "ModProperties.exe" with commandline "update_server"
Spawned process "startUp.exe"
Spawned process "SPUpDateServer.exe"
Spawned process "EzvizProtect.exe"
Spawned process "EzvizProtect.exe"
- source: Monitored Target
- relevance: 8/10
Suspicious Indicators (22)
Anti-Detection/Stealthiness
Queries kernel debugger information
- details
"SPUpDateServer.exe" at 00021460-00002764-00000033-344674036063
- source: API Call
- relevance: 6/10
Queries process information
- details
"update_server.tmp" queried SystemProcessInformation at 00018888-00003328-00000033-210977596159
"update_server.tmp" queried SystemProcessInformation at 00018888-00003328-00000033-211020438309
"startUp.exe" queried SystemProcessInformation at 00020039-00003584-00000033-263893230798
"SPUpDateServer.exe" queried SystemProcessInformation at 00021460-00002764-00000033-344853106278
- source: API Call
- relevance: 4/10
- ATT&CK ID: T1057
Environment Awareness
Reads the active computer name
- details
"EzvizStudioSetups_v2.0_.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"NpfDetectApp.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"update_server.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"startUp.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"SPUpDateServer.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012
Reads the cryptographic machine GUID
- details
"SPUpDateServer.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
General
Reads configuration files
- details
"EzvizStudioSetups_v2.0_.tmp" read file "%APPDATA%\Microsoft\Windows\Start Menu\desktop.ini"
"EzvizStudioSetups_v2.0_.tmp" read file "%APPDATA%\Microsoft\Windows\Start Menu\Programs\desktop.ini"
- source: API Call
- relevance: 4/10
Installation/Persistence
Modifies auto-execute functionality by setting/creating a value in the registry
- details
"update_server.tmp" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN")
"update_server.tmp" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "SPUPDATESERVERRUN"; Value: "%PROGRAMFILES%\(x86)\hicloud\update_server\startUp.exe")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1060
Network Related
Found potential IP address in binary/memory
- details
"1.0.1.20"
Heuristic match: "2018-11-29 04:20:00,687 [0x00000b54] ERROR SPUPDATE - GetVisionNodeInfo success ,path:SOFTWARE\shipin7\shipin7_update_server,Vision:1.0.1.20"
Heuristic match: "2018-11-29 04:21:00,406 [0x00000940] ERROR SPUPDATE - GetVisionNodeInfo success ,path:SOFTWARE\shipin7\shipin7_update_server,Vision:1.0.1.20"
Heuristic match: "2018-11-29 04:26:00,687 [0x00000940] ERROR SPUPDATE - GetVisionNodeInfo success ,path:SOFTWARE\shipin7\shipin7_update_server,Vision:1.0.1.20"
Heuristic match: "2018-11-29 04:26:00,734 [0x00000940] ERROR SPUPDATE - GetVisionNodeInfo success ,path:SOFTWARE\shipin7\shipin7_update_server,Vision:1.0.1.20"
- source: File/Memory
- relevance: 3/10
Sends traffic on typical HTTP outbound port, but without HTTP header
- details
TCP traffic to 54.156.168.153 on port 443 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10
System Destruction
Marks file for deletion
- details
"C:\EzvizStudioSetups_v2.0_.exe" marked "%TEMP%\is-MKA08.tmp\EzvizStudioSetups_v2.0_.tmp" for deletion
"C:\EzvizStudioSetups_v2.0_.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-MKA08.tmp" for deletion
"%PROGRAMFILES%\(x86)\Ezviz Studio\update_server.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-KC42G.tmp\update_server.tmp" for deletion
"%PROGRAMFILES%\(x86)\Ezviz Studio\update_server.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-KC42G.tmp" for deletion
"%TEMP%\is-KC42G.tmp\update_server.tmp" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-7LVM7.tmp\ISTask.dll" for deletion
"%TEMP%\is-KC42G.tmp\update_server.tmp" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-7LVM7.tmp\_isetup\_RegDLL.tmp" for deletion
"%TEMP%\is-KC42G.tmp\update_server.tmp" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-7LVM7.tmp\_isetup\_setup64.tmp" for deletion
"%TEMP%\is-KC42G.tmp\update_server.tmp" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-7LVM7.tmp\_isetup\_shfoldr.dll" for deletion
"%TEMP%\is-KC42G.tmp\update_server.tmp" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-7LVM7.tmp\_isetup" for deletion
"%TEMP%\is-KC42G.tmp\update_server.tmp" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-7LVM7.tmp" for deletion
"%PROGRAMFILES%\(x86)\hicloud\update_server\ModProperties.exe" marked "C:\Program Files (x86)\hicloud\update_server\tmp.tmp" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107
Opens file with deletion access rights
- details
"EzvizStudioSetups_v2.0_.exe" opened "%TEMP%\is-MKA08.tmp\EzvizStudioSetups_v2.0_.tmp" with delete access
"EzvizStudioSetups_v2.0_.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\is-MKA08.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-VAP33.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-ERKOJ.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-QO8HC.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-6KBU1.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-O62FG.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-IEVHC.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-K21J3.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-027KR.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-P8ORV.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-UBLMO.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-D4FGV.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-3G8PA.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-377T7.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-G8FJV.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-T1QM0.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-FOGHF.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-EQUGV.tmp" with delete access
"EzvizStudioSetups_v2.0_.tmp" opened "C:\Program Files (x86)\Ezviz Studio\is-CQFTO.tmp" with delete access
- source: API Call
- relevance: 7/10
System Security
Modifies proxy settings
- details
"EzvizStudioSetups_v2.0_.tmp" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"EzvizStudioSetups_v2.0_.tmp" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"startUp.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"startUp.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112
Queries sensitive IE security settings
- details
"EzvizStudioSetups_v2.0_.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
"startUp.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1012
Unusual Characteristics
Installs hooks/patches the running process
- details
"EzvizStudioSetups_v2.0_.exe" wrote bytes "711171017a3b7001ab8b02007f950200fc8c0200729602006cc805001ecd6d017d266d01" to virtual address "0x75BF07E4" (part of module "USER32.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "b8b0150174ffe0" to virtual address "0x74B436B4" (part of module "SSPICLI.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "d83ab474" to virtual address "0x74B50274" (part of module "SSPICLI.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "c0df2a771cf92977ccf829770d642b7700000000c011bc7600000000fc3ebc7600000000e013bc76000000009457d07425e02a77c6e02a7700000000bc6acf7400000000cf31bc76000000009319d074000000002c32bc7600000000" to virtual address "0x77251000" (part of module "NSI.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "b436b474" to virtual address "0x74B5025C" (part of module "SSPICLI.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "d83ab474" to virtual address "0x74B501FC" (part of module "SSPICLI.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "60120174" to virtual address "0x764FE324" (part of module "WININET.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "b840130174ffe0" to virtual address "0x74B43AD8" (part of module "SSPICLI.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "d83a0200" to virtual address "0x74B44E38" (part of module "SSPICLI.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "d83a0200" to virtual address "0x74B44D78" (part of module "SSPICLI.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "d83ab474" to virtual address "0x74B50258" (part of module "SSPICLI.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "b436b474" to virtual address "0x74B50278" (part of module "SSPICLI.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "b4360200" to virtual address "0x74B44EA4" (part of module "SSPICLI.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "b436b474" to virtual address "0x74B501E4" (part of module "SSPICLI.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "d055e7746473f0740000000051c1547694985476ee9c547675dc5676273e56760fb35a76000000008548bc766987bc760f77be76d917bc76ead7bd76a934bc76f811bc762014bc760c11bc76f516bc765414bc76ff10bc763214bc7600000000" to virtual address "0x74941000" (part of module "SHFOLDER.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "d83ab474" to virtual address "0x74B501E0" (part of module "SSPICLI.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "b436b474" to virtual address "0x74B50200" (part of module "SSPICLI.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "b830120174ffe0" to virtual address "0x75FE1368" (part of module "WS2_32.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "711171017a3b7001ab8b02007f950200fc8c0200729602006cc805001ecd6d017d266d01" to virtual address "0x75BF07E4" (part of module "USER32.DLL")
"EzvizStudioSetups_v2.0_.tmp" wrote bytes "b4360200" to virtual address "0x74B44D68" (part of module "SSPICLI.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179
Reads information about supported languages
- details
"EzvizStudioSetups_v2.0_.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"update_server.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012
Hiding 8 Suspicious Indicators
Informative (15)
Environment Awareness
Queries volume information
- details
"EzvizStudioSetups_v2.0_.tmp" queries volume information of "C:\Windows\SysWOW64\netutils.dll" at 00013045-00000388-00000046-146403066494
"EzvizStudioSetups_v2.0_.tmp" queries volume information of "C:\Users\%USERNAME%\Desktop\Ezviz Studio.lnk" at 00013045-00000388-00000046-146458623520
"EzvizStudioSetups_v2.0_.tmp" queries volume information of "C:\Users\%USERNAME%\Desktop\Ezviz Studio.lnk" at 00013045-00000388-00000046-146802855586
"EzvizStudioSetups_v2.0_.tmp" queries volume information of "C:\Users\%USERNAME%\Desktop\Ezviz Studio.lnk" at 00013045-00000388-00000046-146805053017
"EzvizStudioSetups_v2.0_.tmp" queries volume information of "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap" at 00013045-00000388-00000046-148463942407
"EzvizStudioSetups_v2.0_.tmp" queries volume information of "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap" at 00013045-00000388-00000046-148466208668
"update_server.tmp" queries volume information of "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\hicloud\update_server\Uninstall update_server.lnk" at 00018888-00003328-00000046-227927824326
"update_server.tmp" queries volume information of "C:\Windows\SysWOW64\netutils.dll" at 00018888-00003328-00000046-228334370781
"SPUpDateServer.exe" queries volume information of "C:\Windows\SysWOW64\rsaenh.dll" at 00021460-00002764-00000046-342383212435
"SPUpDateServer.exe" queries volume information of "C:\ProgramData\hik\log\update_server\default.log" at 00021460-00002764-00000046-342563513039
"SPUpDateServer.exe" queries volume information of "C:\ProgramData\hik\log\update_server\HPP.log" at 00021460-00002764-00000046-342570936049
"SPUpDateServer.exe" queries volume information of "C:\ProgramData\hik\log\update_server\SPUPDATE.log" at 00021460-00002764-00000046-342578291228
"SPUpDateServer.exe" queries volume information of unknown location at 00021460-00002764-00000046-348057594939
"SPUpDateServer.exe" queries volume information of unknown location at 00021460-00002764-00000046-353461799532
"SPUpDateServer.exe" queries volume information of unknown location at 00021460-00002764-00000046-359050137574
"SPUpDateServer.exe" queries volume information of unknown location at 00021460-00002764-00000046-364699715662
"SPUpDateServer.exe" queries volume information of unknown location at 00021460-00002764-00000046-370306261302
"SPUpDateServer.exe" queries volume information of unknown location at 00021460-00002764-00000046-375842678753
"SPUpDateServer.exe" queries volume information of unknown location at 00021460-00002764-00000046-381442482374
"SPUpDateServer.exe" queries volume information of unknown location at 00021460-00002764-00000046-387119057851
- source: API Call
- relevance: 2/10
- ATT&CK ID: T1120
Reads the registry for installed applications
- details
"EzvizStudioSetups_v2.0_.tmp" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{49DF99D3-BC81-439A-8F40-A0529159024C}_IS1")
"EzvizStudioSetups_v2.0_.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{49DF99D3-BC81-439A-8F40-A0529159024C}_IS1")
"EzvizStudioSetups_v2.0_.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\EZVIZSTUDIOSETUPS_V2.0_.TMP")
"EzvizStudioSetups_v2.0_.tmp" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\EZVIZSTUDIOSETUPS_V2.0_.TMP")
"EzvizStudioSetups_v2.0_.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\EZVIZPROTECT.EXE")
"EzvizStudioSetups_v2.0_.tmp" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\EZVIZPROTECT.EXE")
"update_server.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{1D08522D-308D-4615-AEA9-44021FD7445A}_IS1")
"update_server.tmp" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{1D08522D-308D-4615-AEA9-44021FD7445A}_IS1")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
External Systems
Sample was identified as clean by Antivirus engines
- details
0/65 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10
General
Contacts server
- details
"54.156.168.153:443"
- source: Network Traffic
- relevance: 1/10
Creates a writable file in a temporary directory
- details
"EzvizStudioSetups_v2.0_.exe" created file "%TEMP%\is-MKA08.tmp\EzvizStudioSetups_v2.0_.tmp"
"EzvizStudioSetups_v2.0_.tmp" created file "C:\Users\%USERNAME%\AppData\Local\Temp\is-J7UG2.tmp\_isetup\_RegDLL.tmp"
"EzvizStudioSetups_v2.0_.tmp" created file "C:\Users\%USERNAME%\AppData\Local\Temp\is-J7UG2.tmp\_isetup\_setup64.tmp"
"EzvizStudioSetups_v2.0_.tmp" created file "C:\Users\%USERNAME%\AppData\Local\Temp\is-J7UG2.tmp\_isetup\_shfoldr.dll"
"EzvizStudioSetups_v2.0_.tmp" created file "C:\Users\%USERNAME%\AppData\Local\Temp\is-J7UG2.tmp\ISTask.dll"
"update_server.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\is-KC42G.tmp\update_server.tmp"
"update_server.tmp" created file "C:\Users\%USERNAME%\AppData\Local\Temp\is-7LVM7.tmp\_isetup\_RegDLL.tmp"
"update_server.tmp" created file "C:\Users\%USERNAME%\AppData\Local\Temp\is-7LVM7.tmp\_isetup\_setup64.tmp"
"update_server.tmp" created file "C:\Users\%USERNAME%\AppData\Local\Temp\is-7LVM7.tmp\_isetup\_shfoldr.dll"
"update_server.tmp" created file "C:\Users\%USERNAME%\AppData\Local\Temp\is-7LVM7.tmp\ISTask.dll"
- source: API Call
- relevance: 1/10
Creates mutants
- details
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\ys_update_server"
"\Sessions\1\BaseNamedObjects\DBWinMutex"
"\Sessions\1\BaseNamedObjects\SPUpDateServer_StartUp_Mutex"
"\Sessions\1\BaseNamedObjects\SPUpDateServer_Mutex"
- source: Created Mutant
- relevance: 3/10
Overview of unique CLSIDs touched in registry
- details
"EzvizStudioSetups_v2.0_.tmp" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"EzvizStudioSetups_v2.0_.tmp" touched "Memory Mapped Cache Mgr" (Path: "HKCU\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
"EzvizStudioSetups_v2.0_.tmp" touched "UsersFiles" (Path: "HKCU\WOW6432NODE\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\SHELLFOLDER")
"EzvizStudioSetups_v2.0_.tmp" touched "delegate folder that appears in Users Files Folder" (Path: "HKCU\WOW6432NODE\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\SHELLFOLDER")
"EzvizStudioSetups_v2.0_.tmp" touched "Shell File System Folder" (Path: "HKCU\WOW6432NODE\CLSID\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\INPROCSERVER32")
"EzvizStudioSetups_v2.0_.tmp" touched "Task Bar Communication" (Path: "HKCU\WOW6432NODE\CLSID\{56FDF344-FD6D-11D0-958A-006097C9A090}\TREATAS")
"EzvizStudioSetups_v2.0_.tmp" touched "Shortcut" (Path: "HKCU\WOW6432NODE\CLSID\{00021401-0000-0000-C000-000000000046}\TREATAS")
"EzvizStudioSetups_v2.0_.tmp" touched "Security Manager" (Path: "HKCU\WOW6432NODE\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\TREATAS")
- source: Registry Access
- relevance: 3/10
Scanning for window names
- details
"EzvizStudioSetups_v2.0_.tmp" searching for class "Shell_TrayWnd"
"update_server.tmp" searching for class "Shell_TrayWnd"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010
Spawns new processes
- details
Spawned process "EzvizStudioSetups_v2.0_.tmp" with commandline "/SL5="$70244,40298272,63488,C:\EzvizStudioSetups_v2.0_.exe""
Spawned process "NpfDetectApp.exe" with commandline "/q"
Spawned process "update_server.exe" with commandline "/VERYSILENT"
Spawned process "update_server.tmp" with commandline "/SL5="$70194,2352971,53760,%PROGRAMFILES%\(x86)\Ezviz Studio\upd ..."
Spawned process "ModProperties.exe" with commandline "update_server"
Spawned process "startUp.exe"
Spawned process "SPUpDateServer.exe"
Spawned process "EzvizProtect.exe"
Spawned process "EzvizProtect.exe"
- source: Monitored Target
- relevance: 3/10
Spawns new processes that are not known child processes
- details
Spawned process "EzvizStudioSetups_v2.0_.tmp" with commandline "/SL5="$70244,40298272,63488,C:\EzvizStudioSetups_v2.0_.exe""
Spawned process "NpfDetectApp.exe" with commandline "/q"
Spawned process "update_server.exe" with commandline "/VERYSILENT"
Spawned process "update_server.tmp" with commandline "/SL5="$70194,2352971,53760,%PROGRAMFILES%\(x86)\Ezviz Studio\upd ..."
Spawned process "ModProperties.exe" with commandline "update_server"
Spawned process "startUp.exe"
Spawned process "SPUpDateServer.exe"
Spawned process "EzvizProtect.exe"
Spawned process "EzvizProtect.exe"
- source: Monitored Target
- relevance: 3/10
Installation/Persistence
Connects to LPC ports
- details
"EzvizStudioSetups_v2.0_.exe" connecting to "\ThemeApiPort"
"EzvizStudioSetups_v2.0_.tmp" connecting to "\ThemeApiPort"
"update_server.exe" connecting to "\ThemeApiPort"
"update_server.tmp" connecting to "\ThemeApiPort"
"startUp.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10
Touches files in the Windows directory
- details
"EzvizStudioSetups_v2.0_.exe" touched file "C:\Windows\SysWOW64\en-US\KernelBase.dll.mui"
"EzvizStudioSetups_v2.0_.exe" touched file "C:\Windows\syswow64\en\KERNELBASE.dll.mui"
"EzvizStudioSetups_v2.0_.exe" touched file "C:\Windows\SysWOW64\netmsg.dll"
"EzvizStudioSetups_v2.0_.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"EzvizStudioSetups_v2.0_.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"EzvizStudioSetups_v2.0_.tmp" touched file "C:\Windows\Fonts\StaticCache.dat"
"EzvizStudioSetups_v2.0_.tmp" touched file "C:\Windows\SysWOW64\en-US\user32.dll.mui"
"EzvizStudioSetups_v2.0_.tmp" touched file "C:\Windows\SysWOW64\en-US\KernelBase.dll.mui"
"EzvizStudioSetups_v2.0_.tmp" touched file "C:\Windows\syswow64\en\KERNELBASE.dll.mui"
"EzvizStudioSetups_v2.0_.tmp" touched file "C:\Windows\SysWOW64\netmsg.dll"
"EzvizStudioSetups_v2.0_.tmp" touched file "C:\Windows\SysWOW64\shfolder.dll"
"EzvizStudioSetups_v2.0_.tmp" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"EzvizStudioSetups_v2.0_.tmp" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
"EzvizStudioSetups_v2.0_.tmp" touched file "C:\Windows\SysWOW64\imageres.dll"
"EzvizStudioSetups_v2.0_.tmp" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"EzvizStudioSetups_v2.0_.tmp" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"EzvizStudioSetups_v2.0_.tmp" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000005.db" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://schemas.microsoft.com/SMI/2"
Heuristic match: "YrCR(z.MW"
Heuristic match: "Osu[XT.fr"
Heuristic match: "aTQ>e0.Fi"
Heuristic match: "6
*,7.ck"
Heuristic match: "1,![]%.Ad"
Heuristic match: "W]x'ry .Tt"
Heuristic match: "-Q3q8;7.gb"
Heuristic match: "i>@!Q4s.Im"
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
Pattern match: "http://ts-ocsp.ws.symantec.com07"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
Pattern match: "www.entrust.net/legal-terms1907"
Pattern match: "http://ocsp.entrust.net05"
Pattern match: "http://aia.entrust.net/ovcs1-chain256.cer01"
Pattern match: "http://crl.entrust.net/ovcs1.crl0L"
Pattern match: "http://www.entrust.net/rpa"
Pattern match: "http://ocsp.entrust.net00"
Pattern match: "http://crl.entrust.net/g2ca.crl0"
Pattern match: "http://www.entrust.net/rpa0"
Pattern match: "http://www.ezvizlife.com/"
Pattern match: "https://api.ezvizlife.com" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Creates or modifies windows services
- details
- "SPUpDateServer.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"EzvizStudioSetups_v2.0_.tmp" opened "\Device\KsecDD"
"update_server.tmp" opened "\Device\KsecDD"
"startUp.exe" opened "\Device\KsecDD"
"SPUpDateServer.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
File Details
EzvizStudioSetups(v2.0).exe
- Filename
- EzvizStudioSetups(v2.0).exe
- Size
- 39MiB (40556184 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 919608e9d3704f66c2da406a3f4cc8e6343cfd6b0b80a1974dfba907d865cb58
- MD5
- a3bc584ccae3a965faa9033060136bea
- SHA1
- 0be3dbda6b53efba6553a6a7915a3bc217ff5402
Hybrid Analysis
Analysed 10 processes in total (System Resource Monitor).
- EzvizStudioSetups_v2.0_.exe (PID: 2656)
- EzvizStudioSetups_v2.0_.tmp /SL5="$70244,40298272,63488,C:\EzvizStudioSetups_v2.0_.exe" (PID: 388)
- NpfDetectApp.exe /q (PID: 3064)
- update_server.exe /VERYSILENT (PID: 2960)
- update_server.tmp /SL5="$70194,2352971,53760,%PROGRAMFILES%\(x86)\Ezviz Studio\update_server.exe" /VERYSILENT (PID: 3328)
- ModProperties.exe update_server (PID: 3932)
- startUp.exe (PID: 3584)
- SPUpDateServer.exe (PID: 2764)
- EzvizProtect.exe (PID: 2176)
- EzvizProtect.exe (PID: 936)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
54.156.168.153 | 443 TCP | spupdateserver.exe PID: 2764 | United States |
Contacted Countries
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
No significant files were extracted.
Notifications
-
Runtime
- Added comment to Virus Total report
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-11" are available in the report
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "registry-55" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report