e6467e08daa33d502c872025e2cb3814c6821ee109b28d114c8424146a121f13

Analysis

max time kernel
43s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 20:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e6467e08daa33d502c872025e2cb3814c6821ee109b28d114c8424146a121f13.dll
Size

122KB
MD5

0f19ac0198f333ec81e5ec73e7a57b30
SHA1

72d3b9a6741f951ce6b323bcdb58880bae4515ab
SHA256

e6467e08daa33d502c872025e2cb3814c6821ee109b28d114c8424146a121f13
SHA512

62d2745ae7af6c20bb84cac0ac19459ac985e97345ffa3fdc5e82afc2a30187a3a006820d25aebba74b3e79a5b5344146b64b1f1ecd0bce465986d2bc3efd1ab
SSDEEP

1536:yAg9QUO+3uf1p3OT96cDRNxYg3sloBEZjC5mjM28ovLQ86t:i6+3qOp6ctNxqlBZjPjM2LzQ86t

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2028	regsvr32mgr.exe

Loads dropped DLL 2 IoCs

pid	Process
1048	regsvr32.exe
1048	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B7C4F4C9-EE21-4042-9C11-BEA5E039B1F9}\ = "IEDID"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25824158-68E7-4A6F-A2FD-F6AD1D6845D4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DC61FD6D-FB60-4ABC-BF2E-4DF75C90C601}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{965FD393-C149-45F1-863C-402C4E2E38C5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D5393CA5-EF8F-49E0-B180-212C903C652C}\NumMethods\ = "7"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63CDDDB9-A85B-411E-AA78-101B3BC17261}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63CDDDB9-A85B-411E-AA78-101B3BC17261}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B7C4F4C9-EE21-4042-9C11-BEA5E039B1F9}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DC61FD6D-FB60-4ABC-BF2E-4DF75C90C601}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D5393CA5-EF8F-49E0-B180-212C903C652C}\ = "IScheme"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D5393CA5-EF8F-49E0-B180-212C903C652C}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299D88F9-2CBD-4225-BF19-FCD164C54C3F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{72DC5954-069D-43C4-9B8B-19B59269DC74}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DC61FD6D-FB60-4ABC-BF2E-4DF75C90C601}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B7C4F4C9-EE21-4042-9C11-BEA5E039B1F9}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6467e08daa33d502c872025e2cb3814c6821ee109b28d114c8424146a121f13.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{72DC5954-069D-43C4-9B8B-19B59269DC74}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299D88F9-2CBD-4225-BF19-FCD164C54C3F}\NumMethods\ = "12"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D5393CA5-EF8F-49E0-B180-212C903C652C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63CDDDB9-A85B-411E-AA78-101B3BC17261}\NumMethods\ = "19"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D80D344A-0CCD-4B2F-B379-56DE3EC2C4D1}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25824158-68E7-4A6F-A2FD-F6AD1D6845D4}\ = "IOverlay"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{965FD393-C149-45F1-863C-402C4E2E38C5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{965FD393-C149-45F1-863C-402C4E2E38C5}\NumMethods\ = "8"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299D88F9-2CBD-4225-BF19-FCD164C54C3F}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{916FEC45-8FAB-460F-9BD1-325055E3DEC9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D80D344A-0CCD-4B2F-B379-56DE3EC2C4D1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{72DC5954-069D-43C4-9B8B-19B59269DC74}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25824158-68E7-4A6F-A2FD-F6AD1D6845D4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{965FD393-C149-45F1-863C-402C4E2E38C5}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}\NumMethods\ = "9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{916FEC45-8FAB-460F-9BD1-325055E3DEC9}\ = "ISettings"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DC61FD6D-FB60-4ABC-BF2E-4DF75C90C601}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DC61FD6D-FB60-4ABC-BF2E-4DF75C90C601}\ = "IDisplayConfig"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B7C4F4C9-EE21-4042-9C11-BEA5E039B1F9}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D5393CA5-EF8F-49E0-B180-212C903C652C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{72DC5954-069D-43C4-9B8B-19B59269DC74}\ = "IRotation"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DC61FD6D-FB60-4ABC-BF2E-4DF75C90C601}\NumMethods\ = "21"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299D88F9-2CBD-4225-BF19-FCD164C54C3F}\ = "ICUIPower"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D80D344A-0CCD-4B2F-B379-56DE3EC2C4D1}\ = "IMCCS"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25824158-68E7-4A6F-A2FD-F6AD1D6845D4}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D80D344A-0CCD-4B2F-B379-56DE3EC2C4D1}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{72DC5954-069D-43C4-9B8B-19B59269DC74}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25824158-68E7-4A6F-A2FD-F6AD1D6845D4}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25824158-68E7-4A6F-A2FD-F6AD1D6845D4}\NumMethods\ = "14"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299D88F9-2CBD-4225-BF19-FCD164C54C3F}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{916FEC45-8FAB-460F-9BD1-325055E3DEC9}\NumMethods\ = "31"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D80D344A-0CCD-4B2F-B379-56DE3EC2C4D1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{965FD393-C149-45F1-863C-402C4E2E38C5}\ = "IOpenGL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{916FEC45-8FAB-460F-9BD1-325055E3DEC9}\ProxyStubClsid32\ = "{DDA11344-AB20-4AEC-94C4-6AA091574CD0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{916FEC45-8FAB-460F-9BD1-325055E3DEC9}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63CDDDB9-A85B-411E-AA78-101B3BC17261}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63CDDDB9-A85B-411E-AA78-101B3BC17261}\ = "IColor"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B7C4F4C9-EE21-4042-9C11-BEA5E039B1F9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDA11344-AB20-4AEC-94C4-6AA091574CD0}\ = "ITVParam"	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1048	2012	regsvr32.exe	27
PID 2012 wrote to memory of 1048	2012	regsvr32.exe	27
PID 2012 wrote to memory of 1048	2012	regsvr32.exe	27
PID 2012 wrote to memory of 1048	2012	regsvr32.exe	27
PID 2012 wrote to memory of 1048	2012	regsvr32.exe	27
PID 2012 wrote to memory of 1048	2012	regsvr32.exe	27
PID 2012 wrote to memory of 1048	2012	regsvr32.exe	27
PID 1048 wrote to memory of 2028	1048	regsvr32.exe	28
PID 1048 wrote to memory of 2028	1048	regsvr32.exe	28
PID 1048 wrote to memory of 2028	1048	regsvr32.exe	28
PID 1048 wrote to memory of 2028	1048	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e6467e08daa33d502c872025e2cb3814c6821ee109b28d114c8424146a121f13.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\e6467e08daa33d502c872025e2cb3814c6821ee109b28d114c8424146a121f13.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:2028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
73KB

MD5
9df5f7fb921486c04781cad71d7db727

SHA1
9ed18300776a2397e586073a95e7e992f031a25a

SHA256
eed3c298db97d168df30af01e8da55b325eace743a954950ce4cd83412593b0f

SHA512
1267c2062ad742a446da93919df01af07b2e53b678f9e74511e174ac8f1a2e19b70651ecc16a913402d298e4b65a08d1f41316c55d8f0a9fb38010b268a5be2d

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
73KB

MD5
9df5f7fb921486c04781cad71d7db727

SHA1
9ed18300776a2397e586073a95e7e992f031a25a

SHA256
eed3c298db97d168df30af01e8da55b325eace743a954950ce4cd83412593b0f

SHA512
1267c2062ad742a446da93919df01af07b2e53b678f9e74511e174ac8f1a2e19b70651ecc16a913402d298e4b65a08d1f41316c55d8f0a9fb38010b268a5be2d

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
73KB

MD5
9df5f7fb921486c04781cad71d7db727

SHA1
9ed18300776a2397e586073a95e7e992f031a25a

SHA256
eed3c298db97d168df30af01e8da55b325eace743a954950ce4cd83412593b0f

SHA512
1267c2062ad742a446da93919df01af07b2e53b678f9e74511e174ac8f1a2e19b70651ecc16a913402d298e4b65a08d1f41316c55d8f0a9fb38010b268a5be2d

Download Submit
memory/1048-56-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/2012-54-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads