7ebb39598971797d7d00a26ea96cd5b29f2b0032e5549087fcef66ba140b4514

Analysis

max time kernel
30s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ebb39598971797d7d00a26ea96cd5b29f2b0032e5549087fcef66ba140b4514.dll
Size

105KB
MD5

67719ed33951fb78185c68540afec8ac
SHA1

6ab7da3e02ca64320bdd7c7397f5a076b7b90fc2
SHA256

7ebb39598971797d7d00a26ea96cd5b29f2b0032e5549087fcef66ba140b4514
SHA512

2eff095b04f1cf245caae391bcc5bc78cb999dc150cd0adc921369c6ff15b48a577fead66532cf6e37745863813cfbde3711eda66b7390102425128f5fe5634d
SSDEEP

3072:7pb28wOVc6Tlz8dOVXn/Z/hWEmeU1V8jyO6kLXh:lSCGOVjXcs6UXh

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
988	regsvr32mgr.exe

Loads dropped DLL 9 IoCs

pid	Process
1876	regsvr32.exe
1876	regsvr32.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1684	988	WerFault.exe	29

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0CA97EEE-C8C4-4B10-A332-10AF1FBEB534}\ProxyStubClsid32\ = "{0CA97EEE-C8C4-4B10-A332-10AF1FBEB534}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0CA97EEE-C8C4-4B10-A332-10AF1FBEB534}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CA97EEE-C8C4-4B10-A332-10AF1FBEB534}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ebb39598971797d7d00a26ea96cd5b29f2b0032e5549087fcef66ba140b4514.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0CA97EEE-C8C4-4B10-A332-10AF1FBEB534}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0CA97EEE-C8C4-4B10-A332-10AF1FBEB534}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0CA97EEE-C8C4-4B10-A332-10AF1FBEB534}\ = "IImboosterPlugin"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0CA97EEE-C8C4-4B10-A332-10AF1FBEB534}\NumMethods\ = "7"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CA97EEE-C8C4-4B10-A332-10AF1FBEB534}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CA97EEE-C8C4-4B10-A332-10AF1FBEB534}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CA97EEE-C8C4-4B10-A332-10AF1FBEB534}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CA97EEE-C8C4-4B10-A332-10AF1FBEB534}\ = "PSFactoryBuffer"	regsvr32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1876	1960	regsvr32.exe	28
PID 1960 wrote to memory of 1876	1960	regsvr32.exe	28
PID 1960 wrote to memory of 1876	1960	regsvr32.exe	28
PID 1960 wrote to memory of 1876	1960	regsvr32.exe	28
PID 1960 wrote to memory of 1876	1960	regsvr32.exe	28
PID 1960 wrote to memory of 1876	1960	regsvr32.exe	28
PID 1960 wrote to memory of 1876	1960	regsvr32.exe	28
PID 1876 wrote to memory of 988	1876	regsvr32.exe	29
PID 1876 wrote to memory of 988	1876	regsvr32.exe	29
PID 1876 wrote to memory of 988	1876	regsvr32.exe	29
PID 1876 wrote to memory of 988	1876	regsvr32.exe	29
PID 988 wrote to memory of 1684	988	regsvr32mgr.exe	30
PID 988 wrote to memory of 1684	988	regsvr32mgr.exe	30
PID 988 wrote to memory of 1684	988	regsvr32mgr.exe	30
PID 988 wrote to memory of 1684	988	regsvr32mgr.exe	30

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7ebb39598971797d7d00a26ea96cd5b29f2b0032e5549087fcef66ba140b4514.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\7ebb39598971797d7d00a26ea96cd5b29f2b0032e5549087fcef66ba140b4514.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 156
      4⤵
      Loads dropped DLL
      Program crash
      PID:1684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
memory/1876-56-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1960-54-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download