6fc19fd2f0cded11e6491fde9c6ea0d87655394c94584e753fdccd5f5911d82d

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PSPMencoder.exe
Size

2.5MB
MD5

11b559690c77f4ede4ec202bcac57dc0
SHA1

18bf6f19ff69d834746cbcd913bdaf8e36b6005d
SHA256

8b48ad51da280c7b40e1126d5bcadf5407f9fb45788323c9b9a3bffe384b0817
SHA512

89d1e9a0e3f9c23268921ddda7f495629e7781df5e758681144ce1d08c2ddf36d9e38ad5ae8115bec66e5423028eb9bab85d8f2825764abdb452deae4e064585
SSDEEP

49152:kMkl9vyAXNPCzvqNGgVvAtjpjEwBl5+NA2qlsGSfFC4LcWoRCdUPjRUiZ:6vN9VvAtjpjEwBlANA28rSf1oRCdUPjF

Score

7^/10

persistence upx

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{38943A5A-33BB-4D28-909A-BF52B994D26A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{38943A5A-33BB-4D28-909A-BF52B994D26A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mod\\CCTVPL~1.OCX"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{C728DAB8-FDF5-4CD7-89DD-879D25794C77}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{C728DAB8-FDF5-4CD7-89DD-879D25794C77}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mod\\CCTVPL~1.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{C728DAB8-FDF5-4CD7-89DD-879D25794C77}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mod\\CCTVUpdateInstall.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral18/memory/4772-84-0x0000000010000000-0x000000001001E000-memory.dmp	upx
behavioral18/memory/3000-85-0x0000000010000000-0x00000000100F0000-memory.dmp	upx
behavioral18/memory/4484-86-0x0000000010000000-0x00000000100F0000-memory.dmp	upx
behavioral18/memory/4484-118-0x0000000010000000-0x00000000100F0000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	PSPMencoder.exe
File opened (read-only)	\??\Y:	PSPMencoder.exe
File opened (read-only)	\??\A:	PSPMencoder.exe
File opened (read-only)	\??\L:	PSPMencoder.exe
File opened (read-only)	\??\O:	PSPMencoder.exe
File opened (read-only)	\??\X:	PSPMencoder.exe
File opened (read-only)	\??\K:	PSPMencoder.exe
File opened (read-only)	\??\P:	PSPMencoder.exe
File opened (read-only)	\??\Q:	PSPMencoder.exe
File opened (read-only)	\??\M:	PSPMencoder.exe
File opened (read-only)	\??\R:	PSPMencoder.exe
File opened (read-only)	\??\T:	PSPMencoder.exe
File opened (read-only)	\??\B:	PSPMencoder.exe
File opened (read-only)	\??\E:	PSPMencoder.exe
File opened (read-only)	\??\J:	PSPMencoder.exe
File opened (read-only)	\??\N:	PSPMencoder.exe
File opened (read-only)	\??\U:	PSPMencoder.exe
File opened (read-only)	\??\V:	PSPMencoder.exe
File opened (read-only)	\??\W:	PSPMencoder.exe
File opened (read-only)	\??\Z:	PSPMencoder.exe
File opened (read-only)	\??\G:	PSPMencoder.exe
File opened (read-only)	\??\H:	PSPMencoder.exe
File opened (read-only)	\??\I:	PSPMencoder.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8DB3A21B-4F5A-4D45-AE1A-0F03E72A6E8F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KOOPLAYER.CCTVPlayerCtrl.1	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{C728DAB8-FDF5-4CD7-89DD-879D25794C77}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mod\\CCTVPL~1.OCX, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}\VersionIndependentProgID\ = "CCTVUpdateInstall.DownLoadProgressBar"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\Interface\{042C7AAC-BD4A-4450-AA0C-AAC3A30CA19E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7417B40-7D15-4372-882B-25849EBA17A6}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{C728DAB8-FDF5-4CD7-89DD-879D25794C77}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B0F8D4E-2C8D-4F2A-805B-0E35BF90B713}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}\ProgID\ = "CCTVUpdateInstall.DownLoadProgressBar.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QvodInsert.dll"	PSPMencoder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B1C04D4-FE66-4828-92E0-EEBCC8959BF3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Interface\{80F1D1E4-9D20-4501-B0F1-196A6B302060}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38943A5A-33BB-4D28-909A-BF52B994D26A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mod\\CCTVPL~1.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8821A59C-A115-430b-9F0D-089DB4F8B7F3}\ = "ReliPlayer.CCTV Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8821A59C-A115-430b-9F0D-089DB4F8B7F3}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8821A59B-A115-430B-9F0D-089DB4F8B7F3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mod\\Reli_CCTV.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8821A59A-A115-430B-9F0D-089DB4F8B7F3}\TypeLib\ = "{8821A59B-A115-430B-9F0D-089DB4F8B7F3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Interface\{80F1D1E4-9D20-4501-B0F1-196A6B302060}\ = "_DKooPlayer"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{38943A5A-33BB-4D28-909A-BF52B994D26A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{C728DAB8-FDF5-4CD7-89DD-879D25794C77}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}\Insertable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\InprocServer32	PSPMencoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\Interface\{6B1C04D4-FE66-4828-92E0-EEBCC8959BF3}\TypeLib\ = "{8DB3A21B-4F5A-4D45-AE1A-0F03E72A6E8F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}\TypeLib\ = "{7B0F8D4E-2C8D-4F2A-805B-0E35BF90B713}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\ = "_DVnetClinfoEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\Interface\{80F1D1E4-9D20-4501-B0F1-196A6B302060}\TypeLib	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{38943A5A-33BB-4D28-909A-BF52B994D26A}\ = "KooPlayer Property Page"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HZP.ReliPlayer.CCTV.1\CLSID\ = "{8821A59C-A115-430b-9F0D-089DB4F8B7F3}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8821A59A-A115-430B-9F0D-089DB4F8B7F3}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{042C7AAC-BD4A-4450-AA0C-AAC3A30CA19E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HZP.ReliPlayer.CCTV\CLSID\ = "{8821A59C-A115-430b-9F0D-089DB4F8B7F3}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HZP.ReliPlayer.CCTV\CurVer\ = "HZP.ReliPlayer.CCTV.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}	PSPMencoder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4B5BEEE2-1E16-4DE5-B69E-603581B6C018}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	PSPMencoder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B1C04D4-FE66-4828-92E0-EEBCC8959BF3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B1C04D4-FE66-4828-92E0-EEBCC8959BF3}\TypeLib\Version = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ATLDownLoadProgressBar.DownLoadProgressBar\ = "CCTVUpdateInstall"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VnetClinfo.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\TypeLib\{8DB3A21B-4F5A-4D45-AE1A-0F03E72A6E8F}\1.1\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{C728DAB8-FDF5-4CD7-89DD-879D25794C77}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8821A59D-A115-430B-9F0D-089DB4F8B7F3}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ATLDownLoadProgressBar.DownLoadProgressBar\CLSID\ = "{AC414988-E5BB-4C2C-873B-EA53D2F3D23A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2566F758-FE4A-4691-9F93-30AF685BB403}\1.0\0\win32	PSPMencoder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B1C04D4-FE66-4828-92E0-EEBCC8959BF3}\ = "_DKooPlayerEvents"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\WOW6432Node\CLSID\{C728DAB8-FDF5-4CD7-89DD-879D25794C77}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\TypeLib\{7B0F8D4E-2C8D-4F2A-805B-0E35BF90B713}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\TypeLib\{7B0F8D4E-2C8D-4F2A-805B-0E35BF90B713}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mod\\CCTVUpdateInstall.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80F1D1E4-9D20-4501-B0F1-196A6B302060}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Interface\{80F1D1E4-9D20-4501-B0F1-196A6B302060}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B0F8D4E-2C8D-4F2A-805B-0E35BF90B713}\1.0\ = "ATLDownLoadProgressBar 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8821A59C-A115-430b-9F0D-089DB4F8B7F3}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8821A59A-A115-430B-9F0D-089DB4F8B7F3}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8821A59C-A115-430b-9F0D-089DB4F8B7F3}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8821A59C-A115-430b-9F0D-089DB4F8B7F3}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8821A59D-A115-430B-9F0D-089DB4F8B7F3}\ = "_HZPlayerEvents"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4484	PSPMencoder.exe
Token: SeCreatePagefilePrivilege	4484	PSPMencoder.exe
Token: SeShutdownPrivilege	4484	PSPMencoder.exe
Token: SeCreatePagefilePrivilege	4484	PSPMencoder.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4484	PSPMencoder.exe
4484	PSPMencoder.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe
4484	PSPMencoder.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 5076	4484	PSPMencoder.exe	88
PID 4484 wrote to memory of 5076	4484	PSPMencoder.exe	88
PID 4484 wrote to memory of 5076	4484	PSPMencoder.exe	88
PID 4484 wrote to memory of 4116	4484	PSPMencoder.exe	89
PID 4484 wrote to memory of 4116	4484	PSPMencoder.exe	89
PID 4484 wrote to memory of 4116	4484	PSPMencoder.exe	89
PID 4484 wrote to memory of 396	4484	PSPMencoder.exe	90
PID 4484 wrote to memory of 396	4484	PSPMencoder.exe	90
PID 4484 wrote to memory of 396	4484	PSPMencoder.exe	90
PID 4484 wrote to memory of 1608	4484	PSPMencoder.exe	91
PID 4484 wrote to memory of 1608	4484	PSPMencoder.exe	91
PID 4484 wrote to memory of 1608	4484	PSPMencoder.exe	91
PID 4484 wrote to memory of 4300	4484	PSPMencoder.exe	94
PID 4484 wrote to memory of 4300	4484	PSPMencoder.exe	94
PID 4484 wrote to memory of 4300	4484	PSPMencoder.exe	94
PID 396 wrote to memory of 4772	396	cmd.exe	96
PID 396 wrote to memory of 4772	396	cmd.exe	96
PID 396 wrote to memory of 4772	396	cmd.exe	96
PID 1608 wrote to memory of 3000	1608	cmd.exe	97
PID 1608 wrote to memory of 3000	1608	cmd.exe	97
PID 1608 wrote to memory of 3000	1608	cmd.exe	97
PID 4300 wrote to memory of 4328	4300	cmd.exe	98
PID 4300 wrote to memory of 4328	4300	cmd.exe	98
PID 4300 wrote to memory of 4328	4300	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\PSPMencoder.exe
"C:\Users\Admin\AppData\Local\Temp\PSPMencoder.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 "C:\Users\Admin\AppData\Local\Temp\QvodInsert.dll" /s
  2⤵
  PID:5076
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 "C:\Users\Admin\AppData\Local\Temp\VnetClinfo.ocx" /s
  2⤵
  - Modifies registry class
  PID:4116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c regtvdllCCTVUpdateInstall.dll.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 "C:\Users\Admin\AppData\Local\Temp\mod\CCTVUpdateInstall.dll" /s
    3⤵
    - Registers COM server for autorun
    - Modifies registry class
    PID:4772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c regtvdllCCTVPlayer.ocx.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 "C:\Users\Admin\AppData\Local\Temp\mod\CCTVPlayer.ocx" /s
    3⤵
    - Registers COM server for autorun
    - Modifies registry class
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c regtvdllReli_CCTV.dll.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 "C:\Users\Admin\AppData\Local\Temp\mod\Reli_CCTV.dll" /s
    3⤵
    - Modifies registry class
    PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QvodCfg.ini

Filesize
292B

MD5
a671d3d075bd4fb6e24efbd2ff6b984a

SHA1
ec6cc7b141cdd5cd45a198dd20878f8038364040

SHA256
b315b489492b336207dea7f9a956d1da68405ddac8f5e0b81b14d5dead1e1f29

SHA512
bc194acfd64d274febee0d6876544c3a3ee759f84ecc0c4b098d1a88d2e26405f6c4d19d320b7ca63ff94f1e07e798eabbfbc3bebcf38489599c9b60207a56b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.dll

Filesize
185B

MD5
3c67e841ee3260bdade7cfd0256d2bb0

SHA1
427ec711687486e7e44424ed3ca7c3d439931b28

SHA256
e8f9b15786e1954715fd0a238be23a336ac8530d19bb3df56b725b567273ca02

SHA512
b72cf0983ec465bfcf7a0835488426b4a00c14404f1bef183e966793f5cc8ee8034ef7f5d001b0efea1e20ffe41082849f22bd1932b27f454a1b3851b3ff15ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\regtvdllCCTVPlayer.ocx.bat

Filesize
122B

MD5
c444d18db692685402218008375621d5

SHA1
16df7100180f98f284f7e1e03b12ad2acd67bfbe

SHA256
cdc0acafbe9318790cc423af79b78dbe1312566177f7968f193f0538948ed31d

SHA512
7ad2265cfb2995c738652accc6e4a52ca1b8360594e54687a01972954f6179ff7228ab1ab075387b7b2b14780b7b58235312288b39b781031a87e614ff5f4784

Download Submit
C:\Users\Admin\AppData\Local\Temp\regtvdllCCTVUpdateInstall.dll.bat

Filesize
136B

MD5
093157afd2189f85f6ff43f1c7d346f7

SHA1
fa3bf14e8815b35ce8e7ee82d3007f06321c2b5e

SHA256
f049fa2c8465660a3b10db1ecb6bc9e0d2aaa1e5176ee2b90e1ac6fc1a561a75

SHA512
df5b31570160516330f6a553dbe69ebb496107df6efa0023baa3f019fad7f5cd6da66c5a80116adbd344e3068086eba6068793c5309a1ee59b4c5306bb6ba62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\regtvdllReli_CCTV.dll.bat

Filesize
120B

MD5
a3b3e0b89cf93ff854bac31c0f5dd47e

SHA1
0d92e673cc424d60eab529d8af01148fb106825b

SHA256
414e23a013713aadcc561d23d04f62c95b8f74c47fef2cdd6e1c67baae4db06f

SHA512
d98f8826f43a1642c23110b2c21538a145ae2ce54379deb6f55c2a291a3726337c48b519631dee7904be7810e08d21f7d3434024cda1bb1220997ec397583c61

Download Submit
memory/3000-85-0x0000000010000000-0x00000000100F0000-memory.dmp

Filesize
960KB

Download
memory/4116-2-0x0000000000EA0000-0x0000000000EAD000-memory.dmp

Filesize
52KB

Download
memory/4484-87-0x00000000047F0000-0x0000000004C6C000-memory.dmp

Filesize
4.5MB

Download
memory/4484-86-0x0000000010000000-0x00000000100F0000-memory.dmp

Filesize
960KB

Download
memory/4484-89-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/4484-118-0x0000000010000000-0x00000000100F0000-memory.dmp

Filesize
960KB

Download
memory/4484-120-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/4772-84-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download