Overview
overview
3Static
static
3Password_4...0].rar
windows7-x64
3Password_4...0].rar
windows10-2004-x64
3Common Fil...ay.dll
windows7-x64
3Common Fil...ay.dll
windows10-2004-x64
3Common Fil...ce.dll
windows7-x64
3Common Fil...ce.dll
windows10-2004-x64
3Common Fil...er.dll
windows7-x64
1Common Fil...er.dll
windows10-2004-x64
1Common Fil...er.dll
windows7-x64
1Common Fil...er.dll
windows10-2004-x64
1Common Fil...il.dll
windows7-x64
1Common Fil...il.dll
windows10-2004-x64
1Common Fil...ge.dll
windows7-x64
3Common Fil...ge.dll
windows10-2004-x64
3Common Fil...DK.dll
windows7-x64
1Common Fil...DK.dll
windows10-2004-x64
1Common Fil...sh.dll
windows7-x64
1Common Fil...sh.dll
windows10-2004-x64
1Common Fil...er.dll
windows7-x64
1Common Fil...er.dll
windows10-2004-x64
1Common Fil...et.dll
windows7-x64
1Common Fil...et.dll
windows10-2004-x64
1Common Fil...ec.dll
windows7-x64
1Common Fil...ec.dll
windows10-2004-x64
1Common Fil...on.dll
windows7-x64
3Common Fil...on.dll
windows10-2004-x64
3Common Fil...Ex.dll
windows7-x64
3Common Fil...Ex.dll
windows10-2004-x64
3Common Fil...ls.dll
windows7-x64
3Common Fil...ls.dll
windows10-2004-x64
3Common Fil...up.dll
windows7-x64
3Common Fil...up.dll
windows10-2004-x64
3Analysis
-
max time kernel
434s -
max time network
441s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-es -
resource tags
arch:x64arch:x86image:win10v2004-20230703-eslocale:es-esos:windows10-2004-x64systemwindows -
submitted
02/08/2023, 23:39
Static task
static1
Behavioral task
behavioral1
Sample
Password_4455_Setup_____[E0D4A8110].rar
Resource
win7-20230712-es
windows7-x64
Behavioral task
behavioral2
Sample
Password_4455_Setup_____[E0D4A8110].rar
Resource
win10v2004-20230703-es
windows10-2004-x64
Behavioral task
behavioral3
Sample
Common Files/AVPlay.dll
Resource
win7-20230712-es
windows7-x64
Behavioral task
behavioral4
Sample
Common Files/AVPlay.dll
Resource
win10v2004-20230703-es
windows10-2004-x64
Behavioral task
behavioral5
Sample
Common Files/Appliance.dll
Resource
win7-20230712-es
windows7-x64
Behavioral task
behavioral6
Sample
Common Files/Appliance.dll
Resource
win10v2004-20230703-es
windows10-2004-x64
Behavioral task
behavioral7
Sample
Common Files/ArchiveSampleProvider.dll
Resource
win7-20230712-es
windows7-x64
Behavioral task
behavioral8
Sample
Common Files/ArchiveSampleProvider.dll
Resource
win10v2004-20230703-es
windows10-2004-x64
Behavioral task
behavioral9
Sample
Common Files/AudioSearchHelper.dll
Resource
win7-20230712-es
windows7-x64
Behavioral task
behavioral10
Sample
Common Files/AudioSearchHelper.dll
Resource
win10v2004-20230703-es
windows10-2004-x64
Behavioral task
behavioral11
Sample
Common Files/AudioUtil.dll
Resource
win7-20230712-es
windows7-x64
Behavioral task
behavioral12
Sample
Common Files/AudioUtil.dll
Resource
win10v2004-20230703-es
windows10-2004-x64
Behavioral task
behavioral13
Sample
Common Files/BStorage.dll
Resource
win7-20230712-es
windows7-x64
Behavioral task
behavioral14
Sample
Common Files/BStorage.dll
Resource
win10v2004-20230703-es
windows10-2004-x64
Behavioral task
behavioral15
Sample
Common Files/BasicSDK.dll
Resource
win7-20230712-es
windows7-x64
Behavioral task
behavioral16
Sample
Common Files/BasicSDK.dll
Resource
win10v2004-20230703-es
windows10-2004-x64
Behavioral task
behavioral17
Sample
Common Files/Blowfish.dll
Resource
win7-20230712-es
windows7-x64
Behavioral task
behavioral18
Sample
Common Files/Blowfish.dll
Resource
win10v2004-20230703-es
windows10-2004-x64
Behavioral task
behavioral19
Sample
Common Files/CDWriter.dll
Resource
win7-20230712-es
windows7-x64
Behavioral task
behavioral20
Sample
Common Files/CDWriter.dll
Resource
win10v2004-20230703-es
windows10-2004-x64
Behavioral task
behavioral21
Sample
Common Files/ClientSocket.dll
Resource
win7-20230712-es
windows7-x64
Behavioral task
behavioral22
Sample
Common Files/ClientSocket.dll
Resource
win10v2004-20230703-es
windows10-2004-x64
Behavioral task
behavioral23
Sample
Common Files/Codec.dll
Resource
win7-20230712-es
windows7-x64
Behavioral task
behavioral24
Sample
Common Files/Codec.dll
Resource
win10v2004-20230703-es
windows10-2004-x64
Behavioral task
behavioral25
Sample
Common Files/Common.dll
Resource
win7-20230712-es
windows7-x64
Behavioral task
behavioral26
Sample
Common Files/Common.dll
Resource
win10v2004-20230703-es
windows10-2004-x64
Behavioral task
behavioral27
Sample
Common Files/CtrlEx.dll
Resource
win7-20230712-es
windows7-x64
Behavioral task
behavioral28
Sample
Common Files/CtrlEx.dll
Resource
win10v2004-20230703-es
windows10-2004-x64
Behavioral task
behavioral29
Sample
Common Files/Ctrls.dll
Resource
win7-20230712-es
windows7-x64
Behavioral task
behavioral30
Sample
Common Files/Ctrls.dll
Resource
win10v2004-20230703-es
windows10-2004-x64
Behavioral task
behavioral31
Sample
Common Files/DBBackup.dll
Resource
win7-20230712-es
windows7-x64
Behavioral task
behavioral32
Sample
Common Files/DBBackup.dll
Resource
win10v2004-20230703-es
windows10-2004-x64
General
-
Target
Common Files/CDWriter.dll
-
Size
85KB
-
MD5
67cbd08a6db314bda975ce866677d40f
-
SHA1
db88c348f09c4176155457f4542db22e800a2f12
-
SHA256
cb606ecc3f4a3b72dacfd53ce4853dff36310d0a4bd9edcdb155b31b88d573a3
-
SHA512
99d66d14cc8acff9a5736c1b699211b0edee1aac4bc796fcd1b1854c23aa436dfb0d79758c50b81dd9e98ed71038261fae3e167c169132df311e45d1e944d1dd
-
SSDEEP
1536:xfJ2tkwQHkSZnLxK3UPDZtbjkxd+YUFTsCT+ouB6+0dkdDrlorrsGeQOt0jyyoEK:nBZN7ZZIUmCaoEt0dkdvlgsIOtNyDR
Malware Config
Signatures
-
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9CBD1B4-BFDF-4C5D-B408-5FB21316E07B}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B1F211C-83DC-46C6-8977-627586EDE3A8}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B1F211C-83DC-46C6-8977-627586EDE3A8}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CC3134E1-68DF-4DEE-AF39-649CC0A769CF} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Integral.Common.CDWriter\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBC77A91-FD1D-4FAD-BE79-22241466DB97}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Common Files" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9CBD1B4-BFDF-4C5D-B408-5FB21316E07B}\ = "ICDWriter" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\CDWriter.DLL regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B1F211C-83DC-46C6-8977-627586EDE3A8} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A022063F-6563-44DC-BC81-9435AFB5D2DF}\TypeLib\ = "{DBC77A91-FD1D-4FAD-BE79-22241466DB97}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9CBD1B4-BFDF-4C5D-B408-5FB21316E07B}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B1F211C-83DC-46C6-8977-627586EDE3A8}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A022063F-6563-44DC-BC81-9435AFB5D2DF} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9CBD1B4-BFDF-4C5D-B408-5FB21316E07B}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B1F211C-83DC-46C6-8977-627586EDE3A8}\TypeLib\ = "{DBC77A91-FD1D-4FAD-BE79-22241466DB97}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBC77A91-FD1D-4FAD-BE79-22241466DB97}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBC77A91-FD1D-4FAD-BE79-22241466DB97}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9CBD1B4-BFDF-4C5D-B408-5FB21316E07B} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B1F211C-83DC-46C6-8977-627586EDE3A8}\TypeLib\ = "{DBC77A91-FD1D-4FAD-BE79-22241466DB97}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B1F211C-83DC-46C6-8977-627586EDE3A8}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A022063F-6563-44DC-BC81-9435AFB5D2DF}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBC77A91-FD1D-4FAD-BE79-22241466DB97}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9CBD1B4-BFDF-4C5D-B408-5FB21316E07B} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B1F211C-83DC-46C6-8977-627586EDE3A8}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B1F211C-83DC-46C6-8977-627586EDE3A8}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Integral.Common.CDWriter\ = "Integral CDWriter Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A022063F-6563-44DC-BC81-9435AFB5D2DF}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9CBD1B4-BFDF-4C5D-B408-5FB21316E07B}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9CBD1B4-BFDF-4C5D-B408-5FB21316E07B}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B1F211C-83DC-46C6-8977-627586EDE3A8}\ = "_ICDWriterEvents" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\CDWriter.DLL\AppID = "{CC3134E1-68DF-4DEE-AF39-649CC0A769CF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A022063F-6563-44DC-BC81-9435AFB5D2DF}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBC77A91-FD1D-4FAD-BE79-22241466DB97}\1.0\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBC77A91-FD1D-4FAD-BE79-22241466DB97}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Integral.Common.CDWriter\CurVer\ = "Integral.Common.CDWriter.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9CBD1B4-BFDF-4C5D-B408-5FB21316E07B}\TypeLib\ = "{DBC77A91-FD1D-4FAD-BE79-22241466DB97}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Integral.Common.CDWriter.1\CLSID\ = "{A022063F-6563-44DC-BC81-9435AFB5D2DF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B1F211C-83DC-46C6-8977-627586EDE3A8}\ = "_ICDWriterEvents" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B1F211C-83DC-46C6-8977-627586EDE3A8}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CC3134E1-68DF-4DEE-AF39-649CC0A769CF}\ = "Integral.Common.CDWriter" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Integral.Common.CDWriter\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBC77A91-FD1D-4FAD-BE79-22241466DB97}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Common Files\\CDWriter.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Integral.Common.CDWriter regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A022063F-6563-44DC-BC81-9435AFB5D2DF}\AppID = "{CC3134E1-68DF-4DEE-AF39-649CC0A769CF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9CBD1B4-BFDF-4C5D-B408-5FB21316E07B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9CBD1B4-BFDF-4C5D-B408-5FB21316E07B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B1F211C-83DC-46C6-8977-627586EDE3A8} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A022063F-6563-44DC-BC81-9435AFB5D2DF}\ProgID\ = "Integral.Common.CDWriter.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A022063F-6563-44DC-BC81-9435AFB5D2DF}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBC77A91-FD1D-4FAD-BE79-22241466DB97}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9CBD1B4-BFDF-4C5D-B408-5FB21316E07B}\TypeLib\ = "{DBC77A91-FD1D-4FAD-BE79-22241466DB97}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Integral.Common.CDWriter.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Integral.Common.CDWriter.1\ = "Integral CDWriter Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBC77A91-FD1D-4FAD-BE79-22241466DB97}\1.0\ = "Integral.Common.CDWriter 1.0 Type Library" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9CBD1B4-BFDF-4C5D-B408-5FB21316E07B}\ = "ICDWriter" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9CBD1B4-BFDF-4C5D-B408-5FB21316E07B}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A022063F-6563-44DC-BC81-9435AFB5D2DF}\ = "CDWriter Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A022063F-6563-44DC-BC81-9435AFB5D2DF}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A022063F-6563-44DC-BC81-9435AFB5D2DF}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A022063F-6563-44DC-BC81-9435AFB5D2DF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Common Files\\CDWriter.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B1F211C-83DC-46C6-8977-627586EDE3A8}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Integral.Common.CDWriter.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Integral.Common.CDWriter\CLSID\ = "{A022063F-6563-44DC-BC81-9435AFB5D2DF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A022063F-6563-44DC-BC81-9435AFB5D2DF}\VersionIndependentProgID\ = "Integral.Common.CDWriter" regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2588 wrote to memory of 2888 2588 regsvr32.exe 80 PID 2588 wrote to memory of 2888 2588 regsvr32.exe 80 PID 2588 wrote to memory of 2888 2588 regsvr32.exe 80