2ebe686bc9081327c4f3265c4934920816bb37c568990e6fa2ed7ee4cd820699

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 23:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2ebe686bc9081327c4f3265c4934920816bb37c568990e6fa2ed7ee4cd820699.dll
Size

260KB
MD5

76d25a76d022e367e6b6cebb76ad66bd
SHA1

1f3641fa5e63bed92308128b0d095f3a9b166ce4
SHA256

2ebe686bc9081327c4f3265c4934920816bb37c568990e6fa2ed7ee4cd820699
SHA512

3fb9a684a2b675ae05b7b24d048e07811fc4a9422b2438c115c291a04f7f711dada535f90b3cf53a01100c5ce1f3a6f67a8f7b5b681fa18e49af691b431404ec
SSDEEP

3072:e/Vki5sQYif7L90zL/GRt0+VvDz9ew289gNYV/NHZA:6N/izr+vfUw28x

Score

1^/10

Malware Config

Signatures

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{1608ADB1-3E72-45A6-AB10-70425452F75A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{1608ADB1-3E72-45A6-AB10-70425452F75A}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2ebe686bc9081327c4f3265c4934920816bb37c568990e6fa2ed7ee4cd820699.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BF807AA-F29E-4EA0-8CAB-76E5B5993488}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D04FB36F-CB74-4C60-AAEC-0E87D4E0F093}\ = "AFAC_RTALIBRO_LIB.AFAC_RTALIBRO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{1608ADB1-3E72-45A6-AB10-70425452F75A}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{1608ADB1-3E72-45A6-AB10-70425452F75A}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BF807AA-F29E-4EA0-8CAB-76E5B5993488}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D04FB36F-CB74-4C60-AAEC-0E87D4E0F093}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BF807AA-F29E-4EA0-8CAB-76E5B5993488}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D04FB36F-CB74-4C60-AAEC-0E87D4E0F093}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D04FB36F-CB74-4C60-AAEC-0E87D4E0F093}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D04FB36F-CB74-4C60-AAEC-0E87D4E0F093}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2ebe686bc9081327c4f3265c4934920816bb37c568990e6fa2ed7ee4cd820699.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{1608ADB1-3E72-45A6-AB10-70425452F75A}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{1608ADB1-3E72-45A6-AB10-70425452F75A}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BF807AA-F29E-4EA0-8CAB-76E5B5993488}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BF807AA-F29E-4EA0-8CAB-76E5B5993488}\TypeLib\ = "{1608ADB1-3E72-45A6-AB10-70425452F75A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BF807AA-F29E-4EA0-8CAB-76E5B5993488}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D04FB36F-CB74-4C60-AAEC-0E87D4E0F093}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D04FB36F-CB74-4C60-AAEC-0E87D4E0F093}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D04FB36F-CB74-4C60-AAEC-0E87D4E0F093}\VERSION\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{1608ADB1-3E72-45A6-AB10-70425452F75A}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BF807AA-F29E-4EA0-8CAB-76E5B5993488}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BF807AA-F29E-4EA0-8CAB-76E5B5993488}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D04FB36F-CB74-4C60-AAEC-0E87D4E0F093}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BF807AA-F29E-4EA0-8CAB-76E5B5993488}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BF807AA-F29E-4EA0-8CAB-76E5B5993488}\ = "_AFAC_RTALIBRO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D04FB36F-CB74-4C60-AAEC-0E87D4E0F093}\TypeLib\ = "{1608ADB1-3E72-45A6-AB10-70425452F75A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AFAC_RTALIBRO_LIB.AFAC_RTALIBRO\ = "AFAC_RTALIBRO_LIB.AFAC_RTALIBRO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BF807AA-F29E-4EA0-8CAB-76E5B5993488}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D04FB36F-CB74-4C60-AAEC-0E87D4E0F093}\ProgID\ = "AFAC_RTALIBRO_LIB.AFAC_RTALIBRO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BF807AA-F29E-4EA0-8CAB-76E5B5993488}\ = "AFAC_RTALIBRO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AFAC_RTALIBRO_LIB.AFAC_RTALIBRO	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AFAC_RTALIBRO_LIB.AFAC_RTALIBRO\Clsid\ = "{D04FB36F-CB74-4C60-AAEC-0E87D4E0F093}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{1608ADB1-3E72-45A6-AB10-70425452F75A}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BF807AA-F29E-4EA0-8CAB-76E5B5993488}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BF807AA-F29E-4EA0-8CAB-76E5B5993488}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BF807AA-F29E-4EA0-8CAB-76E5B5993488}\TypeLib\ = "{1608ADB1-3E72-45A6-AB10-70425452F75A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D04FB36F-CB74-4C60-AAEC-0E87D4E0F093}\VERSION	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AFAC_RTALIBRO_LIB.AFAC_RTALIBRO\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D04FB36F-CB74-4C60-AAEC-0E87D4E0F093}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{1608ADB1-3E72-45A6-AB10-70425452F75A}\1.0\ = "FACTURA ELECTRONICA - SII - ( SQL ) - Respuesta Libros"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{1608ADB1-3E72-45A6-AB10-70425452F75A}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BF807AA-F29E-4EA0-8CAB-76E5B5993488}\ = "_AFAC_RTALIBRO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BF807AA-F29E-4EA0-8CAB-76E5B5993488}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 632	908	regsvr32.exe	27
PID 908 wrote to memory of 632	908	regsvr32.exe	27
PID 908 wrote to memory of 632	908	regsvr32.exe	27
PID 908 wrote to memory of 632	908	regsvr32.exe	27
PID 908 wrote to memory of 632	908	regsvr32.exe	27
PID 908 wrote to memory of 632	908	regsvr32.exe	27
PID 908 wrote to memory of 632	908	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2ebe686bc9081327c4f3265c4934920816bb37c568990e6fa2ed7ee4cd820699.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\2ebe686bc9081327c4f3265c4934920816bb37c568990e6fa2ed7ee4cd820699.dll
  2⤵
  - Modifies registry class
  PID:632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/632-56-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/908-54-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads