f3004cba2edabdd7c66e29381743efd9301bc612d1141eaed327213737476843

Analysis

max time kernel
130s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 12:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

CPFilters.dll
Size

693KB
MD5

5b99119f715f5935dd9b8906824ca7a1
SHA1

aa25407f15cc6d9b6b67d7a915893017a83753fd
SHA256

f3004cba2edabdd7c66e29381743efd9301bc612d1141eaed327213737476843
SHA512

e454f80cde818018897f522b931cd15f66d149803ee32d118926d1c065a666d293ed528cfe6d17ee11fad114b3e8ea7f65c6f3e3528ebee6f323de9788ec34a1
SSDEEP

12288:jJaZlqnugiCWm8lGJFQNMg7panf5YaNos5PHxzHDzDLwxxDYjjsuPrl4RnkTfMk:F++ugiCpFJFQNMg7panf5Yeo4PRzjzek

Score

1^/10

Malware Config

Signatures

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{76B4FCAC-BB29-11DB-96F1-005056C00008}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{09144FD6-BB29-11DB-96F1-005056C00008}\FriendlyName = "Decrypt/DeTag"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{09144FD6-BB29-11DB-96F1-005056C00008}\CLSID = "{09144FD6-BB29-11DB-96F1-005056C00008}"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A56AF32-C21F-11DB-96FA-005056C00008}\Instance\PBDA ETFilter\FilterData = 02000000000020000000000000000000	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{4A56AF32-C21F-11DB-96FA-005056C00008}\FriendlyName = "PBDA CP Filters"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A56AF32-C21F-11DB-96FA-005056C00008}\Instance\PBDA ETFilter	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C2E132-C29B-11DB-96FA-005056C00008}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{09144FD6-BB29-11DB-96F1-005056C00008}\FilterData = 02000000000060000000000000000000	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{4A56AF32-C21F-11DB-96FA-005056C00008}\CLSID = "{4A56AF32-C21F-11DB-96FA-005056C00008}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{4A56AF32-C21F-11DB-96FA-005056C00008}\Merit = "6291456"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76B4FCAC-BB29-11DB-96F1-005056C00008}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C2E132-C29B-11DB-96FA-005056C00008}\FriendlyName = "Protected Tuner"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{76B4FCAC-BB29-11DB-96F1-005056C00008}\FriendlyName = "ETFilter"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{76B4FCAC-BB29-11DB-96F1-005056C00008}\CLSID = "{76B4FCAC-BB29-11DB-96F1-005056C00008}"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{76B4FCAC-BB29-11DB-96F1-005056C00008}\FilterData = 02000000000020000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A56AF32-C21F-11DB-96FA-005056C00008}\Instance\PBDA DTFilter	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A56AF32-C21F-11DB-96FA-005056C00008}\Instance\PBDA DTFilter\FriendlyName = "PBDA DTFilter"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A56AF32-C21F-11DB-96FA-005056C00008}\Instance\PBDA DTFilter\FilterData = 020000000000600002000000000000003070693300000000000000000400000000000000000000003074793300000000600100007001000031747933000000008001000070010000327479330000000090010000700100003374793300000000a0010000700100003170693308000000000000000e0000000000000000000000307479330000000080010000b0010000317479330000000080010000c0010000327479330000000060010000d0010000337479330000000060010000e0010000347479330000000060010000f001000035747933000000006001000000020000367479330000000060010000100200003774793300000000a0010000200200003874793300000000a0010000300200003974793300000000a0010000400200003a7479330000000050020000600200003b7479330000000050020000700200003c7479330000000050020000800200003d7479330000000050020000900200006175647300001000800000aa00389b7128bdad46d06f964793b2155c51dc048d7669647300001000800000aa00389b71898a8bb849b0804cadcf5898985e22c16c175f45064bce479aef8caef73df7b526806de046dbcf11b4d100805f6cbbea4832363400001000800000aa00389b7181eb36e44f52ce119f530020af0ba7702c806de046dbcf11b4d100805f6cbbea2b806de046dbcf11b4d100805f6cbbea0016000000001000800000aa00389b710216000000001000800000aa00389b715be592c82d25b542a316d997e7a5d995b088d91efc3f23458725347beec1a8a079859f4af86b92438a6dd2dd09fa786120806de046dbcf11b4d100805f6cbbeae3762af70aebd011ace40000c0cc16bac3cbff34b3d571419002d4c60301697f7dd69d05552e414d8d1b01f5e4f50607286ddc36a6f1164290489cfcefeb5eba	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C2E132-C29B-11DB-96FA-005056C00008}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A56AF32-C21F-11DB-96FA-005056C00008}\Instance\PBDA PTFilter\FriendlyName = "PBDA PTFilter"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A56AF32-C21F-11DB-96FA-005056C00008}\Instance\PBDA ETFilter\FriendlyName = "PBDA ETFilter"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A56AF32-C21F-11DB-96FA-005056C00008}\Instance\PBDA ETFilter\CLSID = "{76B4FCAC-BB29-11DB-96F1-005056C00008}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A56AF32-C21F-11DB-96FA-005056C00008}\Instance\PBDA DTFilter\CLSID = "{09144FD6-BB29-11DB-96F1-005056C00008}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76B4FCAC-BB29-11DB-96F1-005056C00008}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C2E132-C29B-11DB-96FA-005056C00008}\CLSID = "{89C2E132-C29B-11DB-96FA-005056C00008}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A56AF32-C21F-11DB-96FA-005056C00008}\Instance\PBDA PTFilter	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{76B4FCAC-BB29-11DB-96F1-005056C00008}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C2E132-C29B-11DB-96FA-005056C00008}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09144FD6-BB29-11DB-96F1-005056C00008}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C2E132-C29B-11DB-96FA-005056C00008}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C2E132-C29B-11DB-96FA-005056C00008}\FilterData = 02000000000020000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{09144FD6-BB29-11DB-96F1-005056C00008}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09144FD6-BB29-11DB-96F1-005056C00008}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{09144FD6-BB29-11DB-96F1-005056C00008}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{4A56AF32-C21F-11DB-96FA-005056C00008}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A56AF32-C21F-11DB-96FA-005056C00008}\Instance\PBDA PTFilter\CLSID = "{89C2E132-C29B-11DB-96FA-005056C00008}"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A56AF32-C21F-11DB-96FA-005056C00008}\Instance\PBDA PTFilter\FilterData = 02000000000020000000000000000000	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1956	1896	regsvr32.exe	83
PID 1896 wrote to memory of 1956	1896	regsvr32.exe	83
PID 1896 wrote to memory of 1956	1896	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CPFilters.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\CPFilters.dll
  2⤵
  - Modifies registry class
  PID:1956

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads