Analysis
max time kernel: 133s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-05-2024 17:14
Static task: static1
Behavioral task: behavioral1
  Sample: e73f801a92dfc3fcb78fa31ea7fd77682d822cd88036d29c0fb76dad7ac43a5c.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e73f801a92dfc3fcb78fa31ea7fd77682d822cd88036d29c0fb76dad7ac43a5c.dll
  Resource: win10v2004-20240419-en
General
Target: e73f801a92dfc3fcb78fa31ea7fd77682d822cd88036d29c0fb76dad7ac43a5c.dll
Size: 300KB
MD5: bbfbae75f55a3e97b91cc3ca0f877677
SHA1: 897890e3a3fdcbf74d30c82dafadaf72795dc32c
SHA256: e73f801a92dfc3fcb78fa31ea7fd77682d822cd88036d29c0fb76dad7ac43a5c
SHA512: cbb7515211bb185ef800cbf05f72eebf619103189e7f6ecba71b5c7ba6431630a6b60dc17c3e4da72c935c7b33374d265ed42c0fa79ae3bc799815f88766fc30
SSDEEP: 6144:gTYZcLgO8AMegz2wt0ZwUtQo8HEpvvI8vw+/72l96RLh9oh/qU7kvy5:gUZcLgOoe5gety6vvIbgLLokUSy5
Malware Config
Signatures
Registers COM server for autorun (1 TTPs, 3 IoCs)
Processes: regsvr32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF44BCB9-2B14-45D4-A240-718921948B79}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF44BCB9-2B14-45D4-A240-718921948B79}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF44BCB9-2B14-45D4-A240-718921948B79}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e73f801a92dfc3fcb78fa31ea7fd77682d822cd88036d29c0fb76dad7ac43a5c.dll" | regsvr32.exe
Modifies registry class (36 IoCs)
Processes: regsvr32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{894D5659-161A-4CBB-A15A-0974EF906A01}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{894D5659-161A-4CBB-A15A-0974EF906A01}\ = "IMyShellExt" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{14005211-2A79-4772-A715-F6558026FE8A}\1.0\HELPDIR | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF44BCB9-2B14-45D4-A240-718921948B79}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\TantoWifiticality | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{14005211-2A79-4772-A715-F6558026FE8A}\1.0\ = "MyShellExtLib" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{14005211-2A79-4772-A715-F6558026FE8A}\1.0\0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF44BCB9-2B14-45D4-A240-718921948B79}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF44BCB9-2B14-45D4-A240-718921948B79}\ = "CTantoWifiticality Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF44BCB9-2B14-45D4-A240-718921948B79}\Programmable | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF44BCB9-2B14-45D4-A240-718921948B79}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e73f801a92dfc3fcb78fa31ea7fd77682d822cd88036d29c0fb76dad7ac43a5c.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\TantoWifiticality\ = "{AF44BCB9-2B14-45D4-A240-718921948B79}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{14005211-2A79-4772-A715-F6558026FE8A} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{14005211-2A79-4772-A715-F6558026FE8A}\1.0\0\win64 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{14005211-2A79-4772-A715-F6558026FE8A}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e73f801a92dfc3fcb78fa31ea7fd77682d822cd88036d29c0fb76dad7ac43a5c.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{14005211-2A79-4772-A715-F6558026FE8A}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF44BCB9-2B14-45D4-A240-718921948B79} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{894D5659-161A-4CBB-A15A-0974EF906A01}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{894D5659-161A-4CBB-A15A-0974EF906A01} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF44BCB9-2B14-45D4-A240-718921948B79}\Version\ = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{14005211-2A79-4772-A715-F6558026FE8A}\1.0\FLAGS | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{894D5659-161A-4CBB-A15A-0974EF906A01} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{894D5659-161A-4CBB-A15A-0974EF906A01}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF44BCB9-2B14-45D4-A240-718921948B79}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{14005211-2A79-4772-A715-F6558026FE8A}\1.0\FLAGS\ = "0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{894D5659-161A-4CBB-A15A-0974EF906A01}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF44BCB9-2B14-45D4-A240-718921948B79}\TypeLib\ = "{14005211-2A79-4772-A715-F6558026FE8A}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{14005211-2A79-4772-A715-F6558026FE8A}\1.0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{894D5659-161A-4CBB-A15A-0974EF906A01}\ = "IMyShellExt" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{894D5659-161A-4CBB-A15A-0974EF906A01}\TypeLib\ = "{14005211-2A79-4772-A715-F6558026FE8A}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{894D5659-161A-4CBB-A15A-0974EF906A01}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{894D5659-161A-4CBB-A15A-0974EF906A01}\TypeLib\ = "{14005211-2A79-4772-A715-F6558026FE8A}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF44BCB9-2B14-45D4-A240-718921948B79}\Version | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{894D5659-161A-4CBB-A15A-0974EF906A01}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{894D5659-161A-4CBB-A15A-0974EF906A01}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{894D5659-161A-4CBB-A15A-0974EF906A01}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe