Overview
overview
7Static
static
52de691adb4...2d.exe
windows7-x64
72de691adb4...2d.exe
windows10-2004-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3kuaibo.exe
windows7-x64
7kuaibo.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Codecs/CoreAVC.dll
windows7-x64
5Codecs/CoreAVC.dll
windows10-2004-x64
5Codecs/FLV...er.dll
windows7-x64
3Codecs/FLV...er.dll
windows10-2004-x64
3Codecs/MP4...er.dll
windows7-x64
3Codecs/MP4...er.dll
windows10-2004-x64
3Codecs/Mat...er.dll
windows7-x64
3Codecs/Mat...er.dll
windows10-2004-x64
3Codecs/Mpa...er.dll
windows7-x64
3Codecs/Mpa...er.dll
windows10-2004-x64
3Codecs/QMV...er.dll
windows7-x64
3Codecs/QMV...er.dll
windows10-2004-x64
3Codecs/Qmv...er.dll
windows7-x64
3Codecs/Qmv...er.dll
windows10-2004-x64
3Codecs/Qvo...ec.dll
windows7-x64
3Codecs/Qvo...ec.dll
windows10-2004-x64
3Codecs/QvodSound.dll
windows7-x64
3Codecs/QvodSound.dll
windows10-2004-x64
3Codecs/QvodSource.dll
windows7-x64
3Codecs/QvodSource.dll
windows10-2004-x64
3Analysis
-
max time kernel
30s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-11-2024 00:10
Behavioral task
behavioral1
Sample
2de691adb4984c996a0de98c998dc968d80244a61415da63a54744ce434fb12d.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
2de691adb4984c996a0de98c998dc968d80244a61415da63a54744ce434fb12d.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsTools.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsTools.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
kuaibo.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral8
Sample
kuaibo.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Codecs/CoreAVC.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
Codecs/CoreAVC.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Codecs/FLVSplitter.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
Codecs/FLVSplitter.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Codecs/MP4Splitter.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
Codecs/MP4Splitter.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Codecs/MatroskaSplitter.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral20
Sample
Codecs/MatroskaSplitter.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Codecs/MpaSplitter.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
Codecs/MpaSplitter.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Codecs/QMVSplitterFilter.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral24
Sample
Codecs/QMVSplitterFilter.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Codecs/QmvbSplitter.dll
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral26
Sample
Codecs/QmvbSplitter.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Codecs/QvodMpeg2Dec.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
Codecs/QvodMpeg2Dec.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
Codecs/QvodSound.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
Codecs/QvodSound.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
Codecs/QvodSource.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral32
Sample
Codecs/QvodSource.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
Codecs/QvodSound.dll
-
Size
271KB
-
MD5
c0a19162635d5380a31aea2452e1f13b
-
SHA1
6574323f45227f899318b0ec0ca21b5a3736a505
-
SHA256
9dcd076dbe2cc9dade244794b4ccfd7f131ebf84f00d020092606493bb9d5ca8
-
SHA512
21e18e25759cdee3b437d2195de79720d861469d4457920ad5186438fda867dcdd2ca1a9127b4d11c14c48b0d4121fe1fd75dab7a7d8000433ca9906ae83ff7a
-
SSDEEP
6144:CruOoH74YYhla0EUUmJuCIHAOmDj8ssssssssw6:CrO4YYhc2Sp
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
Modifies registry class 14 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E756F73-15A3-4ECE-98C0-D9CD2744F5A8}\ = "SoundFilter" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89B2C28D-779F-4704-AD29-113B0977E8A5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Codecs\\QvodSound.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6E756F73-15A3-4ECE-98C0-D9CD2744F5A8}\CLSID = "{6E756F73-15A3-4ECE-98C0-D9CD2744F5A8}" regsvr32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6E756F73-15A3-4ECE-98C0-D9CD2744F5A8}\FilterData = 0200000000002000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000700000006175647300001000800000aa00389b710100000000001000800000aa00389b71 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E756F73-15A3-4ECE-98C0-D9CD2744F5A8}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89B2C28D-779F-4704-AD29-113B0977E8A5}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E756F73-15A3-4ECE-98C0-D9CD2744F5A8} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89B2C28D-779F-4704-AD29-113B0977E8A5} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89B2C28D-779F-4704-AD29-113B0977E8A5}\ = "Sound Contrast Property Page" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6E756F73-15A3-4ECE-98C0-D9CD2744F5A8} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6E756F73-15A3-4ECE-98C0-D9CD2744F5A8}\FriendlyName = "SoundFilter" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E756F73-15A3-4ECE-98C0-D9CD2744F5A8}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E756F73-15A3-4ECE-98C0-D9CD2744F5A8}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Codecs\\QvodSound.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89B2C28D-779F-4704-AD29-113B0977E8A5}\InprocServer32\ThreadingModel = "Both" regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2636 wrote to memory of 2408 2636 regsvr32.exe 30 PID 2636 wrote to memory of 2408 2636 regsvr32.exe 30 PID 2636 wrote to memory of 2408 2636 regsvr32.exe 30 PID 2636 wrote to memory of 2408 2636 regsvr32.exe 30 PID 2636 wrote to memory of 2408 2636 regsvr32.exe 30 PID 2636 wrote to memory of 2408 2636 regsvr32.exe 30 PID 2636 wrote to memory of 2408 2636 regsvr32.exe 30
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\Codecs\QvodSound.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\Codecs\QvodSound.dll2⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2408
-