36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640

Analysis

max time kernel
165s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2022, 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Size

96KB
MD5

5ebdd44c69ecb1fe97db60d1dc3d1fa0
SHA1

d14c6250be59c268d556ae7e0f48806c701683b9
SHA256

36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640
SHA512

9c92de66a9e79b9d315b298ff57db1dfedccf54c7baf7062508034ff913a64f7f57d00b769f662a9bb45eedd6d5f983c16bc006f486cf4c4d3c29b9f055ef58f
SSDEEP

1536:KwqKEpPbXFeHlcAIz1YIa/17Oni1x4J4gkND3WdQ:xsJeH0zAVHS4VND3a

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4336 set thread context of 1340	4336	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe	82

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4768	1340	WerFault.exe	82

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60503AB1-2D27-11D6-B249-00C04F50D575}\1.0\0\win32	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60503AB1-2D27-11D6-B249-00C04F50D575}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60503AB1-2D27-11D6-B249-00C04F50D575}\1.0	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60503AB4-2D27-11D6-B249-00C04F50D575}\ = "ProvideX OLE Server"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60503AB2-2D27-11D6-B249-00C04F50D575}\ProxyStubClsid32	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60503AB2-2D27-11D6-B249-00C04F50D575}\TypeLib	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60503AB8-2D27-11D6-B249-00C04F50D575}\ = "IPvxDispatch"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\APPID\{60503AB4-2D27-11D6-B249-00C04F50D575}	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60503AB8-2D27-11D6-B249-00C04F50D575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60503AB2-2D27-11D6-B249-00C04F50D575}	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60503AB2-2D27-11D6-B249-00C04F50D575}\ = "IScript"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60503AB8-2D27-11D6-B249-00C04F50D575}\ProxyStubClsid32	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60503AB8-2D27-11D6-B249-00C04F50D575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60503AB8-2D27-11D6-B249-00C04F50D575}\TypeLib\Version = "1.0"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60503AB4-2D27-11D6-B249-00C04F50D575}	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60503AB4-2D27-11D6-B249-00C04F50D575}\ProgID\ = "ProvideX.Script"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60503AB2-2D27-11D6-B249-00C04F50D575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60503AB2-2D27-11D6-B249-00C04F50D575}\TypeLib\Version = "1.0"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60503AB4-2D27-11D6-B249-00C04F50D575}\TypeLib	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60503AB1-2D27-11D6-B249-00C04F50D575}\1.0\FLAGS	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60503AB2-2D27-11D6-B249-00C04F50D575}\ = "IScript"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60503AB2-2D27-11D6-B249-00C04F50D575}\ProxyStubClsid32	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60503AB8-2D27-11D6-B249-00C04F50D575}\ProxyStubClsid32	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60503AB2-2D27-11D6-B249-00C04F50D575}\TypeLib	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60503AB8-2D27-11D6-B249-00C04F50D575}\TypeLib	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60503AB1-2D27-11D6-B249-00C04F50D575}	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60503AB1-2D27-11D6-B249-00C04F50D575}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60503AB2-2D27-11D6-B249-00C04F50D575}\TypeLib\Version = "1.0"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60503AB2-2D27-11D6-B249-00C04F50D575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60503AB8-2D27-11D6-B249-00C04F50D575}\TypeLib	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60503AB8-2D27-11D6-B249-00C04F50D575}\TypeLib\Version = "1.0"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60503AB4-2D27-11D6-B249-00C04F50D575}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{60503AB4-2D27-11D6-B249-00C04F50D575}\ = "ProvideX OLE Server"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60503AB1-2D27-11D6-B249-00C04F50D575}\1.0\FLAGS\ = "0"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60503AB4-2D27-11D6-B249-00C04F50D575}\ProgID	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProvideX.Script	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60503AB4-2D27-11D6-B249-00C04F50D575}\Version\ = "1.0"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60503AB2-2D27-11D6-B249-00C04F50D575}\TypeLib\ = "{60503AB1-2D27-11D6-B249-00C04F50D575}"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60503AB8-2D27-11D6-B249-00C04F50D575}\TypeLib\ = "{60503AB1-2D27-11D6-B249-00C04F50D575}"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60503AB1-2D27-11D6-B249-00C04F50D575}\1.0\ = "ProvideX OLE Server Library"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProvideX.Script\Clsid\ = "{60503AB4-2D27-11D6-B249-00C04F50D575}"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60503AB2-2D27-11D6-B249-00C04F50D575}\TypeLib\ = "{60503AB1-2D27-11D6-B249-00C04F50D575}"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60503AB8-2D27-11D6-B249-00C04F50D575}\TypeLib\ = "{60503AB1-2D27-11D6-B249-00C04F50D575}"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60503AB8-2D27-11D6-B249-00C04F50D575}	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60503AB8-2D27-11D6-B249-00C04F50D575}\ = "IPvxDispatch"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ProvideX.Script\Clsid	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60503AB1-2D27-11D6-B249-00C04F50D575}\1.0\0	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60503AB2-2D27-11D6-B249-00C04F50D575}	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60503AB8-2D27-11D6-B249-00C04F50D575}	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60503AB4-2D27-11D6-B249-00C04F50D575}\LocalServer32	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ProvideX.Script\ = "ProvideX OLE Server"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60503AB4-2D27-11D6-B249-00C04F50D575}\Version	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{60503AB4-2D27-11D6-B249-00C04F50D575}\TypeLib\ = "{60503AB1-2D27-11D6-B249-00C04F50D575}"	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60503AB1-2D27-11D6-B249-00C04F50D575}\1.0\HELPDIR	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 1340	4336	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe	82
PID 4336 wrote to memory of 1340	4336	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe	82
PID 4336 wrote to memory of 1340	4336	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe	82
PID 4336 wrote to memory of 1340	4336	36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe	82

C:\Users\Admin\AppData\Local\Temp\36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
"C:\Users\Admin\AppData\Local\Temp\36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Users\Admin\AppData\Local\Temp\36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe
  "C:\Users\Admin\AppData\Local\Temp\36c2a39005b0117ddb54aa7e95704ff28bb770035f2278fa84001916c6660640.exe"
  2⤵
  PID:1340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 440
    3⤵
    - Program crash
    PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1340 -ip 1340
1⤵
PID:2328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1340-132-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads