1bf3e57eed6f5089a76a2de808882c7d074211612de58993d89eef16592e545e

Analysis

max time kernel
150s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 13:03

Target

1bf3e57eed6f5089a76a2de808882c7d074211612de58993d89eef16592e545e.dll
Size

330KB
MD5

0766cd6a9751212403bfa760d1e2297c
SHA1

2fdd86ee46bd86c939c8be61dbb609d00265a2b3
SHA256

1bf3e57eed6f5089a76a2de808882c7d074211612de58993d89eef16592e545e
SHA512

24e0e4bc65c3e74ad3f3aab53376011028c6bece49f7736a98bc9e16319561d61bf16b41b262191a8400f3c926e53fd83f4b4125847e2e1cbb06a9e81fc136d4
SSDEEP

6144:gN0yr1sO/wIKS0FKtOT/OrDtgUi0uvQee7Qee/0QeesQeeglQeekQeeDC1MnBYGf:wG6wndYtamDSUHImVY6vpy

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
3052	regsvr32mgr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3124	3052	WerFault.exe	81

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58F1580-0DF3-401C-93B1-2D9DDA61CF04}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58F1580-0DF3-401C-93B1-2D9DDA61CF04}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58F1580-0DF3-401C-93B1-2D9DDA61CF04}\1.0	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 4088	2652	regsvr32.exe	80
PID 2652 wrote to memory of 4088	2652	regsvr32.exe	80
PID 2652 wrote to memory of 4088	2652	regsvr32.exe	80
PID 4088 wrote to memory of 3052	4088	regsvr32.exe	81
PID 4088 wrote to memory of 3052	4088	regsvr32.exe	81
PID 4088 wrote to memory of 3052	4088	regsvr32.exe	81

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1bf3e57eed6f5089a76a2de808882c7d074211612de58993d89eef16592e545e.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\1bf3e57eed6f5089a76a2de808882c7d074211612de58993d89eef16592e545e.dll
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:3052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 448
      4⤵
      Program crash
      PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3052 -ip 3052
1⤵
PID:4304

C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
89KB

MD5
7a6cee0de2aad7a5f40d71b9d632c398

SHA1
f18b7dd8b5a652aa62f6b41aab49822fb6a02c46

SHA256
93b1dcf5146afe775640d930392805d96dc057844c6a0c89d0bb5fd2ca5d0dd3

SHA512
70facceddf8c8c8c4c081205ef6aa7b5dc583f29fa4dc5c2b3e10d0f82c94d13bf886fa07d1f14f771a74998e73c92a6c685c61cbc98a316fac4808c4634c8e3

Download Submit
memory/3052-133-0x0000000000000000-mapping.dmp

Download
memory/3052-136-0x000000000042A000-0x0000000000433000-memory.dmp

Filesize
36KB

Download
memory/3052-137-0x0000000000400000-0x0000000000432228-memory.dmp

Filesize
200KB

Download
memory/4088-132-0x0000000000000000-mapping.dmp

Download
memory/4088-135-0x0000000074B20000-0x0000000074B75000-memory.dmp

Filesize
340KB

Download