e8fc3d24d22d67b5befa8a43ce074b1d09ec7defa4d0429d0327b3e0bd478644

General

Target

e8fc3d24d22d67b5befa8a43ce074b1d09ec7defa4d0429d0327b3e0bd478644.dll
Size

298KB
MD5

21e52a3c510f824f4bd597ffd1a569a2
SHA1

417d7e1fc6cf3c572e12879a8b312e9f49ee5ec4
SHA256

e8fc3d24d22d67b5befa8a43ce074b1d09ec7defa4d0429d0327b3e0bd478644
SHA512

719ca05d37d59b804e980d2b676e82959964c300c1a53ff58721c0428f114b737f2d3209585e2372ede69f7bcaae6ba6ccf98504c21fee6238915e3f3f1bc5f3
SSDEEP

6144:xNn2sEOLf8yJwkPvWrYaRWvJsqbILMs49QLaaXnEUqftjh:fnf8y7WrSlbkfGORqf/

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89CB90A7-B038-4DF2-A293-4702526B2814}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89CB90A7-B038-4DF2-A293-4702526B2814}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e8fc3d24d22d67b5befa8a43ce074b1d09ec7defa4d0429d0327b3e0bd478644.dll,1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59513D53-028D-4CEC-A663-558305D9418A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59513D53-028D-4CEC-A663-558305D9418A}\ = "IZWBAX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59513D53-028D-4CEC-A663-558305D9418A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F7271E8-FC59-44C1-8D65-417279ECBF9D}\ = "IZWBAXEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F7271E8-FC59-44C1-8D65-417279ECBF9D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F7271E8-FC59-44C1-8D65-417279ECBF9D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\TypeLib\ = "{89CB90A7-B038-4DF2-A293-4702526B2814}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\MiscStatus\1\ = "205201"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59513D53-028D-4CEC-A663-558305D9418A}\TypeLib\ = "{89CB90A7-B038-4DF2-A293-4702526B2814}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59513D53-028D-4CEC-A663-558305D9418A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZWB.ZWBAX\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\Verb\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89CB90A7-B038-4DF2-A293-4702526B2814}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59513D53-028D-4CEC-A663-558305D9418A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59513D53-028D-4CEC-A663-558305D9418A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F7271E8-FC59-44C1-8D65-417279ECBF9D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F7271E8-FC59-44C1-8D65-417279ECBF9D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F7271E8-FC59-44C1-8D65-417279ECBF9D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\ = "ZWBAX Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZWB.ZWBAX\Clsid\ = "{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59513D53-028D-4CEC-A663-558305D9418A}\ = "IZWBAX"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F7271E8-FC59-44C1-8D65-417279ECBF9D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89CB90A7-B038-4DF2-A293-4702526B2814}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89CB90A7-B038-4DF2-A293-4702526B2814}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89CB90A7-B038-4DF2-A293-4702526B2814}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZWB.ZWBAX\ = "ZWBAX Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59513D53-028D-4CEC-A663-558305D9418A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F7271E8-FC59-44C1-8D65-417279ECBF9D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F7271E8-FC59-44C1-8D65-417279ECBF9D}\TypeLib\ = "{89CB90A7-B038-4DF2-A293-4702526B2814}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59513D53-028D-4CEC-A663-558305D9418A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\Verb\0\ = "Properties,0,2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e8fc3d24d22d67b5befa8a43ce074b1d09ec7defa4d0429d0327b3e0bd478644.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\Control\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89CB90A7-B038-4DF2-A293-4702526B2814}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\Verb	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89CB90A7-B038-4DF2-A293-4702526B2814}\1.0\ = "ZWB Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59513D53-028D-4CEC-A663-558305D9418A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59513D53-028D-4CEC-A663-558305D9418A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F7271E8-FC59-44C1-8D65-417279ECBF9D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F7271E8-FC59-44C1-8D65-417279ECBF9D}\TypeLib\ = "{89CB90A7-B038-4DF2-A293-4702526B2814}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F7271E8-FC59-44C1-8D65-417279ECBF9D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59513D53-028D-4CEC-A663-558305D9418A}\TypeLib\ = "{89CB90A7-B038-4DF2-A293-4702526B2814}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89CB90A7-B038-4DF2-A293-4702526B2814}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e8fc3d24d22d67b5befa8a43ce074b1d09ec7defa4d0429d0327b3e0bd478644.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F7271E8-FC59-44C1-8D65-417279ECBF9D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZWB.ZWBAX	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{89CB90A7-B038-4DF2-A293-4702526B2814}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59513D53-028D-4CEC-A663-558305D9418A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F7271E8-FC59-44C1-8D65-417279ECBF9D}\ = "IZWBAXEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\ProgID\ = "ZWB.ZWBAX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97518B31-E2D2-4BFA-B06D-C5D4F0F5FDC7}\Verb\	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4872 wrote to memory of 4876	4872	regsvr32.exe	regsvr32.exe
PID 4872 wrote to memory of 4876	4872	regsvr32.exe	regsvr32.exe
PID 4872 wrote to memory of 4876	4872	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e8fc3d24d22d67b5befa8a43ce074b1d09ec7defa4d0429d0327b3e0bd478644.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\e8fc3d24d22d67b5befa8a43ce074b1d09ec7defa4d0429d0327b3e0bd478644.dll
2⤵
- Modifies registry class
PID:4876

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads