75d628e3ae278fb8a4007ec86853894f44558141c0f55f3649e47692c9e1e72b

Analysis

max time kernel
32s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75d628e3ae278fb8a4007ec86853894f44558141c0f55f3649e47692c9e1e72b.dll
Size

164KB
MD5

79d13087687b7fc5487a03d5250fd9b0
SHA1

904711066a458106b77040b2692a72eab5f253ea
SHA256

75d628e3ae278fb8a4007ec86853894f44558141c0f55f3649e47692c9e1e72b
SHA512

02f22047f0022f5e050f3d9bb2c86f7436330d4c11c270d46664415539d78d5ae53687e78b8992ea71726de2d6f4463cbbf6ff527c316e8ed6ff943e3887b138
SSDEEP

3072:TLgej89OAtFdz2LXXVoeA77mTZk4ibHWdJx3ok:TE9OAtHqTVor7m+hbCxYk

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1868	regsvr32mgr.exe

Loads dropped DLL 2 IoCs

pid	Process
696	regsvr32.exe
696	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{10273E06-98BB-4151-92A9-9C4AD224DD3E}\ = "CVaio"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\CVaio.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\CVaio.DLL\AppID = "{10273E06-98BB-4151-92A9-9C4AD224DD3E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD830B23-91C4-46FB-8039-287269FD98F8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD830B23-91C4-46FB-8039-287269FD98F8}\AppID = "{10273E06-98BB-4151-92A9-9C4AD224DD3E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47ED5A4A-76C1-4F50-ACE0-F75E5765341F}\1.0\ = "CVaio 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CVaio.ShellItemImageFactory.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CVaio.ShellItemImageFactory	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD830B23-91C4-46FB-8039-287269FD98F8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD830B23-91C4-46FB-8039-287269FD98F8}\TypeLib\ = "{47ED5A4A-76C1-4F50-ACE0-F75E5765341F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CVaio.ShellItemImageFactory.1\ = "ShellItemImageFactory Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD830B23-91C4-46FB-8039-287269FD98F8}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47ED5A4A-76C1-4F50-ACE0-F75E5765341F}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47ED5A4A-76C1-4F50-ACE0-F75E5765341F}\1.0\HELPDIR\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CVaio.ShellItemImageFactory.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD830B23-91C4-46FB-8039-287269FD98F8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD830B23-91C4-46FB-8039-287269FD98F8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47ED5A4A-76C1-4F50-ACE0-F75E5765341F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD830B23-91C4-46FB-8039-287269FD98F8}\VersionIndependentProgID\ = "CVaio.ShellItemImageFactory"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47ED5A4A-76C1-4F50-ACE0-F75E5765341F}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CVaio.ShellItemImageFactory\ = "ShellItemImageFactory Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD830B23-91C4-46FB-8039-287269FD98F8}\ = "ShellItemImageFactory Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD830B23-91C4-46FB-8039-287269FD98F8}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD830B23-91C4-46FB-8039-287269FD98F8}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\75d628e3ae278fb8a4007ec86853894f44558141c0f55f3649e47692c9e1e72b.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47ED5A4A-76C1-4F50-ACE0-F75E5765341F}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47ED5A4A-76C1-4F50-ACE0-F75E5765341F}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{10273E06-98BB-4151-92A9-9C4AD224DD3E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CVaio.ShellItemImageFactory\CLSID\ = "{DD830B23-91C4-46FB-8039-287269FD98F8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CVaio.ShellItemImageFactory\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47ED5A4A-76C1-4F50-ACE0-F75E5765341F}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\75d628e3ae278fb8a4007ec86853894f44558141c0f55f3649e47692c9e1e72b.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47ED5A4A-76C1-4F50-ACE0-F75E5765341F}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CVaio.ShellItemImageFactory.1\CLSID\ = "{DD830B23-91C4-46FB-8039-287269FD98F8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CVaio.ShellItemImageFactory\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CVaio.ShellItemImageFactory\CurVer\ = "CVaio.ShellItemImageFactory.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD830B23-91C4-46FB-8039-287269FD98F8}\ProgID\ = "CVaio.ShellItemImageFactory.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47ED5A4A-76C1-4F50-ACE0-F75E5765341F}\1.0\0	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1868	regsvr32mgr.exe

Suspicious behavior: MapViewOfSection 23 IoCs

pid	Process
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe
1868	regsvr32mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	regsvr32mgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 696	1516	regsvr32.exe	27
PID 1516 wrote to memory of 696	1516	regsvr32.exe	27
PID 1516 wrote to memory of 696	1516	regsvr32.exe	27
PID 1516 wrote to memory of 696	1516	regsvr32.exe	27
PID 1516 wrote to memory of 696	1516	regsvr32.exe	27
PID 1516 wrote to memory of 696	1516	regsvr32.exe	27
PID 1516 wrote to memory of 696	1516	regsvr32.exe	27
PID 696 wrote to memory of 1868	696	regsvr32.exe	28
PID 696 wrote to memory of 1868	696	regsvr32.exe	28
PID 696 wrote to memory of 1868	696	regsvr32.exe	28
PID 696 wrote to memory of 1868	696	regsvr32.exe	28
PID 1868 wrote to memory of 372	1868	regsvr32mgr.exe	5
PID 1868 wrote to memory of 372	1868	regsvr32mgr.exe	5
PID 1868 wrote to memory of 372	1868	regsvr32mgr.exe	5
PID 1868 wrote to memory of 372	1868	regsvr32mgr.exe	5
PID 1868 wrote to memory of 372	1868	regsvr32mgr.exe	5
PID 1868 wrote to memory of 372	1868	regsvr32mgr.exe	5
PID 1868 wrote to memory of 372	1868	regsvr32mgr.exe	5
PID 1868 wrote to memory of 380	1868	regsvr32mgr.exe	4
PID 1868 wrote to memory of 380	1868	regsvr32mgr.exe	4
PID 1868 wrote to memory of 380	1868	regsvr32mgr.exe	4
PID 1868 wrote to memory of 380	1868	regsvr32mgr.exe	4
PID 1868 wrote to memory of 380	1868	regsvr32mgr.exe	4
PID 1868 wrote to memory of 380	1868	regsvr32mgr.exe	4
PID 1868 wrote to memory of 380	1868	regsvr32mgr.exe	4
PID 1868 wrote to memory of 420	1868	regsvr32mgr.exe	3
PID 1868 wrote to memory of 420	1868	regsvr32mgr.exe	3
PID 1868 wrote to memory of 420	1868	regsvr32mgr.exe	3
PID 1868 wrote to memory of 420	1868	regsvr32mgr.exe	3
PID 1868 wrote to memory of 420	1868	regsvr32mgr.exe	3
PID 1868 wrote to memory of 420	1868	regsvr32mgr.exe	3
PID 1868 wrote to memory of 420	1868	regsvr32mgr.exe	3
PID 1868 wrote to memory of 464	1868	regsvr32mgr.exe	2
PID 1868 wrote to memory of 464	1868	regsvr32mgr.exe	2
PID 1868 wrote to memory of 464	1868	regsvr32mgr.exe	2
PID 1868 wrote to memory of 464	1868	regsvr32mgr.exe	2
PID 1868 wrote to memory of 464	1868	regsvr32mgr.exe	2
PID 1868 wrote to memory of 464	1868	regsvr32mgr.exe	2
PID 1868 wrote to memory of 464	1868	regsvr32mgr.exe	2
PID 1868 wrote to memory of 480	1868	regsvr32mgr.exe	1
PID 1868 wrote to memory of 480	1868	regsvr32mgr.exe	1
PID 1868 wrote to memory of 480	1868	regsvr32mgr.exe	1
PID 1868 wrote to memory of 480	1868	regsvr32mgr.exe	1
PID 1868 wrote to memory of 480	1868	regsvr32mgr.exe	1
PID 1868 wrote to memory of 480	1868	regsvr32mgr.exe	1
PID 1868 wrote to memory of 480	1868	regsvr32mgr.exe	1
PID 1868 wrote to memory of 488	1868	regsvr32mgr.exe	24
PID 1868 wrote to memory of 488	1868	regsvr32mgr.exe	24
PID 1868 wrote to memory of 488	1868	regsvr32mgr.exe	24
PID 1868 wrote to memory of 488	1868	regsvr32mgr.exe	24
PID 1868 wrote to memory of 488	1868	regsvr32mgr.exe	24
PID 1868 wrote to memory of 488	1868	regsvr32mgr.exe	24
PID 1868 wrote to memory of 488	1868	regsvr32mgr.exe	24
PID 1868 wrote to memory of 588	1868	regsvr32mgr.exe	7
PID 1868 wrote to memory of 588	1868	regsvr32mgr.exe	7
PID 1868 wrote to memory of 588	1868	regsvr32mgr.exe	7
PID 1868 wrote to memory of 588	1868	regsvr32mgr.exe	7
PID 1868 wrote to memory of 588	1868	regsvr32mgr.exe	7
PID 1868 wrote to memory of 588	1868	regsvr32mgr.exe	7
PID 1868 wrote to memory of 588	1868	regsvr32mgr.exe	7
PID 1868 wrote to memory of 668	1868	regsvr32mgr.exe	23
PID 1868 wrote to memory of 668	1868	regsvr32mgr.exe	23
PID 1868 wrote to memory of 668	1868	regsvr32mgr.exe	23
PID 1868 wrote to memory of 668	1868	regsvr32mgr.exe	23

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:588
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:308
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1236
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2028
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1132
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1056
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:292
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:868
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:844
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:804
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:748
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:668

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1620

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\75d628e3ae278fb8a4007ec86853894f44558141c0f55f3649e47692c9e1e72b.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\75d628e3ae278fb8a4007ec86853894f44558141c0f55f3649e47692c9e1e72b.dll
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\SysWOW64\regsvr32mgr.exe
      C:\Windows\SysWOW64\regsvr32mgr.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1868

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
139KB

MD5
6fa776906e04fd7f927ed4676d76b48b

SHA1
4a1eebc9fefcfb4b8ae3e537daf1904e832523b7

SHA256
1c9847b9d4e17bdc077732290fe941c62defd66d9b67f070e0a1f470d1802176

SHA512
1540763d215f5e64b24f911ee281dc3ba73fa42646e5e9b6c85ad593ae70ce57f71f566f45188c15bfb52f2d9ac46a010acd39a87078a5fb0b487d482aad83f6

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
139KB

MD5
6fa776906e04fd7f927ed4676d76b48b

SHA1
4a1eebc9fefcfb4b8ae3e537daf1904e832523b7

SHA256
1c9847b9d4e17bdc077732290fe941c62defd66d9b67f070e0a1f470d1802176

SHA512
1540763d215f5e64b24f911ee281dc3ba73fa42646e5e9b6c85ad593ae70ce57f71f566f45188c15bfb52f2d9ac46a010acd39a87078a5fb0b487d482aad83f6

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
139KB

MD5
6fa776906e04fd7f927ed4676d76b48b

SHA1
4a1eebc9fefcfb4b8ae3e537daf1904e832523b7

SHA256
1c9847b9d4e17bdc077732290fe941c62defd66d9b67f070e0a1f470d1802176

SHA512
1540763d215f5e64b24f911ee281dc3ba73fa42646e5e9b6c85ad593ae70ce57f71f566f45188c15bfb52f2d9ac46a010acd39a87078a5fb0b487d482aad83f6

Download Submit
memory/696-56-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/696-57-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download
memory/696-63-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/1516-54-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

Filesize
8KB

Download
memory/1868-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download