05f4df533dce0752fa82547bf93d1b4b7db6ce942e24e86e50ba4c7d76af3052

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

npDvr.dll
Size

3.3MB
MD5

89967d4fcff2290d437acb365bb08824
SHA1

90c8d98e9ee32f0662cba4b92be47d7de09b3dc5
SHA256

99bb3dbf320649fa9fabc070dadec8ea39ddf9ff5187e09cea1831fa47aa3687
SHA512

233f92994fca4ed55ca424cfd1fcfe1be3b339065b5b44a2fa6b11fe8a12edf8df58194334ac6fae2ccabad4711cc5c5e014c7967ee8443a8b93ee08cfa93920
SSDEEP

24576:XBm+JYs3zbO2CYG0jNBXYGQdX2ngGBAs++A42494k4RRk4k44Vk9Kk4k44+k9f44:01s3zJPG0plYGQU++r8

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5C58CD4C-C4CB-49AA-A848-3DF147674BCF}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\ProgID\ = "NETDVROCX.NetDvrOcxCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C58CD4C-C4CB-49AA-A848-3DF147674BCF}\ = "_DNetDvrOcx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C58CD4C-C4CB-49AA-A848-3DF147674BCF}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9A60417D-18F7-4BAD-88F1-1F2759CD7EF7}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7D2D014-CFFB-4C0B-92C6-DD336553271B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7D2D014-CFFB-4C0B-92C6-DD336553271B}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C58CD4C-C4CB-49AA-A848-3DF147674BCF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NETDVROCX.NetDvrOcxCtrl.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0531EAEB-4282-4E16-B15C-955D70FC8F92}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A60417D-18F7-4BAD-88F1-1F2759CD7EF7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A60417D-18F7-4BAD-88F1-1F2759CD7EF7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7D2D014-CFFB-4C0B-92C6-DD336553271B}\1.0\ = "NetDvrOcx ActiveX Control module"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9A60417D-18F7-4BAD-88F1-1F2759CD7EF7}\TypeLib\ = "{E7D2D014-CFFB-4C0B-92C6-DD336553271B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0531EAEB-4282-4E16-B15C-955D70FC8F92}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\npDvr.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5C58CD4C-C4CB-49AA-A848-3DF147674BCF}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9A60417D-18F7-4BAD-88F1-1F2759CD7EF7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7D2D014-CFFB-4C0B-92C6-DD336553271B}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A60417D-18F7-4BAD-88F1-1F2759CD7EF7}\TypeLib\ = "{E7D2D014-CFFB-4C0B-92C6-DD336553271B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7D2D014-CFFB-4C0B-92C6-DD336553271B}\1.0\FLAGS\ = "2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9A60417D-18F7-4BAD-88F1-1F2759CD7EF7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A60417D-18F7-4BAD-88F1-1F2759CD7EF7}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0531EAEB-4282-4E16-B15C-955D70FC8F92}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\ = "NetDvrOcx Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\npDvr.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5C58CD4C-C4CB-49AA-A848-3DF147674BCF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A60417D-18F7-4BAD-88F1-1F2759CD7EF7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\npDvr.dll, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5C58CD4C-C4CB-49AA-A848-3DF147674BCF}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C58CD4C-C4CB-49AA-A848-3DF147674BCF}\TypeLib\ = "{E7D2D014-CFFB-4C0B-92C6-DD336553271B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9A60417D-18F7-4BAD-88F1-1F2759CD7EF7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9A60417D-18F7-4BAD-88F1-1F2759CD7EF7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7D2D014-CFFB-4C0B-92C6-DD336553271B}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C58CD4C-C4CB-49AA-A848-3DF147674BCF}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9A60417D-18F7-4BAD-88F1-1F2759CD7EF7}\ = "_DNetDvrOcxEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0531EAEB-4282-4E16-B15C-955D70FC8F92}\ = "NetDvrOcx Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NETDVROCX.NetDvrOcxCtrl.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7D2D014-CFFB-4C0B-92C6-DD336553271B}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7D2D014-CFFB-4C0B-92C6-DD336553271B}\1.0\HELPDIR\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NETDVROCX.NetDvrOcxCtrl.1\CLSID\ = "{D55928C0-4325-451B-AE1F-05771C3693C6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\Control\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}\TypeLib\ = "{E7D2D014-CFFB-4C0B-92C6-DD336553271B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7D2D014-CFFB-4C0B-92C6-DD336553271B}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C58CD4C-C4CB-49AA-A848-3DF147674BCF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C58CD4C-C4CB-49AA-A848-3DF147674BCF}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D55928C0-4325-451B-AE1F-05771C3693C6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5C58CD4C-C4CB-49AA-A848-3DF147674BCF}\ = "_DNetDvrOcx"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1992	1688	regsvr32.exe	28
PID 1688 wrote to memory of 1992	1688	regsvr32.exe	28
PID 1688 wrote to memory of 1992	1688	regsvr32.exe	28
PID 1688 wrote to memory of 1992	1688	regsvr32.exe	28
PID 1688 wrote to memory of 1992	1688	regsvr32.exe	28
PID 1688 wrote to memory of 1992	1688	regsvr32.exe	28
PID 1688 wrote to memory of 1992	1688	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\npDvr.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\npDvr.dll
  2⤵
  - Modifies registry class
  PID:1992

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads