b4df58a183807ded6fe63c6a0c751be7cd4cc102a089e2ce1aebd9b72a3f1b37

Analysis

max time kernel
131s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2022, 23:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b4df58a183807ded6fe63c6a0c751be7cd4cc102a089e2ce1aebd9b72a3f1b37.dll
Size

452KB
MD5

2954e2a662e7b8abaccb530f8bf3512c
SHA1

0ef9eeec288e16cff4f6b5d964a4a31e5b6040d3
SHA256

b4df58a183807ded6fe63c6a0c751be7cd4cc102a089e2ce1aebd9b72a3f1b37
SHA512

d1a5eb06a83262d6eaeb0ef180138e13c19dde990d87d322470ae2c630b2ef3a3233a1a59548f2fd83dca818dd356f7b23c15c378739e6f9162dc21e5eeb275e
SSDEEP

6144:cCNZXrsfqB7V9v23kYRCXeS/NdqvSYeMCoRil+f:cGrsfq1fvyRCOSqSYfRs

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}\12f.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1568B4B1-FC9F-4AB6-BCC6-53CB2581A5B5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1568B4B1-FC9F-4AB6-BCC6-53CB2581A5B5}\TypeLib\Version = "12f.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43952997-8819-423C-A4FF-1DC234D513B4}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43952997-8819-423C-A4FF-1DC234D513B4}\TypeLib\ = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43952997-8819-423C-A4FF-1DC234D513B4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43952997-8819-423C-A4FF-1DC234D513B4}\TypeLib\Version = "12f.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CF114AC-6A9D-458C-AF5E-27935AEF6224}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57DFDA4B-94AB-4566-920D-1631B2F6991D}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1568B4B1-FC9F-4AB6-BCC6-53CB2581A5B5}\TypeLib\ = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CF114AC-6A9D-458C-AF5E-27935AEF6224}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43952997-8819-423C-A4FF-1DC234D513B4}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43952997-8819-423C-A4FF-1DC234D513B4}\ = "__rfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968B871F-7A44-488A-AF20-0F450BCB8772}\ProgID\ = "fcfr.rfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1568B4B1-FC9F-4AB6-BCC6-53CB2581A5B5}\ = "hup"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}\12f.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CF114AC-6A9D-458C-AF5E-27935AEF6224}\TypeLib\ = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}\12f.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}\12f.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1568B4B1-FC9F-4AB6-BCC6-53CB2581A5B5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1568B4B1-FC9F-4AB6-BCC6-53CB2581A5B5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CF114AC-6A9D-458C-AF5E-27935AEF6224}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fcfr.rfo	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57DFDA4B-94AB-4566-920D-1631B2F6991D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57DFDA4B-94AB-4566-920D-1631B2F6991D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968B871F-7A44-488A-AF20-0F450BCB8772}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fcfr.rfo\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fcfr.rfo\Clsid\ = "{968B871F-7A44-488A-AF20-0F450BCB8772}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fcfr.hup\ = "fcfr.hup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1568B4B1-FC9F-4AB6-BCC6-53CB2581A5B5}\TypeLib\ = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CF114AC-6A9D-458C-AF5E-27935AEF6224}\ = "_rfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43952997-8819-423C-A4FF-1DC234D513B4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43952997-8819-423C-A4FF-1DC234D513B4}\TypeLib\ = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968B871F-7A44-488A-AF20-0F450BCB8772}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b4df58a183807ded6fe63c6a0c751be7cd4cc102a089e2ce1aebd9b72a3f1b37.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fcfr.rfo\ = "fcfr.rfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fcfr.hup\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57DFDA4B-94AB-4566-920D-1631B2F6991D}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1568B4B1-FC9F-4AB6-BCC6-53CB2581A5B5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CF114AC-6A9D-458C-AF5E-27935AEF6224}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43952997-8819-423C-A4FF-1DC234D513B4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57DFDA4B-94AB-4566-920D-1631B2F6991D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b4df58a183807ded6fe63c6a0c751be7cd4cc102a089e2ce1aebd9b72a3f1b37.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1568B4B1-FC9F-4AB6-BCC6-53CB2581A5B5}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}\12f.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}\12f.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b4df58a183807ded6fe63c6a0c751be7cd4cc102a089e2ce1aebd9b72a3f1b37.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43952997-8819-423C-A4FF-1DC234D513B4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CF114AC-6A9D-458C-AF5E-27935AEF6224}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57DFDA4B-94AB-4566-920D-1631B2F6991D}\ = "fcfr.hup"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fcfr.hup	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1568B4B1-FC9F-4AB6-BCC6-53CB2581A5B5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CF114AC-6A9D-458C-AF5E-27935AEF6224}\TypeLib\ = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CF114AC-6A9D-458C-AF5E-27935AEF6224}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43952997-8819-423C-A4FF-1DC234D513B4}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968B871F-7A44-488A-AF20-0F450BCB8772}\ = "fcfr.rfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{968B871F-7A44-488A-AF20-0F450BCB8772}\VERSION	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43952997-8819-423C-A4FF-1DC234D513B4}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57DFDA4B-94AB-4566-920D-1631B2F6991D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57DFDA4B-94AB-4566-920D-1631B2F6991D}\TypeLib\ = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}\12f.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CF114AC-6A9D-458C-AF5E-27935AEF6224}\TypeLib\Version = "12f.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CF114AC-6A9D-458C-AF5E-27935AEF6224}\TypeLib\Version = "12f.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{43952997-8819-423C-A4FF-1DC234D513B4}\ = "__rfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57DFDA4B-94AB-4566-920D-1631B2F6991D}\VERSION	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CF114AC-6A9D-458C-AF5E-27935AEF6224}	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 4064	4364	regsvr32.exe	78
PID 4364 wrote to memory of 4064	4364	regsvr32.exe	78
PID 4364 wrote to memory of 4064	4364	regsvr32.exe	78

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b4df58a183807ded6fe63c6a0c751be7cd4cc102a089e2ce1aebd9b72a3f1b37.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\b4df58a183807ded6fe63c6a0c751be7cd4cc102a089e2ce1aebd9b72a3f1b37.dll
  2⤵
  - Modifies registry class
  PID:4064

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads