Overview
Analysis
max time kernel: 243s
max time network: 243s
platform: windows10_x64
resource: win10v20201028
submitted: 01-12-2020 14:18
Static task: static1

Behavioral tasks (all run on resource win10v20201028):
behavioral1    Sample: Downloads3/139.bin.exe
behavioral2    Sample: Downloads3/425895848735145103942784.doc
behavioral3    Sample: Downloads3/IgqbCYuTw.bin.exe
behavioral4    Sample: Downloads3/SetupFille-v48.09.45.bin.exe
behavioral5    Sample: Downloads3/finfisher.1.bin.exe
behavioral6    Sample: Downloads3/speakoniasetup-1.0.bin.exe
behavioral7    Sample: Downloads3/139.bin.exe
behavioral8    Sample: Downloads3/425895848735145103942784.doc
behavioral9    Sample: Downloads3/IgqbCYuTw.bin.exe
behavioral10   Sample: Downloads3/SetupFille-v48.09.45.bin.exe
behavioral11   Sample: Downloads3/finfisher.1.bin.exe
behavioral12   Sample: Downloads3/speakoniasetup-1.0.bin.exe
behavioral13   Sample: Downloads3/139.bin.exe
behavioral14   Sample: Downloads3/425895848735145103942784.doc
behavioral15   Sample: Downloads3/IgqbCYuTw.bin.exe
behavioral16   Sample: Downloads3/SetupFille-v48.09.45.bin.exe
behavioral17   Sample: Downloads3/finfisher.1.bin.exe
behavioral18   Sample: Downloads3/speakoniasetup-1.0.bin.exe
General
Target: Downloads3/speakoniasetup-1.0.bin.exe
Size: 2.6MB
MD5: 4e6aece633baf0155331ac4e5e537fef
SHA1: daad322125235cce7742a6f95a428922843e7a6b
SHA256: 20652fdf3561c2f840597cf5a610ad4c581f2e41240e58caf9da8c3ce216d080
SHA512: 790b08a355a9e389210829e50801e6b5bf59ab80900dfafc0919ea8104b01a9d8650d9b5e045bbedc4f1f5e30f0c5566274838ef83bf4e318362ffb61f9abccd
Malware Config
Signatures
Executes dropped EXE 3 IoCs
pid    process
2312   INS5360.tmp
2452   spchapi.exe
2164   tv_enua.exe
Modifies Installed Components in the registry 2 TTPs
Loads dropped DLL 5 IoCs
pid    process
2452   spchapi.exe
2164   tv_enua.exe
3704   regsvr32.exe
3704   regsvr32.exe
3860   regsvr32.exe
Adds Run key to start application 2 TTPs 2 IoCs
description        ioc                                                                                   process
Key created        \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce      tv_enua.exe
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"    tv_enua.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory 3 IoCs
description                     ioc                                 process
File opened for modification    C:\Windows\SysWOW64\SET9CA3.tmp     tv_enua.exe
File created                    C:\Windows\SysWOW64\SET9CA3.tmp     tv_enua.exe
File opened for modification    C:\Windows\SysWOW64\msvcp50.dll     tv_enua.exe
Drops file in Program Files directory 10 IoCs
description                     ioc                                                                            process
File created                    C:\Program Files (x86)\CFS-Technologies\Speakonia\is-KUQIM.tmp                 INS5360.tmp
File created                    C:\Program Files (x86)\CFS-Technologies\Speakonia\is-MF7N9.tmp                 INS5360.tmp
File opened for modification    C:\Program Files (x86)\CFS-Technologies\Speakonia\unins000.dat                 INS5360.tmp
File created                    C:\Program Files (x86)\CFS-Technologies\Speakonia\unins000.dat                 INS5360.tmp
File created                    C:\Program Files (x86)\CFS-Technologies\Speakonia\is-2UR5T.tmp                 INS5360.tmp
File created                    C:\Program Files (x86)\CFS-Technologies\Speakonia\is-PABG9.tmp                 INS5360.tmp
File created                    C:\Program Files (x86)\CFS-Technologies\Speakonia\is-SRHQL.tmp                 INS5360.tmp
File created                    C:\Program Files (x86)\CFS-Technologies\Speakonia\is-54TCO.tmp                 INS5360.tmp
File created                    C:\Program Files (x86)\CFS-Technologies\Speakonia\htmlhelp\is-6NSDF.tmp        INS5360.tmp
File opened for modification    C:\Program Files (x86)\CFS-Technologies\Speakonia\unins000.exe                 INS5360.tmp
Drops file in Windows directory 64 IoCs (processes: spchapi.exe, tv_enua.exe)
Modifies registry class 993 IoCs (process: spchapi.exe)
Suspicious use of WriteProcessMemory 21 IoCs
description                         pid    process                       target process
PID 648 wrote to memory of 2312     648    speakoniasetup-1.0.bin.exe    INS5360.tmp
PID 648 wrote to memory of 2312     648    speakoniasetup-1.0.bin.exe    INS5360.tmp
PID 648 wrote to memory of 2312     648    speakoniasetup-1.0.bin.exe    INS5360.tmp
PID 2312 wrote to memory of 2452    2312   INS5360.tmp                   spchapi.exe
PID 2312 wrote to memory of 2452    2312   INS5360.tmp                   spchapi.exe
PID 2312 wrote to memory of 2452    2312   INS5360.tmp                   spchapi.exe
PID 2452 wrote to memory of 2132    2452   spchapi.exe                   grpconv.exe
PID 2452 wrote to memory of 2132    2452   spchapi.exe                   grpconv.exe
PID 2452 wrote to memory of 2132    2452   spchapi.exe                   grpconv.exe
PID 2312 wrote to memory of 2164    2312   INS5360.tmp                   tv_enua.exe
PID 2312 wrote to memory of 2164    2312   INS5360.tmp                   tv_enua.exe
PID 2312 wrote to memory of 2164    2312   INS5360.tmp                   tv_enua.exe
PID 2164 wrote to memory of 3704    2164   tv_enua.exe                   regsvr32.exe
PID 2164 wrote to memory of 3704    2164   tv_enua.exe                   regsvr32.exe
PID 2164 wrote to memory of 3704    2164   tv_enua.exe                   regsvr32.exe
PID 2164 wrote to memory of 3860    2164   tv_enua.exe                   regsvr32.exe
PID 2164 wrote to memory of 3860    2164   tv_enua.exe                   regsvr32.exe
PID 2164 wrote to memory of 3860    2164   tv_enua.exe                   regsvr32.exe
PID 2164 wrote to memory of 3964    2164   tv_enua.exe                   grpconv.exe
PID 2164 wrote to memory of 3964    2164   tv_enua.exe                   grpconv.exe
PID 2164 wrote to memory of 3964    2164   tv_enua.exe                   grpconv.exe
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\Downloads3\speakoniasetup-1.0.bin.exe (depth 1, PID 648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Downloads3\speakoniasetup-1.0.bin.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\INS5360.tmp (depth 2, PID 2312)
    Command line: C:\Users\Admin\AppData\Local\Temp\INS5360.tmp /SL3 $3011A C:\Users\Admin\AppData\Local\Temp\Downloads3\speakoniasetup-1.0.bin.exe 2707411 2710888 66048
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\CFS-Technologies\Speakonia\spchapi.exe (depth 3, PID 2452)
      Command line: "C:\Program Files (x86)\CFS-Technologies\Speakonia\spchapi.exe" /Q
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\grpconv.exe (depth 4, PID 2132)
        Command line: grpconv.exe -o

    C:\Program Files (x86)\CFS-Technologies\Speakonia\tv_enua.exe (depth 3, PID 2164)
      Command line: "C:\Program Files (x86)\CFS-Technologies\Speakonia\tv_enua.exe" /Q
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\regsvr32.exe (depth 4, PID 3704)
        Command line: regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
        - Loads dropped DLL

      C:\Windows\SysWOW64\regsvr32.exe (depth 4, PID 3860)
        Command line: regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
        - Loads dropped DLL

      C:\Windows\SysWOW64\grpconv.exe (depth 4, PID 3964)
        Command line: grpconv.exe -o
Network
MITRE ATT&CK Enterprise v6
Downloads