ed5fe5eb0d0146db50d8848052a4a9177c50ea00c51471f4489f1327370133d4

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Total Video Converter/QuickTime.dll
Size

84KB
MD5

d9db1bd388b64abe8f5ae43d7e84c7e7
SHA1

ae8bc630b2701629d61787c4a30c4d3e1c703dbc
SHA256

0b3e2cc73cf960fa8b24914f2645a4e0f0d2bcf6d6ec46f70d2442d3f812f94e
SHA512

c88ca0a02867f055b071a8dbf382cbfa71dfd5ad0760d275a3ec27faf35dd687c5d80c4f253e2c74937ed5686db25f4068beefc862432c53beb5caa592250f90
SSDEEP

1536:BAr8P1V8WVMg3Anc0Q2plPd0hevG9z7Vd6CZmjc:OrGV8WVMgGcL8Pd0kvG9v5mjc

Score

1^/10

Malware Config

Signatures

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E41C6AFE-738D-4A56-957C-C352F41B3275}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E41C6AFE-738D-4A56-957C-C352F41B3275}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Total Video Converter\\QuickTime.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E41C6AFE-738D-4A56-957C-C352F41B3275}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E41C6AFE-738D-4A56-957C-C352F41B3275}\CLSID = "{E41C6AFE-738D-4A56-957C-C352F41B3275}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.mov	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.mov\Source Filter = "{E41C6AFE-738D-4A56-957C-C352F41B3275}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E41C6AFE-738D-4A56-957C-C352F41B3275}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E41C6AFE-738D-4A56-957C-C352F41B3275}\FilterData = 0200000000002000020000000000000030706933080000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000080000000700000007669647300001000800000aa00389b71000000000000000000000000000000006175647300001000800000aa00389b71	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E41C6AFE-738D-4A56-957C-C352F41B3275}\ = "QTSrc"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E41C6AFE-738D-4A56-957C-C352F41B3275}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E41C6AFE-738D-4A56-957C-C352F41B3275}\FriendlyName = "CyberLink QuickTime Source Filter"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2604	2464	regsvr32.exe	31
PID 2464 wrote to memory of 2604	2464	regsvr32.exe	31
PID 2464 wrote to memory of 2604	2464	regsvr32.exe	31

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Total Video Converter\QuickTime.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\regsvr32.exe
  /s "C:\Users\Admin\AppData\Local\Temp\Total Video Converter\QuickTime.dll"
  2⤵
  - Modifies registry class
  PID:2604

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads