22ddae497eee9808282718a0137787d7d5da471ec8b259c40f4cbc8545d5d730

General

Target

22ddae497eee9808282718a0137787d7d5da471ec8b259c40f4cbc8545d5d730.dll
Size

918KB
MD5

67986ec074b86590e110a76480f7da99
SHA1

9fa5de1cf562c6ba3ac546be97c1ae81c121575e
SHA256

22ddae497eee9808282718a0137787d7d5da471ec8b259c40f4cbc8545d5d730
SHA512

84d45fe5a1df49cde7d2840acf1cc6db34a1b52cef13bd8db5b4945e3c6c239ab1e4c62fc3a87ee8466c12909b9630889d6c7e8ed3a5e957826f37a91f5bba14

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3976 4028 WerFault.exe regsvr32.exe

pid	pid_target	process	target process
3976	4028	WerFault.exe	regsvr32.exe

Modifies registry class 48 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB57B100-853B-11D0-AF95-0080C71F7993}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\22ddae497eee9808282718a0137787d7d5da471ec8b259c40f4cbc8545d5d730.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF3D9C23-AB4E-11D0-A732-00A0C9082637}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\22ddae497eee9808282718a0137787d7d5da471ec8b259c40f4cbc8545d5d730.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC680B41-CDA0-11D1-A936-0080C7C575C0}\ = "Module Manager for Java"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSJava\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3EFB1800-C2A1-11CF-960C-0080C7C2BA87}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3EFB1800-C2A1-11CF-960C-0080C7C2BA87}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3EFB1800-C2A1-11CF-960C-0080C7C2BA87}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\22ddae497eee9808282718a0137787d7d5da471ec8b259c40f4cbc8545d5d730.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\java\CLSID\ = "{DB57B100-853B-11D0-AF95-0080C71F7993}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2073C44-AB4F-11D0-A732-00A0C9082637}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3EFB1800-C2A1-11CF-960C-0080C7C2BA87}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF3D9C23-AB4E-11D0-A732-00A0C9082637}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSJava\ = "Web Browser Applet Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ProgID\ = "MSJava"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{004CE610-CCD1-11D0-A9BA-00A0C908DB5E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\22ddae497eee9808282718a0137787d7d5da471ec8b259c40f4cbc8545d5d730.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ = "Web Browser Applet Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2073C44-AB4F-11D0-A732-00A0C9082637}\ = "Java Package Manager"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{004CE610-CCD1-11D0-A9BA-00A0C908DB5E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC680B41-CDA0-11D1-A936-0080C7C575C0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC680B41-CDA0-11D1-A936-0080C7C575C0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\22ddae497eee9808282718a0137787d7d5da471ec8b259c40f4cbc8545d5d730.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF3D9C23-AB4E-11D0-A732-00A0C9082637}\ = "Code Store Database Manager"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2073C44-AB4F-11D0-A732-00A0C9082637}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\22ddae497eee9808282718a0137787d7d5da471ec8b259c40f4cbc8545d5d730.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{004CE610-CCD1-11D0-A9BA-00A0C908DB5E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC680B41-CDA0-11D1-A936-0080C7C575C0}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{004CE610-CCD1-11D0-A9BA-00A0C908DB5E}\ = "Configuration Object for Java"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{004CE610-CCD1-11D0-A9BA-00A0C908DB5E}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSJava	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\java\ = "java:"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB57B100-853B-11D0-AF95-0080C71F7993}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB57B100-853B-11D0-AF95-0080C71F7993}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF3D9C23-AB4E-11D0-A732-00A0C9082637}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2073C44-AB4F-11D0-A732-00A0C9082637}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC680B41-CDA0-11D1-A936-0080C7C575C0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3EFB1800-C2A1-11CF-960C-0080C7C2BA87}\ = "Execute Object for Java"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\java	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\java\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB57B100-853B-11D0-AF95-0080C71F7993}\ = "java:"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB57B100-853B-11D0-AF95-0080C71F7993}\ProgID\ = "java"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D2073C44-AB4F-11D0-A732-00A0C9082637}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSJava\CLSID\ = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\22ddae497eee9808282718a0137787d7d5da471ec8b259c40f4cbc8545d5d730.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB57B100-853B-11D0-AF95-0080C71F7993}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB57B100-853B-11D0-AF95-0080C71F7993}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF3D9C23-AB4E-11D0-A732-00A0C9082637}	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4248 wrote to memory of 4028	4248	regsvr32.exe	regsvr32.exe
PID 4248 wrote to memory of 4028	4248	regsvr32.exe	regsvr32.exe
PID 4248 wrote to memory of 4028	4248	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\22ddae497eee9808282718a0137787d7d5da471ec8b259c40f4cbc8545d5d730.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\22ddae497eee9808282718a0137787d7d5da471ec8b259c40f4cbc8545d5d730.dll
2⤵
- Modifies registry class
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 640
3⤵
- Program crash
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4028 -ip 4028
1⤵
PID:2116

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads