Overview
overview
8Static
static
82018051817...er.exe
windows7_x64
2018051817...er.exe
windows10_x64
GGLanguage_HTML.dll
windows7_x64
1GGLanguage_HTML.dll
windows10_x64
1atl100.dll
windows7_x64
1atl100.dll
windows10_x64
1iSignatureHTML.dll
windows7_x64
1iSignatureHTML.dll
windows10_x64
1iSignature...cx.dll
windows7_x64
1iSignature...cx.dll
windows10_x64
1msvcp100.dll
windows7_x64
3msvcp100.dll
windows10_x64
3msvcr100.dll
windows7_x64
3msvcr100.dll
windows10_x64
3CaLibraryPro.dll
windows7_x64
1CaLibraryPro.dll
windows10_x64
1GGLanguage.dll
windows7_x64
1GGLanguage.dll
windows10_x64
1GGLanguage_Pub.dll
windows7_x64
1GGLanguage_Pub.dll
windows10_x64
1GdiPlus.dll
windows7_x64
3GdiPlus.dll
windows10_x64
3GoldGridPublic.dll
windows7_x64
1GoldGridPublic.dll
windows10_x64
1KG_Crypt_API.dll
windows7_x64
1KG_Crypt_API.dll
windows10_x64
1KG_Crypt_COM_API.dll
windows7_x64
1KG_Crypt_COM_API.dll
windows10_x64
1KG_LicEnc.dll
windows7_x64
3KG_LicEnc.dll
windows10_x64
3MakeSignature.exe
windows7_x64
3MakeSignature.exe
windows10_x64
3Analysis
-
max time kernel
12s -
max time network
117s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
30-07-2021 09:06
Static task
static1
Behavioral task
behavioral1
Sample
20180518171910472/CAǩ��������/iSignatureǩ������/Installer.exe
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral2
Sample
20180518171910472/CAǩ��������/iSignatureǩ������/Installer.exe
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral3
Sample
GGLanguage_HTML.dll
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral4
Sample
GGLanguage_HTML.dll
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral5
Sample
atl100.dll
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral6
Sample
atl100.dll
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral7
Sample
iSignatureHTML.dll
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral8
Sample
iSignatureHTML.dll
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral9
Sample
iSignatureHTMLAddin.ocx.dll
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral10
Sample
iSignatureHTMLAddin.ocx.dll
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral11
Sample
msvcp100.dll
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral12
Sample
msvcp100.dll
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral13
Sample
msvcr100.dll
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral14
Sample
msvcr100.dll
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral15
Sample
CaLibraryPro.dll
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral16
Sample
CaLibraryPro.dll
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral17
Sample
GGLanguage.dll
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral18
Sample
GGLanguage.dll
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral19
Sample
GGLanguage_Pub.dll
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral20
Sample
GGLanguage_Pub.dll
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral21
Sample
GdiPlus.dll
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral22
Sample
GdiPlus.dll
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral23
Sample
GoldGridPublic.dll
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral24
Sample
GoldGridPublic.dll
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral25
Sample
KG_Crypt_API.dll
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral26
Sample
KG_Crypt_API.dll
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral27
Sample
KG_Crypt_COM_API.dll
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral28
Sample
KG_Crypt_COM_API.dll
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral29
Sample
KG_LicEnc.dll
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral30
Sample
KG_LicEnc.dll
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral31
Sample
MakeSignature.exe
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral32
Sample
MakeSignature.exe
Resource
win10v20210410
windows10_x64
General
-
Target
iSignatureHTML.dll
-
Size
1.2MB
-
MD5
9b672a0998c10063f2783072c5152d97
-
SHA1
a215d0bdf6f1ca4249cb1195366c71b477fa023e
-
SHA256
f5dc0bd8aac59f900c804d442bb0dfabf40a1ec9c2deb251c89cae4b7ff9cb24
-
SHA512
8e4d6630d7d0b028efaff9a901159c47abc9d4252cb34304559141a78d1bbefba6294e986dc2a12470aa6562a3b7a23c9e6dcf8463389bb95242f7a09da0b775
Malware Config
Signatures
-
Modifies registry class 64 IoCs
Processes:
regsvr32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iSignatureHTML.SignatureHTML\ = "SignatureHTML Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C1A41F1A-8F98-44AA-B50B-AC3F2B198769}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iSignatureHTML.SignatureHTML.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63616778-9C24-4E33-AF12-1A3F1F28EA3A}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\MiscStatus\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\MiscStatus\1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\MiscStatus\1\ = "131473" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\Implemented Categories regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BC27F895-BDEB-412A-8CFC-F46E2D66CDB9} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\MiscStatus regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\TypeLib\ = "{C1A41F1A-8F98-44AA-B50B-AC3F2B198769}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\Version regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63616778-9C24-4E33-AF12-1A3F1F28EA3A}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63616778-9C24-4E33-AF12-1A3F1F28EA3A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63616778-9C24-4E33-AF12-1A3F1F28EA3A}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\Control regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C1A41F1A-8F98-44AA-B50B-AC3F2B198769}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63616778-9C24-4E33-AF12-1A3F1F28EA3A}\ = "_ISignatureHTMLEvents" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5227F860-B42F-4F4F-B4D7-A07D02E541B0}\ = "ISignatureHTML" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iSignatureHTML.SignatureHTML\CLSID\ = "{9DE0EBC6-AB6D-446D-8663-FACF298125B3}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iSignatureHTML.SignatureHTML.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63616778-9C24-4E33-AF12-1A3F1F28EA3A}\TypeLib\ = "{C1A41F1A-8F98-44AA-B50B-AC3F2B198769}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BC27F895-BDEB-412A-8CFC-F46E2D66CDB9}\ = "iSignatureHTML" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C1A41F1A-8F98-44AA-B50B-AC3F2B198769}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iSignatureHTML.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5227F860-B42F-4F4F-B4D7-A07D02E541B0}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5227F860-B42F-4F4F-B4D7-A07D02E541B0}\TypeLib\ = "{C1A41F1A-8F98-44AA-B50B-AC3F2B198769}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iSignatureHTML.SignatureHTML\CurVer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C1A41F1A-8F98-44AA-B50B-AC3F2B198769} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C1A41F1A-8F98-44AA-B50B-AC3F2B198769}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C1A41F1A-8F98-44AA-B50B-AC3F2B198769}\1.0\0\win32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63616778-9C24-4E33-AF12-1A3F1F28EA3A}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5227F860-B42F-4F4F-B4D7-A07D02E541B0}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iSignatureHTML.SignatureHTML\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iSignatureHTML.SignatureHTML regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\Version\ = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C1A41F1A-8F98-44AA-B50B-AC3F2B198769}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63616778-9C24-4E33-AF12-1A3F1F28EA3A}\ = "_ISignatureHTMLEvents" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63616778-9C24-4E33-AF12-1A3F1F28EA3A} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5227F860-B42F-4F4F-B4D7-A07D02E541B0}\ = "ISignatureHTML" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5227F860-B42F-4F4F-B4D7-A07D02E541B0}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iSignatureHTML.DLL regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63616778-9C24-4E33-AF12-1A3F1F28EA3A}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63616778-9C24-4E33-AF12-1A3F1F28EA3A}\TypeLib\ = "{C1A41F1A-8F98-44AA-B50B-AC3F2B198769}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5227F860-B42F-4F4F-B4D7-A07D02E541B0} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5227F860-B42F-4F4F-B4D7-A07D02E541B0}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\ToolboxBitmap32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iSignatureHTML.dll, 102" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C1A41F1A-8F98-44AA-B50B-AC3F2B198769}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C1A41F1A-8F98-44AA-B50B-AC3F2B198769}\1.0\ = "iSignatureHTML 1.0 ÀàÐÍ¿â" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\ = "SignatureHTML Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\VersionIndependentProgID\ = "iSignatureHTML.SignatureHTML" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iSignatureHTML.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9DE0EBC6-AB6D-446D-8663-FACF298125B3}\AppID = "{BC27F895-BDEB-412A-8CFC-F46E2D66CDB9}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63616778-9C24-4E33-AF12-1A3F1F28EA3A} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5227F860-B42F-4F4F-B4D7-A07D02E541B0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5227F860-B42F-4F4F-B4D7-A07D02E541B0} regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
regsvr32.exedescription pid process target process PID 1972 wrote to memory of 592 1972 regsvr32.exe regsvr32.exe PID 1972 wrote to memory of 592 1972 regsvr32.exe regsvr32.exe PID 1972 wrote to memory of 592 1972 regsvr32.exe regsvr32.exe
Processes
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/592-114-0x0000000000000000-mapping.dmp