661d12b5e6cb61f54086d48b865ef5989ec00379f52b92fdb68b2ef59eddef43

Analysis

max time kernel
29s
max time network
21s
platform
windows10_x64
resource
win10v20201028
submitted
01-12-2020 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloads3/speakoniasetup-1.0.bin.exe
Size

2.6MB
MD5

4e6aece633baf0155331ac4e5e537fef
SHA1

daad322125235cce7742a6f95a428922843e7a6b
SHA256

20652fdf3561c2f840597cf5a610ad4c581f2e41240e58caf9da8c3ce216d080
SHA512

790b08a355a9e389210829e50801e6b5bf59ab80900dfafc0919ea8104b01a9d8650d9b5e045bbedc4f1f5e30f0c5566274838ef83bf4e318362ffb61f9abccd

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

INS7E8C.tmpspchapi.exetv_enua.exe

pid process

584 INS7E8C.tmp
1800 spchapi.exe
916 tv_enua.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 5 IoCs

Processes:

spchapi.exetv_enua.exeregsvr32.exeregsvr32.exe

pid process

1800 spchapi.exe
916 tv_enua.exe
2252 regsvr32.exe
2252 regsvr32.exe
2100 regsvr32.exe

pid	process
584	INS7E8C.tmp
1800	spchapi.exe
916	tv_enua.exe

pid	process
1800	spchapi.exe
916	tv_enua.exe
2252	regsvr32.exe
2252	regsvr32.exe
2100	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tv_enua.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	tv_enua.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	tv_enua.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

Processes:

tv_enua.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	tv_enua.exe
File opened for modification	C:\Windows\SysWOW64\SETB745.tmp	tv_enua.exe
File created	C:\Windows\SysWOW64\SETB745.tmp	tv_enua.exe

Drops file in Program Files directory 10 IoCs

Processes:

INS7E8C.tmp

description	ioc	process
File created	C:\Program Files (x86)\CFS-Technologies\Speakonia\htmlhelp\is-VE8K4.tmp	INS7E8C.tmp
File created	C:\Program Files (x86)\CFS-Technologies\Speakonia\is-UTJVS.tmp	INS7E8C.tmp
File created	C:\Program Files (x86)\CFS-Technologies\Speakonia\is-QO151.tmp	INS7E8C.tmp
File created	C:\Program Files (x86)\CFS-Technologies\Speakonia\is-9V1CH.tmp	INS7E8C.tmp
File created	C:\Program Files (x86)\CFS-Technologies\Speakonia\is-F158B.tmp	INS7E8C.tmp
File created	C:\Program Files (x86)\CFS-Technologies\Speakonia\is-25E2M.tmp	INS7E8C.tmp
File created	C:\Program Files (x86)\CFS-Technologies\Speakonia\is-RIDIM.tmp	INS7E8C.tmp
File opened for modification	C:\Program Files (x86)\CFS-Technologies\Speakonia\unins000.exe	INS7E8C.tmp
File opened for modification	C:\Program Files (x86)\CFS-Technologies\Speakonia\unins000.dat	INS7E8C.tmp
File created	C:\Program Files (x86)\CFS-Technologies\Speakonia\unins000.dat	INS7E8C.tmp

Drops file in Windows directory 64 IoCs

Processes:

spchapi.exetv_enua.exe

description	ioc	process
File opened for modification	C:\Windows\speech\vcmshl.dll	spchapi.exe
File opened for modification	C:\Windows\speech\SETB40B.tmp	spchapi.exe
File opened for modification	C:\Windows\speech\XTel.Dll	spchapi.exe
File created	C:\Windows\INF\SETB422.tmp	spchapi.exe
File created	C:\Windows\lhsp\help\SETB732.tmp	tv_enua.exe
File opened for modification	C:\Windows\INF\SETB744.tmp	tv_enua.exe
File created	C:\Windows\speech\SETB3E4.tmp	spchapi.exe
File opened for modification	C:\Windows\speech\vcmd.exe	spchapi.exe
File created	C:\Windows\speech\SETB40F.tmp	spchapi.exe
File created	C:\Windows\speech\SETB421.tmp	spchapi.exe
File opened for modification	C:\Windows\lhsp\tv\SETB731.tmp	tv_enua.exe
File opened for modification	C:\Windows\lhsp\help\SETB732.tmp	tv_enua.exe
File opened for modification	C:\Windows\fonts\andmoipa.ttf	tv_enua.exe
File opened for modification	C:\Windows\speech\SETB3F9.tmp	spchapi.exe
File created	C:\Windows\speech\SETB40B.tmp	spchapi.exe
File created	C:\Windows\speech\SETB411.tmp	spchapi.exe
File created	C:\Windows\INF\SETB744.tmp	tv_enua.exe
File created	C:\Windows\speech\SETB3F8.tmp	spchapi.exe
File created	C:\Windows\speech\SETB3FA.tmp	spchapi.exe
File opened for modification	C:\Windows\speech\SETB40D.tmp	spchapi.exe
File created	C:\Windows\speech\SETB410.tmp	spchapi.exe
File created	C:\Windows\lhsp\tv\SETB731.tmp	tv_enua.exe
File opened for modification	C:\Windows\speech\vtxtauto.tlb	spchapi.exe
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	tv_enua.exe
File opened for modification	C:\Windows\speech\speech.cnt	spchapi.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	tv_enua.exe
File opened for modification	C:\Windows\speech\SETB3E6.tmp	spchapi.exe
File opened for modification	C:\Windows\speech\VText.dll	spchapi.exe
File opened for modification	C:\Windows\speech\SETB3F8.tmp	spchapi.exe
File created	C:\Windows\speech\SETB40D.tmp	spchapi.exe
File opened for modification	C:\Windows\speech\Xvoice.dll	spchapi.exe
File opened for modification	C:\Windows\speech\WrapSAPI.dll	spchapi.exe
File opened for modification	C:\Windows\speech\speech.dll	spchapi.exe
File created	C:\Windows\speech\SETB3E6.tmp	spchapi.exe
File opened for modification	C:\Windows\speech\SETB3E4.tmp	spchapi.exe
File opened for modification	C:\Windows\speech\SETB3E5.tmp	spchapi.exe
File opened for modification	C:\Windows\speech\SETB3FA.tmp	spchapi.exe
File created	C:\Windows\speech\SETB40C.tmp	spchapi.exe
File opened for modification	C:\Windows\speech\SETB410.tmp	spchapi.exe
File created	C:\Windows\speech\SETB3E5.tmp	spchapi.exe
File opened for modification	C:\Windows\speech\spchtel.dll	spchapi.exe
File opened for modification	C:\Windows\speech\speech.hlp	spchapi.exe
File opened for modification	C:\Windows\speech\Vdict.dll	spchapi.exe
File created	C:\Windows\lhsp\tv\SETB720.tmp	tv_enua.exe
File created	C:\Windows\fonts\SETB743.tmp	tv_enua.exe
File opened for modification	C:\Windows\speech\vcauto.tlb	spchapi.exe
File created	C:\Windows\speech\SETB40E.tmp	spchapi.exe
File opened for modification	C:\Windows\speech\Xcommand.dll	spchapi.exe
File opened for modification	C:\Windows\INF\SETB422.tmp	spchapi.exe
File opened for modification	C:\Windows\fonts\SETB743.tmp	tv_enua.exe
File created	C:\Windows\speech\~TMP4352~.TMP	spchapi.exe
File created	C:\Windows\speech\SETB3F9.tmp	spchapi.exe
File opened for modification	C:\Windows\speech\SETB40C.tmp	spchapi.exe
File opened for modification	C:\Windows\speech\SETB40E.tmp	spchapi.exe
File opened for modification	C:\Windows\speech\SETB421.tmp	spchapi.exe
File opened for modification	C:\Windows\INF\spchapi.inf	spchapi.exe
File opened for modification	C:\Windows\lhsp\tv\SETB720.tmp	tv_enua.exe
File opened for modification	C:\Windows\speech\SETB3E7.tmp	spchapi.exe
File opened for modification	C:\Windows\speech\Xlisten.dll	spchapi.exe
File opened for modification	C:\Windows\speech\SETB411.tmp	spchapi.exe
File opened for modification	C:\Windows\INF\tv_enua.inf	tv_enua.exe
File created	C:\Windows\speech\SETB3E7.tmp	spchapi.exe
File opened for modification	C:\Windows\speech\SETB40F.tmp	spchapi.exe
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	tv_enua.exe

Modifies registry class 993 IoCs

Processes:

spchapi.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EFEEA350-CE5E-11CD-9D96-00AA002FC7C9}\ProxyStubClsid32\ = "{B9BD3860-44DB-101B-90A8-00AA003E4B50}"	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8C3E160-C743-11CD-80E5-00AA003E4B50}	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{090CD9A6-DA1A-11CD-B3CA-00AA0047BA4F}\ = "ISRResMerge"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{88AD7DC5-67D5-11cf-9B8B-08005AFC3A41}\ProxyStubClsid32\ = "{C63A2B30-5543-11b9-C000-5611722E1D15}"	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4E3D9D1F-0C63-11D1-8BFB-0060081841DE}\MiscStatus	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEE78591-FE22-11D0-8BEF-0060081841DE}\TypeLib	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{746141E0-5543-11b9-C000-5611722E1D15}\ProxyStubClsid32	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FFF5DF80-5544-11b9-C000-5611722E1D15}\ProxyStubClsid32	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EEE78583-FE22-11D0-8BEF-0060081841DE}\1.0\ = "Microsoft Direct Text-to-Speech"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{582C2191-4016-11D1-8C55-0060081841DE}\MiscStatus\	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A26D7620-6FA0-11ce-A166-00AA004CD65C}\VersionIndependentProgID	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCFD7A60-604D-101B-9926-00AA003CFC2C}\ProxyStubClsid32\ = "{C63A2B30-5543-11b9-C000-5611722E1D15}"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{090CD9A7-DA1A-11CD-B3CA-00AA0047BA4F}\ProxyStubClsid32\ = "{B9BD3860-44DB-101B-90A8-00AA003E4B50}"	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{88AD7DC7-67D5-11cf-9B8B-08005AFC3A41}	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEE78591-FE22-11D0-8BEF-0060081841DE}\ToolboxBitmap32	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{582C2191-4016-11D1-8C55-0060081841DE}\Insertable	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35522CA0-67CE-11cf-9B8B-08005AFC3A41}\LocalServer32\ = "C:\\Windows\\speech\\vcmd.exe"	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68A33AA0-44CD-101B-90A8-00AA003E4B50}\ProxyStubClsid32	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{88AD7DC5-67D5-11cf-9B8B-08005AFC3A41}\ProxyStubClsid32	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53961A01-459B-11d1-BE77-006008317CE8}\InprocServer32\ThreadingModel = "Apartment"	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2EC5A8A5-E65B-11d0-8FAC-08002BE4E62A}	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A26D7623-6FA0-11ce-A166-00AA004CD65C}\ProxyStubClsid32	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D3CC0820-604D-101B-9926-00AA003CFC2C}\ProxyStubClsid32\ = "{C63A2B30-5543-11b9-C000-5611722E1D15}"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{599F77E4-E42E-11d1-BED8-006008317CE8}\ProxyStubClsid32\ = "{C63A2B30-5543-11b9-C000-5611722E1D15}"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEE78591-FE22-11D0-8BEF-0060081841DE}\ = "DirectSS Class"	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{582C2191-4016-11D1-8C55-0060081841DE}\MiscStatus	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A26D7623-6FA0-11ce-A166-00AA004CD65C}	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FFF5DF80-5544-11b9-C000-5611722E1D15}\ProxyStubClsid32\ = "{C63A2B30-5543-11b9-C000-5611722E1D15}"	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2C840E0-E092-11cd-A166-00AA004CD65C}	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F440FB4-CE01-11cf-B234-00AA00A215ED}\ = "IVCmdNotifySinkExW"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{238004E1-F0C4-11d1-BED9-006008317CE8}\ = "IVDctText2W"	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53961A05-459B-11d1-BE77-006008317CE8}	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FC9E740F-6058-11D1-8C66-0060081841DE}\Control\	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF2C7A51-78F9-11ce-B762-00AA004CD65C}\1.0\409\win32	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF2C7A52-78F9-11ce-B762-00AA004CD65C}\LocalServer32\ = "C:\\Windows\\speech\\vcmd.exe"	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A02C2CA1-AE50-11cf-833A-00AA00A21A29}\ProxyStubClsid32	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A26D7620-6FA0-11ce-A166-00AA004CD65C}\VersionIndependentProgID\ = "Speech.VoiceCommand"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FF2C7A51-78F9-11ce-B762-00AA004CD65C}\1.0\HELPDIR\	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{88AD7DC0-67D5-11cf-9B8B-08005AFC3A41}\ProxyStubClsid32\ = "{C63A2B30-5543-11b9-C000-5611722E1D15}"	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32C35401-D04F-11d0-99B3-00AA004CD65C}\InprocServer32	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD3A2430-E090-11cd-A166-00AA004CD65C}\ProxyStubClsid32\ = "{C63A2B30-5543-11b9-C000-5611722E1D15}"	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89F70C30-8636-11ce-B763-00AA004CD65C}	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4023720-E4B9-11cf-8D56-00A0C9034A7E}\InprocServer32\ThreadingModel = "Apartment"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A26D7622-6FA0-11ce-A166-00AA004CD65C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Speech.VoiceText.1\Clsid\ = "{FF2C7A52-78F9-11ce-B762-00AA004CD65C}"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{88AD7DC5-67D5-11cf-9B8B-08005AFC3A41}\ = "IVDctAttributesW"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8953F1A0-7E80-11cf-8D15-00A0C9034A7E}\ = "IVDctGUI"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4023720-E4B9-11cf-8D56-00A0C9034A7E}\InprocServer32\ = "C:\\Windows\\speech\\Speech.dll"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4523720-E4B9-11cf-8D56-00A0C9034A7E}\InprocServer32\ = "C:\\Windows\\speech\\Speech.dll"	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05EB6C60-DBAB-11CD-B3CA-00AA0047BA4F}\ProxyStubClsid32	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90A84EA1-6E51-11D0-9BC2-08005AFC3A41}\ProxyStubClsid32	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C7F3F20-8BAB-11d2-9432-00C04F8EF48F}\MiscStatus\ = "0"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AEB2A680-5544-11b9-C000-5611722E1D15}\ = "IVCmdMenuSetA"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC06A220-C743-11cd-80E5-00AA003E4B50}\ProxyStubClsid32\ = "{B9BD3860-44DB-101B-90A8-00AA003E4B50}"	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53961A07-459B-11d1-BE77-006008317CE8}	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2C840E0-E092-11cd-A166-00AA004CD65C}\ProxyStubClsid32\ = "{C63A2B30-5543-11b9-C000-5611722E1D15}"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4E3D9D1F-0C63-11D1-8BFB-0060081841DE}\MiscStatus\	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B9BD3860-44DB-101B-90A8-00AA003E4B50}\InprocServer32\ = "C:\\Windows\\speech\\vcmshl.dll"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAC54F60-604D-101B-9926-00AA003CFC2C}\ = "IVCmdMenuW"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BCFB4C60-44DB-101B-90A8-00AA003E4B50}\ = "ISRDialogsW"	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC06A220-C743-11cd-80E5-00AA003E4B50}\ = "IAudioSource"	spchapi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4E3F8E0-6521-11d1-8C35-006097DF5D01}\ProxyStubClsid32	spchapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FC9E740F-6058-11D1-8C66-0060081841DE}\Insertable\	spchapi.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

speakoniasetup-1.0.bin.exeINS7E8C.tmpspchapi.exetv_enua.exe

description	pid	process	target process
PID 980 wrote to memory of 584	980	speakoniasetup-1.0.bin.exe	INS7E8C.tmp
PID 980 wrote to memory of 584	980	speakoniasetup-1.0.bin.exe	INS7E8C.tmp
PID 980 wrote to memory of 584	980	speakoniasetup-1.0.bin.exe	INS7E8C.tmp
PID 584 wrote to memory of 1800	584	INS7E8C.tmp	spchapi.exe
PID 584 wrote to memory of 1800	584	INS7E8C.tmp	spchapi.exe
PID 584 wrote to memory of 1800	584	INS7E8C.tmp	spchapi.exe
PID 1800 wrote to memory of 296	1800	spchapi.exe	grpconv.exe
PID 1800 wrote to memory of 296	1800	spchapi.exe	grpconv.exe
PID 1800 wrote to memory of 296	1800	spchapi.exe	grpconv.exe
PID 584 wrote to memory of 916	584	INS7E8C.tmp	tv_enua.exe
PID 584 wrote to memory of 916	584	INS7E8C.tmp	tv_enua.exe
PID 584 wrote to memory of 916	584	INS7E8C.tmp	tv_enua.exe
PID 916 wrote to memory of 2252	916	tv_enua.exe	regsvr32.exe
PID 916 wrote to memory of 2252	916	tv_enua.exe	regsvr32.exe
PID 916 wrote to memory of 2252	916	tv_enua.exe	regsvr32.exe
PID 916 wrote to memory of 2100	916	tv_enua.exe	regsvr32.exe
PID 916 wrote to memory of 2100	916	tv_enua.exe	regsvr32.exe
PID 916 wrote to memory of 2100	916	tv_enua.exe	regsvr32.exe
PID 916 wrote to memory of 512	916	tv_enua.exe	grpconv.exe
PID 916 wrote to memory of 512	916	tv_enua.exe	grpconv.exe
PID 916 wrote to memory of 512	916	tv_enua.exe	grpconv.exe

C:\Users\Admin\AppData\Local\Temp\Downloads3\speakoniasetup-1.0.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Downloads3\speakoniasetup-1.0.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\INS7E8C.tmp
C:\Users\Admin\AppData\Local\Temp\INS7E8C.tmp /SL3 $30122 C:\Users\Admin\AppData\Local\Temp\Downloads3\speakoniasetup-1.0.bin.exe 2707411 2710888 66048
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:584

C:\Program Files (x86)\CFS-Technologies\Speakonia\spchapi.exe
"C:\Program Files (x86)\CFS-Technologies\Speakonia\spchapi.exe" /Q
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
4⤵
PID:296

C:\Program Files (x86)\CFS-Technologies\Speakonia\tv_enua.exe
"C:\Program Files (x86)\CFS-Technologies\Speakonia\tv_enua.exe" /Q
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
4⤵
- Loads dropped DLL
PID:2252

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
4⤵
- Loads dropped DLL
PID:2100

C:\Windows\SysWOW64\grpconv.exe
grpconv.exe -o
4⤵
PID:512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CFS-Technologies\Speakonia\spchapi.exe
MD5
d421da9b6a100bf58c7c6d585c73ed4c

SHA1
79521256aab1fc5d01a661ed0cdff45a88ab2ace

SHA256
8955ee03217bc2539e2f80e58f51d30aa97e7512d96592f098133c8036e363dd

SHA512
ca0b75d1a07b125cf3b774483e098a9095d18ee8c1a277a2ff6aeeeef1e1d74a5e55855dbf7f13cc96a82423203ea86336372d48d483dc600d3ead38fe746c60

Download Submit
C:\Program Files (x86)\CFS-Technologies\Speakonia\spchapi.exe
MD5
d421da9b6a100bf58c7c6d585c73ed4c

SHA1
79521256aab1fc5d01a661ed0cdff45a88ab2ace

SHA256
8955ee03217bc2539e2f80e58f51d30aa97e7512d96592f098133c8036e363dd

SHA512
ca0b75d1a07b125cf3b774483e098a9095d18ee8c1a277a2ff6aeeeef1e1d74a5e55855dbf7f13cc96a82423203ea86336372d48d483dc600d3ead38fe746c60

Download Submit
C:\Program Files (x86)\CFS-Technologies\Speakonia\tv_enua.exe
MD5
3f8f18c9c732151dcdd8e1d8fe655896

SHA1
222cc49201aa06313d4d35a62c5d494af49d1a56

SHA256
709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331

SHA512
398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7

Download Submit
C:\Program Files (x86)\CFS-Technologies\Speakonia\tv_enua.exe
MD5
3f8f18c9c732151dcdd8e1d8fe655896

SHA1
222cc49201aa06313d4d35a62c5d494af49d1a56

SHA256
709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331

SHA512
398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\INS7E8C.tmp
MD5
e832d7ee12db2e1f5b6a8ce6957bc8da

SHA1
5220371c70360cb6bf50bed9074ac817f9821a7b

SHA256
da1cbb483eaac174b231b553d8c6f006b9a6ddbfc734d634fc4a796535078e1e

SHA512
dd0fba01468250e884835f35c788f05a8f5d1d80d96b6be1dc4173c099352df9e5c647e6381a9f2b83ecb63f2cb6878078d98b196a82b55cf937fd751ce064dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\INS7E8C.tmp
MD5
e832d7ee12db2e1f5b6a8ce6957bc8da

SHA1
5220371c70360cb6bf50bed9074ac817f9821a7b

SHA256
da1cbb483eaac174b231b553d8c6f006b9a6ddbfc734d634fc4a796535078e1e

SHA512
dd0fba01468250e884835f35c788f05a8f5d1d80d96b6be1dc4173c099352df9e5c647e6381a9f2b83ecb63f2cb6878078d98b196a82b55cf937fd751ce064dc

Download Submit
C:\Windows\SysWOW64\MSVCP50.dll
MD5
497fd4a8f5c4fcdaaac1f761a92a366a

SHA1
81617006e93f8a171b2c47581c1d67fac463dc93

SHA256
91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a

SHA512
73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25

Download Submit
C:\Windows\lhsp\tv\tv_enua.dll
MD5
ed98e67fa8cc190aad0757cd620e6b77

SHA1
0317b10cdb8ac080ba2919e2c04058f1b6f2f94d

SHA256
e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d

SHA512
ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0

Download Submit
C:\Windows\lhsp\tv\tvenuax.dll
MD5
1587bf2e99abeeae856f33bf98d3512e

SHA1
aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9

SHA256
c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0

SHA512
43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
\Windows\SysWOW64\msvcp50.dll
MD5
497fd4a8f5c4fcdaaac1f761a92a366a

SHA1
81617006e93f8a171b2c47581c1d67fac463dc93

SHA256
91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a

SHA512
73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25

Download Submit
\Windows\lhsp\tv\tv_enua.dll
MD5
ed98e67fa8cc190aad0757cd620e6b77

SHA1
0317b10cdb8ac080ba2919e2c04058f1b6f2f94d

SHA256
e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d

SHA512
ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0

Download Submit
\Windows\lhsp\tv\tvenuax.dll
MD5
1587bf2e99abeeae856f33bf98d3512e

SHA1
aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9

SHA256
c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0

SHA512
43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a

Download Submit
memory/296-9-0x0000000000000000-mapping.dmp

Download
memory/512-22-0x0000000000000000-mapping.dmp

Download
memory/584-2-0x0000000000000000-mapping.dmp

Download
memory/916-10-0x0000000000000000-mapping.dmp

Download
memory/1800-5-0x0000000000000000-mapping.dmp

Download
memory/2100-19-0x0000000000000000-mapping.dmp

Download
memory/2252-14-0x0000000000000000-mapping.dmp

Download