5c8c5985ccadf49c31db958ab37bf9364bd9275501dd186c60eb62a5fee4b34b

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/01/2024, 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PSPMencoder.exe
Size

2.5MB
MD5

8464394f47d1b2b00944b6bd75ba5226
SHA1

b3b02c06403a64f9d360225f7923f1e19c00a539
SHA256

31405f0862472d9877ee66fc592c5d50e0ec5e44725831932593088202cca642
SHA512

f413ed1a2f966e9364138b30f23320e9d531d7926013352d70c7896bb4b8fe926b76ec7546fcf1a50e5068624012312b275d5067f3f44c82b8a406c17c029cfe
SSDEEP

49152:SQQ99NtzK6mlE+t7U20LlzFAhVf+5XWV6lFO9RC4LcWoRCdUPjRUir:aD+dU20LlzFAhVW5XWQLO9RoRCdUPjRJ

Score

7^/10

persistence upx

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mod\\CCTVUpdateInstall.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\CLSID\{38943A5A-33BB-4D28-909A-BF52B994D26A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\CLSID\{38943A5A-33BB-4D28-909A-BF52B994D26A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mod\\CCTVPL~1.OCX"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\CLSID\{C728DAB8-FDF5-4CD7-89DD-879D25794C77}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\CLSID\{C728DAB8-FDF5-4CD7-89DD-879D25794C77}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mod\\CCTVPL~1.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\CLSID\{C728DAB8-FDF5-4CD7-89DD-879D25794C77}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}\InprocServer32	regsvr32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral17/memory/2676-97-0x0000000010000000-0x00000000100F0000-memory.dmp	upx
behavioral17/memory/2768-99-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral17/memory/2568-101-0x0000000010000000-0x00000000100F0000-memory.dmp	upx
behavioral17/memory/2568-111-0x0000000010000000-0x00000000100F0000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	PSPMencoder.exe
File opened (read-only)	\??\B:	PSPMencoder.exe
File opened (read-only)	\??\L:	PSPMencoder.exe
File opened (read-only)	\??\Q:	PSPMencoder.exe
File opened (read-only)	\??\T:	PSPMencoder.exe
File opened (read-only)	\??\X:	PSPMencoder.exe
File opened (read-only)	\??\I:	PSPMencoder.exe
File opened (read-only)	\??\J:	PSPMencoder.exe
File opened (read-only)	\??\R:	PSPMencoder.exe
File opened (read-only)	\??\V:	PSPMencoder.exe
File opened (read-only)	\??\U:	PSPMencoder.exe
File opened (read-only)	\??\W:	PSPMencoder.exe
File opened (read-only)	\??\Z:	PSPMencoder.exe
File opened (read-only)	\??\E:	PSPMencoder.exe
File opened (read-only)	\??\G:	PSPMencoder.exe
File opened (read-only)	\??\K:	PSPMencoder.exe
File opened (read-only)	\??\S:	PSPMencoder.exe
File opened (read-only)	\??\O:	PSPMencoder.exe
File opened (read-only)	\??\P:	PSPMencoder.exe
File opened (read-only)	\??\A:	PSPMencoder.exe
File opened (read-only)	\??\H:	PSPMencoder.exe
File opened (read-only)	\??\M:	PSPMencoder.exe
File opened (read-only)	\??\N:	PSPMencoder.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85BA792F-F1A6-403D-9BFA-641703E7223F}\ = "_DVnetClinfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{80F1D1E4-9D20-4501-B0F1-196A6B302060}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\TypeLib\{8DB3A21B-4F5A-4D45-AE1A-0F03E72A6E8F}\1.1\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}\Insertable	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\Interface\{042C7AAC-BD4A-4450-AA0C-AAC3A30CA19E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7417B40-7D15-4372-882B-25849EBA17A6}\ = "VnetClinfo Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89B2C28D-779F-4704-AD29-113B0977E8A5}\InprocServer32	PSPMencoder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B0F8D4E-2C8D-4F2A-805B-0E35BF90B713}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\ATLDownLoadProgressBar.DownLoadProgressBar\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\ATLDownLoadProgressBar.DownLoadProgressBar\ = "CCTVUpdateInstall"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B1C04D4-FE66-4828-92E0-EEBCC8959BF3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38943A5A-33BB-4D28-909A-BF52B994D26A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mod\\CCTVPL~1.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KOOPLAYER.CCTVPlayerCtrl.1\ = "KooPlayer Control"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Interface\{6B1C04D4-FE66-4828-92E0-EEBCC8959BF3}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HZP.ReliPlayer.CCTV\ = "ReliPlayer.CCTV Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{80F1D1E4-9D20-4501-B0F1-196A6B302060}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{603180C6-8421-4a33-9B94-E5AFC9D68CD9}\ = "ReliPlayer.CCTV"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{603180C6-8421-4a33-9B94-E5AFC9D68CD9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8821A59C-A115-430b-9F0D-089DB4F8B7F3}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\ = "VnetClinfo Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Interface\{80F1D1E4-9D20-4501-B0F1-196A6B302060}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	PSPMencoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4B5BEEE2-1E16-4DE5-B69E-603581B6C018}\1.0	PSPMencoder.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B1C04D4-FE66-4828-92E0-EEBCC8959BF3}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B1C04D4-FE66-4828-92E0-EEBCC8959BF3}\TypeLib\Version = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\CLSID\{C728DAB8-FDF5-4CD7-89DD-879D25794C77}\TypeLib\ = "{8DB3A21B-4F5A-4D45-AE1A-0F03E72A6E8F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\InprocServer32	PSPMencoder.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\CLSID\{C728DAB8-FDF5-4CD7-89DD-879D25794C77}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8821A59C-A115-430b-9F0D-089DB4F8B7F3}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\Interface\{042C7AAC-BD4A-4450-AA0C-AAC3A30CA19E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B1C04D4-FE66-4828-92E0-EEBCC8959BF3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85BA792F-F1A6-403D-9BFA-641703E7223F}\TypeLib\ = "{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{042C7AAC-BD4A-4450-AA0C-AAC3A30CA19E}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\Interface\{042C7AAC-BD4A-4450-AA0C-AAC3A30CA19E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QvodInsert.dll"	PSPMencoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8821A59D-A115-430B-9F0D-089DB4F8B7F3}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80F1D1E4-9D20-4501-B0F1-196A6B302060}\TypeLib\Version = "1.1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\Interface\{80F1D1E4-9D20-4501-B0F1-196A6B302060}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8821A59A-A115-430B-9F0D-089DB4F8B7F3}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8821A59A-A115-430B-9F0D-089DB4F8B7F3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8821A59A-A115-430B-9F0D-089DB4F8B7F3}\TypeLib\ = "{8821A59B-A115-430B-9F0D-089DB4F8B7F3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2566F758-FE4A-4691-9F93-30AF685BB403}	PSPMencoder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mod\\CCTVUpdateInstall.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\KOOPLAYER.CCTVPlayerCtrl.1\CLSID\ = "{C728DAB8-FDF5-4CD7-89DD-879D25794C77}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\CLSID\{C728DAB8-FDF5-4CD7-89DD-879D25794C77}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B1C04D4-FE66-4828-92E0-EEBCC8959BF3}\ = "_DKooPlayerEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B1C04D4-FE66-4828-92E0-EEBCC8959BF3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C728DAB8-FDF5-4CD7-89DD-879D25794C77}\Version	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Wow6432Node\CLSID\{38943A5A-33BB-4D28-909A-BF52B994D26A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HZP.ReliPlayer.CCTV	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4B5BEEE2-1E16-4DE5-B69E-603581B6C018}\1.0\0\win32	PSPMencoder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\RealNetworks\Preferences\DT_Codecs\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Codecs"	PSPMencoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ATLDownLoadProgressBar.DownLoadProgressBar\CurVer	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2568	PSPMencoder.exe
2568	PSPMencoder.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe
2568	PSPMencoder.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2268	2568	PSPMencoder.exe	28
PID 2568 wrote to memory of 2268	2568	PSPMencoder.exe	28
PID 2568 wrote to memory of 2268	2568	PSPMencoder.exe	28
PID 2568 wrote to memory of 2268	2568	PSPMencoder.exe	28
PID 2568 wrote to memory of 2268	2568	PSPMencoder.exe	28
PID 2568 wrote to memory of 2268	2568	PSPMencoder.exe	28
PID 2568 wrote to memory of 2268	2568	PSPMencoder.exe	28
PID 2568 wrote to memory of 2800	2568	PSPMencoder.exe	29
PID 2568 wrote to memory of 2800	2568	PSPMencoder.exe	29
PID 2568 wrote to memory of 2800	2568	PSPMencoder.exe	29
PID 2568 wrote to memory of 2800	2568	PSPMencoder.exe	29
PID 2568 wrote to memory of 2800	2568	PSPMencoder.exe	29
PID 2568 wrote to memory of 2800	2568	PSPMencoder.exe	29
PID 2568 wrote to memory of 2800	2568	PSPMencoder.exe	29
PID 2568 wrote to memory of 2704	2568	PSPMencoder.exe	30
PID 2568 wrote to memory of 2704	2568	PSPMencoder.exe	30
PID 2568 wrote to memory of 2704	2568	PSPMencoder.exe	30
PID 2568 wrote to memory of 2704	2568	PSPMencoder.exe	30
PID 2568 wrote to memory of 2704	2568	PSPMencoder.exe	30
PID 2568 wrote to memory of 2704	2568	PSPMencoder.exe	30
PID 2568 wrote to memory of 2704	2568	PSPMencoder.exe	30
PID 2568 wrote to memory of 2872	2568	PSPMencoder.exe	32
PID 2568 wrote to memory of 2872	2568	PSPMencoder.exe	32
PID 2568 wrote to memory of 2872	2568	PSPMencoder.exe	32
PID 2568 wrote to memory of 2872	2568	PSPMencoder.exe	32
PID 2568 wrote to memory of 2856	2568	PSPMencoder.exe	34
PID 2568 wrote to memory of 2856	2568	PSPMencoder.exe	34
PID 2568 wrote to memory of 2856	2568	PSPMencoder.exe	34
PID 2568 wrote to memory of 2856	2568	PSPMencoder.exe	34
PID 2872 wrote to memory of 2676	2872	cmd.exe	36
PID 2872 wrote to memory of 2676	2872	cmd.exe	36
PID 2872 wrote to memory of 2676	2872	cmd.exe	36
PID 2872 wrote to memory of 2676	2872	cmd.exe	36
PID 2872 wrote to memory of 2676	2872	cmd.exe	36
PID 2872 wrote to memory of 2676	2872	cmd.exe	36
PID 2872 wrote to memory of 2676	2872	cmd.exe	36
PID 2704 wrote to memory of 2768	2704	cmd.exe	35
PID 2704 wrote to memory of 2768	2704	cmd.exe	35
PID 2704 wrote to memory of 2768	2704	cmd.exe	35
PID 2704 wrote to memory of 2768	2704	cmd.exe	35
PID 2704 wrote to memory of 2768	2704	cmd.exe	35
PID 2704 wrote to memory of 2768	2704	cmd.exe	35
PID 2704 wrote to memory of 2768	2704	cmd.exe	35
PID 2856 wrote to memory of 2904	2856	cmd.exe	38
PID 2856 wrote to memory of 2904	2856	cmd.exe	38
PID 2856 wrote to memory of 2904	2856	cmd.exe	38
PID 2856 wrote to memory of 2904	2856	cmd.exe	38
PID 2856 wrote to memory of 2904	2856	cmd.exe	38
PID 2856 wrote to memory of 2904	2856	cmd.exe	38
PID 2856 wrote to memory of 2904	2856	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\PSPMencoder.exe
"C:\Users\Admin\AppData\Local\Temp\PSPMencoder.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 "C:\Users\Admin\AppData\Local\Temp\QvodInsert.dll" /s
  2⤵
  PID:2268
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 "C:\Users\Admin\AppData\Local\Temp\VnetClinfo.ocx" /s
  2⤵
  - Modifies registry class
  PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c regtvdllCCTVUpdateInstall.dll.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 "C:\Users\Admin\AppData\Local\Temp\mod\CCTVUpdateInstall.dll" /s
    3⤵
    - Registers COM server for autorun
    - Modifies registry class
    PID:2768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c regtvdllCCTVPlayer.ocx.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 "C:\Users\Admin\AppData\Local\Temp\mod\CCTVPlayer.ocx" /s
    3⤵
    - Registers COM server for autorun
    - Modifies registry class
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c regtvdllReli_CCTV.dll.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 "C:\Users\Admin\AppData\Local\Temp\mod\Reli_CCTV.dll" /s
    3⤵
    - Modifies registry class
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QvodCfg.ini

Filesize
292B

MD5
a671d3d075bd4fb6e24efbd2ff6b984a

SHA1
ec6cc7b141cdd5cd45a198dd20878f8038364040

SHA256
b315b489492b336207dea7f9a956d1da68405ddac8f5e0b81b14d5dead1e1f29

SHA512
bc194acfd64d274febee0d6876544c3a3ee759f84ecc0c4b098d1a88d2e26405f6c4d19d320b7ca63ff94f1e07e798eabbfbc3bebcf38489599c9b60207a56b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.dll

Filesize
185B

MD5
3a03fd02ec2c4a8594040d25e1234ec2

SHA1
41c9dbc98f14f04bd88b2149d615f96758bbddb1

SHA256
207ccf7b56f8a780d2cc2b744d32e52fdd4ce6074ca94ad4153160469f7e99ad

SHA512
a5a3d4c8de44eb81fbf4d036809b12318f919a3941d9e99f8e8d7406c4eb4874deb274905a8d20cbf44c64b27e0b2d822cdde661e9ea88933c889e5c9e5e9461

Download Submit
C:\Users\Admin\AppData\Local\Temp\regtvdllCCTVPlayer.ocx.bat

Filesize
122B

MD5
c444d18db692685402218008375621d5

SHA1
16df7100180f98f284f7e1e03b12ad2acd67bfbe

SHA256
cdc0acafbe9318790cc423af79b78dbe1312566177f7968f193f0538948ed31d

SHA512
7ad2265cfb2995c738652accc6e4a52ca1b8360594e54687a01972954f6179ff7228ab1ab075387b7b2b14780b7b58235312288b39b781031a87e614ff5f4784

Download Submit
C:\Users\Admin\AppData\Local\Temp\regtvdllCCTVUpdateInstall.dll.bat

Filesize
136B

MD5
093157afd2189f85f6ff43f1c7d346f7

SHA1
fa3bf14e8815b35ce8e7ee82d3007f06321c2b5e

SHA256
f049fa2c8465660a3b10db1ecb6bc9e0d2aaa1e5176ee2b90e1ac6fc1a561a75

SHA512
df5b31570160516330f6a553dbe69ebb496107df6efa0023baa3f019fad7f5cd6da66c5a80116adbd344e3068086eba6068793c5309a1ee59b4c5306bb6ba62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\regtvdllReli_CCTV.dll.bat

Filesize
120B

MD5
a3b3e0b89cf93ff854bac31c0f5dd47e

SHA1
0d92e673cc424d60eab529d8af01148fb106825b

SHA256
414e23a013713aadcc561d23d04f62c95b8f74c47fef2cdd6e1c67baae4db06f

SHA512
d98f8826f43a1642c23110b2c21538a145ae2ce54379deb6f55c2a291a3726337c48b519631dee7904be7810e08d21f7d3434024cda1bb1220997ec397583c61

Download Submit
memory/2568-101-0x0000000010000000-0x00000000100F0000-memory.dmp

Filesize
960KB

Download
memory/2568-102-0x0000000004DB0000-0x000000000522C000-memory.dmp

Filesize
4.5MB

Download
memory/2568-104-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/2568-111-0x0000000010000000-0x00000000100F0000-memory.dmp

Filesize
960KB

Download
memory/2568-113-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/2676-97-0x0000000010000000-0x00000000100F0000-memory.dmp

Filesize
960KB

Download
memory/2768-99-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2800-2-0x0000000000130000-0x000000000013D000-memory.dmp

Filesize
52KB

Download