52ed440aa643c06a63db44a5572d2c97225d11934fa36c8b54172cf6de3cdc0c

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2024, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PSPMencoder.exe
Size

2.5MB
MD5

8464394f47d1b2b00944b6bd75ba5226
SHA1

b3b02c06403a64f9d360225f7923f1e19c00a539
SHA256

31405f0862472d9877ee66fc592c5d50e0ec5e44725831932593088202cca642
SHA512

f413ed1a2f966e9364138b30f23320e9d531d7926013352d70c7896bb4b8fe926b76ec7546fcf1a50e5068624012312b275d5067f3f44c82b8a406c17c029cfe
SSDEEP

49152:SQQ99NtzK6mlE+t7U20LlzFAhVf+5XWV6lFO9RC4LcWoRCdUPjRUir:aD+dU20LlzFAhVW5XWQLO9RoRCdUPjRJ

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4B5BEEE2-1E16-4DE5-B69E-603581B6C018}\1.0\HELPDIR	PSPMencoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8821A59D-A115-430B-9F0D-089DB4F8B7F3}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{603180C6-8421-4a33-9B94-E5AFC9D68CD9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Reli_CCTV.dll	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8821A59D-A115-430B-9F0D-089DB4F8B7F3}\TypeLib\ = "{8821A59B-A115-430B-9F0D-089DB4F8B7F3}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software\RealNetworks\Preferences\DT_Codecs	PSPMencoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8821A59B-A115-430B-9F0D-089DB4F8B7F3}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}\1.0\ = "VnetClinfo ActiveX Control module"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\ = "VnetClinfo Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNETCL~1.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8821A59C-A115-430b-9F0D-089DB4F8B7F3}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mod\\Reli_CCTV.dll, 102"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8821A59D-A115-430B-9F0D-089DB4F8B7F3}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\Insertable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HZP.ReliPlayer.CCTV.1\CLSID\ = "{8821A59C-A115-430b-9F0D-089DB4F8B7F3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8821A59C-A115-430b-9F0D-089DB4F8B7F3}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8821A59A-A115-430B-9F0D-089DB4F8B7F3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7417B40-7D15-4372-882B-25849EBA17A6}\ = "VnetClinfo Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8821A59A-A115-430B-9F0D-089DB4F8B7F3}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A6FB6E89-628F-4597-A52B-0AADBE5713CA}	PSPMencoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8821A59C-A115-430b-9F0D-089DB4F8B7F3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8821A59B-A115-430B-9F0D-089DB4F8B7F3}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7417B40-7D15-4372-882B-25849EBA17A6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNETCL~1.OCX"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNETCL~1.OCX, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2566F758-FE4A-4691-9F93-30AF685BB403}\1.0	PSPMencoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4B5BEEE2-1E16-4DE5-B69E-603581B6C018}\1.0\0\win32	PSPMencoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4B5BEEE2-1E16-4DE5-B69E-603581B6C018}\1.0\0	PSPMencoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software	PSPMencoder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8821A59D-A115-430B-9F0D-089DB4F8B7F3}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8821A59A-A115-430B-9F0D-089DB4F8B7F3}\ = "IHZPlayerControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8821A59A-A115-430B-9F0D-089DB4F8B7F3}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\ = "_DVnetClinfoEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7417B40-7D15-4372-882B-25849EBA17A6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\InprocServer32	PSPMencoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A6FB6E89-628F-4597-A52B-0AADBE5713CA}\1.0\0	PSPMencoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{432F118C-DB79-4561-9799-CC95EA78208B}\InprocServer32	PSPMencoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8821A59A-A115-430B-9F0D-089DB4F8B7F3}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\TypeLib\ = "{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8821A59C-A115-430b-9F0D-089DB4F8B7F3}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8821A59C-A115-430B-9F0D-089DB4F8B7F3}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VNETCLINFO.VnetClinfoCtrl.1\Insertable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85BA792F-F1A6-403D-9BFA-641703E7223F}\TypeLib\ = "{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\RealNetworks\Preferences\DT_Codecs\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Codecs"	PSPMencoder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8821A59C-A115-430b-9F0D-089DB4F8B7F3}\AppID = "{603180C6-8421-4a33-9B94-E5AFC9D68CD9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8821A59B-A115-430B-9F0D-089DB4F8B7F3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mod\\Reli_CCTV.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85BA792F-F1A6-403D-9BFA-641703E7223F}\ = "_DVnetClinfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QvodInsert.dll, 101"	PSPMencoder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89B2C28D-779F-4704-AD29-113B0977E8A5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Codecs\\ColorFilter.ax"	PSPMencoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA4B0970-69E9-4323-AB2F-DBB33BDA414E}\1.0\HELPDIR	PSPMencoder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8821A59B-A115-430B-9F0D-089DB4F8B7F3}\1.0\ = "HZPlayerControl 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8821A59A-A115-430B-9F0D-089DB4F8B7F3}\TypeLib\ = "{8821A59B-A115-430B-9F0D-089DB4F8B7F3}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85BA792F-F1A6-403D-9BFA-641703E7223F}\ = "_DVnetClinfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4B5BEEE2-1E16-4DE5-B69E-603581B6C018}	PSPMencoder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HZP.ReliPlayer.CCTV.1\ = "ReliPlayer.CCTV Class"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3828	PSPMencoder.exe
3828	PSPMencoder.exe
3828	PSPMencoder.exe
3828	PSPMencoder.exe
3828	PSPMencoder.exe
3828	PSPMencoder.exe
3828	PSPMencoder.exe
3828	PSPMencoder.exe
3828	PSPMencoder.exe
3828	PSPMencoder.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3828	PSPMencoder.exe
3828	PSPMencoder.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3828	PSPMencoder.exe
3828	PSPMencoder.exe
3828	PSPMencoder.exe
3828	PSPMencoder.exe
3828	PSPMencoder.exe
3828	PSPMencoder.exe
3828	PSPMencoder.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 4900	3828	PSPMencoder.exe	90
PID 3828 wrote to memory of 4900	3828	PSPMencoder.exe	90
PID 3828 wrote to memory of 4900	3828	PSPMencoder.exe	90
PID 3828 wrote to memory of 4280	3828	PSPMencoder.exe	91
PID 3828 wrote to memory of 4280	3828	PSPMencoder.exe	91
PID 3828 wrote to memory of 4280	3828	PSPMencoder.exe	91
PID 3828 wrote to memory of 1756	3828	PSPMencoder.exe	92
PID 3828 wrote to memory of 1756	3828	PSPMencoder.exe	92
PID 3828 wrote to memory of 1756	3828	PSPMencoder.exe	92
PID 3828 wrote to memory of 2728	3828	PSPMencoder.exe	93
PID 3828 wrote to memory of 2728	3828	PSPMencoder.exe	93
PID 3828 wrote to memory of 2728	3828	PSPMencoder.exe	93
PID 3828 wrote to memory of 884	3828	PSPMencoder.exe	96
PID 3828 wrote to memory of 884	3828	PSPMencoder.exe	96
PID 3828 wrote to memory of 884	3828	PSPMencoder.exe	96
PID 1756 wrote to memory of 2852	1756	cmd.exe	98
PID 1756 wrote to memory of 2852	1756	cmd.exe	98
PID 1756 wrote to memory of 2852	1756	cmd.exe	98
PID 2728 wrote to memory of 3136	2728	cmd.exe	99
PID 2728 wrote to memory of 3136	2728	cmd.exe	99
PID 2728 wrote to memory of 3136	2728	cmd.exe	99
PID 884 wrote to memory of 2776	884	cmd.exe	100
PID 884 wrote to memory of 2776	884	cmd.exe	100
PID 884 wrote to memory of 2776	884	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\PSPMencoder.exe
"C:\Users\Admin\AppData\Local\Temp\PSPMencoder.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 "C:\Users\Admin\AppData\Local\Temp\QvodInsert.dll" /s
  2⤵
  PID:4900
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 "C:\Users\Admin\AppData\Local\Temp\VnetClinfo.ocx" /s
  2⤵
  - Modifies registry class
  PID:4280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c regtvdllCCTVUpdateInstall.dll.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 "C:\Users\Admin\AppData\Local\Temp\mod\CCTVUpdateInstall.dll" /s
    3⤵
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c regtvdllCCTVPlayer.ocx.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 "C:\Users\Admin\AppData\Local\Temp\mod\CCTVPlayer.ocx" /s
    3⤵
    PID:3136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c regtvdllReli_CCTV.dll.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 "C:\Users\Admin\AppData\Local\Temp\mod\Reli_CCTV.dll" /s
    3⤵
    - Modifies registry class
    PID:2776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QvodCfg.ini

Filesize
292B

MD5
a671d3d075bd4fb6e24efbd2ff6b984a

SHA1
ec6cc7b141cdd5cd45a198dd20878f8038364040

SHA256
b315b489492b336207dea7f9a956d1da68405ddac8f5e0b81b14d5dead1e1f29

SHA512
bc194acfd64d274febee0d6876544c3a3ee759f84ecc0c4b098d1a88d2e26405f6c4d19d320b7ca63ff94f1e07e798eabbfbc3bebcf38489599c9b60207a56b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.dll

Filesize
185B

MD5
3a03fd02ec2c4a8594040d25e1234ec2

SHA1
41c9dbc98f14f04bd88b2149d615f96758bbddb1

SHA256
207ccf7b56f8a780d2cc2b744d32e52fdd4ce6074ca94ad4153160469f7e99ad

SHA512
a5a3d4c8de44eb81fbf4d036809b12318f919a3941d9e99f8e8d7406c4eb4874deb274905a8d20cbf44c64b27e0b2d822cdde661e9ea88933c889e5c9e5e9461

Download Submit
C:\Users\Admin\AppData\Local\Temp\regtvdllCCTVPlayer.ocx.bat

Filesize
122B

MD5
c444d18db692685402218008375621d5

SHA1
16df7100180f98f284f7e1e03b12ad2acd67bfbe

SHA256
cdc0acafbe9318790cc423af79b78dbe1312566177f7968f193f0538948ed31d

SHA512
7ad2265cfb2995c738652accc6e4a52ca1b8360594e54687a01972954f6179ff7228ab1ab075387b7b2b14780b7b58235312288b39b781031a87e614ff5f4784

Download Submit
C:\Users\Admin\AppData\Local\Temp\regtvdllCCTVUpdateInstall.dll.bat

Filesize
136B

MD5
093157afd2189f85f6ff43f1c7d346f7

SHA1
fa3bf14e8815b35ce8e7ee82d3007f06321c2b5e

SHA256
f049fa2c8465660a3b10db1ecb6bc9e0d2aaa1e5176ee2b90e1ac6fc1a561a75

SHA512
df5b31570160516330f6a553dbe69ebb496107df6efa0023baa3f019fad7f5cd6da66c5a80116adbd344e3068086eba6068793c5309a1ee59b4c5306bb6ba62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\regtvdllReli_CCTV.dll.bat

Filesize
120B

MD5
a3b3e0b89cf93ff854bac31c0f5dd47e

SHA1
0d92e673cc424d60eab529d8af01148fb106825b

SHA256
414e23a013713aadcc561d23d04f62c95b8f74c47fef2cdd6e1c67baae4db06f

SHA512
d98f8826f43a1642c23110b2c21538a145ae2ce54379deb6f55c2a291a3726337c48b519631dee7904be7810e08d21f7d3434024cda1bb1220997ec397583c61

Download Submit
memory/4280-2-0x00000000009B0000-0x00000000009BD000-memory.dmp

Filesize
52KB

Download