Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
3Static
static
1UnparkCPU ...aR.rar
windows7-x64
3UnparkCPU ...aR.rar
windows10-2004-x64
3Suscribete...il.dll
windows7-x64
1Suscribete...il.dll
windows10-2004-x64
1Suscribete...er.dll
windows7-x64
1Suscribete...er.dll
windows10-2004-x64
1Suscribete...PU.exe
windows7-x64
1Suscribete...PU.exe
windows10-2004-x64
1Suscribete...st.exe
windows7-x64
3Suscribete...st.exe
windows10-2004-x64
3Suscribete...nifest
windows7-x64
3Suscribete...nifest
windows10-2004-x64
3Analysis
-
max time kernel
67s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
27/03/2023, 10:07
Static task
static1
Behavioral task
behavioral1
Sample
UnparkCPU - KuasaR.rar
Resource
win7-20230220-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
UnparkCPU - KuasaR.rar
Resource
win10v2004-20230220-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral3
Sample
Suscribete a KuasaR/Unpark CPU/Interop.MSUtil.dll
Resource
win7-20230220-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral4
Sample
Suscribete a KuasaR/Unpark CPU/Interop.MSUtil.dll
Resource
win10v2004-20230221-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral5
Sample
Suscribete a KuasaR/Unpark CPU/LogParser.dll
Resource
win7-20230220-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral6
Sample
Suscribete a KuasaR/Unpark CPU/LogParser.dll
Resource
win10v2004-20230220-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral7
Sample
Suscribete a KuasaR/Unpark CPU/UnparkCPU.exe
Resource
win7-20230220-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral8
Sample
Suscribete a KuasaR/Unpark CPU/UnparkCPU.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral9
Sample
Suscribete a KuasaR/Unpark CPU/UnparkCPU.vshost.exe
Resource
win7-20230220-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral10
Sample
Suscribete a KuasaR/Unpark CPU/UnparkCPU.vshost.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral11
Sample
Suscribete a KuasaR/Unpark CPU/UnparkCPU.vshost.exe.manifest
Resource
win7-20230220-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral12
Sample
Suscribete a KuasaR/Unpark CPU/UnparkCPU.vshost.exe.manifest
Resource
win10v2004-20230221-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
Suscribete a KuasaR/Unpark CPU/LogParser.dll
-
Size
1.2MB
-
MD5
19a0224e0d175ba8c2a55c17d8019a4c
-
SHA1
025775ba74ebea2262d72335a3146817793f1acb
-
SHA256
75fd4411d31d91c5b53f1554d585f892db303e743b82ee6c9f6007757130b105
-
SHA512
3f0fb98c4c33c75f8411d271efac6eb2fdcd26d473eb46686c0cf41b4546bfabe278c254554559cf9bc4496cd04893bacbc10ee680169d1e96b215138435da72
-
SSDEEP
24576:3vPuRuXVp3FHPl5MpvofEHlrid0l9hhhVW:P3FHPl5MVHFid0l9hhhVW
Score
1/10
Malware Config
Signatures
-
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.SYSLOGOutputFormat\ = "LogQuery.SYSLOGOutputFormat" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF3F77B5-028D-4DE3-BDE7-8D84C30573C0}\TypeLib\ = "{A7E75D86-41CD-4B6E-B4BD-CC2ED34B3FB0}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7A5A3711-A707-4381-9C86-9ECADFB88975}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.RegistryInputFormat\CLSID\ = "{C17BDE3A-CDBD-45E0-9BCF-FD286A344EE8}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0B28DCB-F1D8-48A3-B4F4-FC28BEBA5EBA}\ = "ICOMIISNCSAInputContext" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0776E95A-34E3-4488-886E-094BA16BB6BD}\VersionIndependentProgID\ = "MSUtil.LogQuery.XMLInputFormat" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80206B7F-6424-41FA-984C-7DBD92CE0C48} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B331653F-522E-4FBD-BEA2-D47ED26DA8CC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Suscribete a KuasaR\\Unpark CPU\\LogParser.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.TextLineInputFormat.1\CLSID\ = "{E17FE5B0-C2BC-4C97-8EBF-8EF2F763FCA8}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F3A6096-C1A3-428D-BE12-EEA7CDB3627F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{342148B3-7F11-4F39-A287-6829F83FABDA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Suscribete a KuasaR\\Unpark CPU\\LogParser.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC00A85E-22A3-4E73-8FA8-088EE78B1DC5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0B28DCB-F1D8-48A3-B4F4-FC28BEBA5EBA} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{09631558-6E49-4D0D-927F-628BA883CB1D} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{80C997CD-A676-4028-8860-BB5F2F8278F6}\ = "LogQuery.CSVOutputFormat" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F0FF3746-6CA6-4AB6-AE64-79A26FA82950}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EBC373B-4E35-455A-8611-8A9ECE6689F5} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0173E9B3-19C1-4A25-995B-4B19EBD68025}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.RegistryInputFormat regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.CSVOutputFormat\CurVer\ = "MSUtil.LogQuery.CSVOutputFormat.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.DataGridOutputFormat\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F0FF3746-6CA6-4AB6-AE64-79A26FA82950}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76DDDBC5-5DFF-4A2B-9E09-4E1C26C6A938}\TypeLib\ = "{A7E75D86-41CD-4B6E-B4BD-CC2ED34B3FB0}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.IISBINInputFormat\ = "LogQuery.IISBINInputFormat" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.ETWInputFormat\ = "LogQuery.ETWInputFormat" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.XMLOutputFormat\ = "LogQuery.XMLOutputFormat" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C4C2DB5-61C5-4D45-A66F-2071EC069328} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85B21BA3-4271-4B10-A837-B715FDF3B0A1} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.IISODBCInputFormat\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.IISIISMSIDInputFormat\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DA56E00E-E07C-4AB0-954E-0F901E9179A0}\ = "ILogStringCollection" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A1AAA95-FD08-449B-BD16-E87083D8F087}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6120A3D1-AD55-41F9-ADB0-7266E2623364}\ = "LogQuery.IISW3CInputFormat" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{252A24E7-067F-4875-8510-7533F8B6915E}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA8BAB06-715C-49F5-A94F-3E70B1CE38C6} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.W3CInputFormat.1\CLSID\ = "{3ED0372B-4117-4CA3-A638-EF9BF3720248}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1979F191-21AA-489D-BCDC-8CB6DC60AF42} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A5A3711-A707-4381-9C86-9ECADFB88975} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2547428D-535E-4467-9C0C-77511E47BE0D}\ = "ICOMTemplateOutputContext" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4E1AD8B6-39B6-4802-90EF-B5D86774D815}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.W3COutputFormat.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.IISOutputFormat\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85B21BA3-4271-4B10-A837-B715FDF3B0A1}\ = "ICOMADSInputContext" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F3A6096-C1A3-428D-BE12-EEA7CDB3627F}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.IISIISInputFormat.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.CSVOutputFormat\ = "LogQuery.CSVOutputFormat" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A6E2BE0-96E4-4985-87AF-BDC668EA15A5} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.TextLineInputFormat.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.ADSInputFormat.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BE3E5B2-BBC3-40BB-AAFE-C94DDA631D32}\ProgID\ = "MSUtil.LogQuery.EventLogInputFormat.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.SYSLOGOutputFormat.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DA56E00E-E07C-4AB0-954E-0F901E9179A0}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC00A85E-22A3-4E73-8FA8-088EE78B1DC5}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3040E2D1-C692-4081-91BB-75F08FEE0EF6}\ = "MSUtil" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A5A3711-A707-4381-9C86-9ECADFB88975}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2690326C-0A98-41A0-A53A-BE0D58F0E936}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.W3CInputFormat\ = "LogQuery.W3CInputFormat" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A5A3711-A707-4381-9C86-9ECADFB88975}\TypeLib\ = "{A7E75D86-41CD-4B6E-B4BD-CC2ED34B3FB0}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2547428D-535E-4467-9C0C-77511E47BE0D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.IISW3CInputFormat\ = "LogQuery.IISW3CInputFormat" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.IISIISMSIDInputFormat regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSUtil.LogQuery.RegistryInputFormat\CurVer\ = "MSUtil.LogQuery.RegistryInputFormat.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7E75D86-41CD-4B6E-B4BD-CC2ED34B3FB0}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B53E5AF6-3D61-42B1-8F65-4F4F7368EC59} regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3212 wrote to memory of 4712 3212 regsvr32.exe 84 PID 3212 wrote to memory of 4712 3212 regsvr32.exe 84 PID 3212 wrote to memory of 4712 3212 regsvr32.exe 84
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Suscribete a KuasaR\Unpark CPU\LogParser.dll"1⤵
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Temp\Suscribete a KuasaR\Unpark CPU\LogParser.dll"2⤵
- Modifies registry class
PID:4712
-