f863402dc97c76237cc4acae7eb91d352426ea5fcd8c04e57119870a7c30de03

Analysis

max time kernel
91s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 21:13

Target

f863402dc97c76237cc4acae7eb91d352426ea5fcd8c04e57119870a7c30de03.dll
Size

91KB
MD5

a0ba337d9358d1a5f9473e7963bb1b64
SHA1

25dc0e5079ed79e9041d5ade1aecaeb61a708f8b
SHA256

f863402dc97c76237cc4acae7eb91d352426ea5fcd8c04e57119870a7c30de03
SHA512

19c644aedcc7eea2f3940c22c12922c597c050b25e5fd0e0b04db4c41d1b3a66a3cfc54be3155bbf002a49398c3a99933b7064f993ab51c90c6ed458b1c591f5
SSDEEP

1536:qHxjOffpOXcUdNVc1ylUs1onI8YQRxPGXy40d2UddsVrkpNbHMnKu9zy5Vm:qHxmOs2VeHnIex6y4kLbdHbsnK73

Score

8^/10

upx

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4960-134-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4960-136-0x0000000000400000-0x0000000000433000-memory.dmp	upx

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000000}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\ProgID\	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 4960	5068	regsvr32.exe	83
PID 5068 wrote to memory of 4960	5068	regsvr32.exe	83
PID 5068 wrote to memory of 4960	5068	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f863402dc97c76237cc4acae7eb91d352426ea5fcd8c04e57119870a7c30de03.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\f863402dc97c76237cc4acae7eb91d352426ea5fcd8c04e57119870a7c30de03.dll
  2⤵
  - Modifies registry class
  PID:4960

memory/4960-133-0x0000000000540000-0x0000000000576000-memory.dmp

Filesize
216KB

Download
memory/4960-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-135-0x0000000000540000-0x0000000000576000-memory.dmp

Filesize
216KB

Download
memory/4960-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download