a12bf0a3cf2e618c1f39a34ef650449b851bd6ed21ada1b3be1fb801f57db832

Analysis

max time kernel
4s
max time network
29s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a12bf0a3cf2e618c1f39a34ef650449b851bd6ed21ada1b3be1fb801f57db832.dll
Size

144KB
MD5

0814cdc2c25c3a140f2c5d3e15eaec9d
SHA1

2ef8fea0f1cf77984d3efa70337492299e56af3e
SHA256

a12bf0a3cf2e618c1f39a34ef650449b851bd6ed21ada1b3be1fb801f57db832
SHA512

a440679703ae200ee8581866411fab21f81fb34bf068be6cc4487b188af72d9597bcbb5748b8c07a9e93a071d60e56049e9c5cba22c7c7becf94e201787725e1
SSDEEP

3072:Bs82mBOIO+j6iZL3oIy/+zJYAKyvE/vb7HDnrE8NgU:B6IO8PfemvSvb7c8uU

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

regsvr32mgr.exe

pid process

1528 regsvr32mgr.exe

pid	process
1528	regsvr32mgr.exe

Loads dropped DLL 9 IoCs

Processes:

regsvr32.exeWerFault.exe

pid	process
1396	regsvr32.exe
1396	regsvr32.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe

Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Windows\SysWOW64\regsvr32mgr.exe regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1012 1528 WerFault.exe regsvr32mgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

pid	pid_target	process	target process
1012	1528	WerFault.exe	regsvr32mgr.exe

Modifies registry class 23 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LR.LexRefStArObject.1.0.1\CLSID\ = "{204DB1B9-42B1-4b21-A1CE-E1BB11F3F3C2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{204DB1B9-42B1-4b21-A1CE-E1BB11F3F3C2}\ = "LexRefStArObject Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{204DB1B9-42B1-4b21-A1CE-E1BB11F3F3C2}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{204DB1B9-42B1-4b21-A1CE-E1BB11F3F3C2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{204DB1B9-42B1-4B21-A1CE-E1BB11F3F3C2}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{204DB1B9-42B1-4B21-A1CE-E1BB11F3F3C2}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{204DB1B9-42B1-4B21-A1CE-E1BB11F3F3C2}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{204DB1B9-42B1-4B21-A1CE-E1BB11F3F3C2}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{204DB1B9-42B1-4b21-A1CE-E1BB11F3F3C2}\VersionIndependentProgID\ = "LR.LexRefStArObject.1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C89361FC-B7A8-405F-8329-DCAB7592E579}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a12bf0a3cf2e618c1f39a34ef650449b851bd6ed21ada1b3be1fb801f57db832.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LR.LexRefStArObject.1.0\ = "LexRefStArObject Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LR.LexRefStArObject.1.0\CLSID\ = "{204DB1B9-42B1-4b21-A1CE-E1BB11F3F3C2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{204DB1B9-42B1-4b21-A1CE-E1BB11F3F3C2}\ProgID\ = "LR.LexRefStArObject.1.0.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{204DB1B9-42B1-4b21-A1CE-E1BB11F3F3C2}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{204DB1B9-42B1-4b21-A1CE-E1BB11F3F3C2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A12BF0~1.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{204DB1B9-42B1-4b21-A1CE-E1BB11F3F3C2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{204DB1B9-42B1-4b21-A1CE-E1BB11F3F3C2}\TypeLib\ = "{C89361FC-B7A8-405f-8329-DCAB7592E579}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C89361FC-B7A8-405F-8329-DCAB7592E579}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LR.LexRefStArObject.1.0.1\ = "LexRefStArObject Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LR.LexRefStArObject.1.0\CurVer\ = "LR.LexRefStArObject.1.0.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{204DB1B9-42B1-4B21-A1CE-E1BB11F3F3C2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{204DB1B9-42B1-4b21-A1CE-E1BB11F3F3C2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{204DB1B9-42B1-4b21-A1CE-E1BB11F3F3C2}\InprocServer32	regsvr32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32mgr.exe

description	pid	process	target process
PID 1232 wrote to memory of 1396	1232	regsvr32.exe	regsvr32.exe
PID 1232 wrote to memory of 1396	1232	regsvr32.exe	regsvr32.exe
PID 1232 wrote to memory of 1396	1232	regsvr32.exe	regsvr32.exe
PID 1232 wrote to memory of 1396	1232	regsvr32.exe	regsvr32.exe
PID 1232 wrote to memory of 1396	1232	regsvr32.exe	regsvr32.exe
PID 1232 wrote to memory of 1396	1232	regsvr32.exe	regsvr32.exe
PID 1232 wrote to memory of 1396	1232	regsvr32.exe	regsvr32.exe
PID 1396 wrote to memory of 1528	1396	regsvr32.exe	regsvr32mgr.exe
PID 1396 wrote to memory of 1528	1396	regsvr32.exe	regsvr32mgr.exe
PID 1396 wrote to memory of 1528	1396	regsvr32.exe	regsvr32mgr.exe
PID 1396 wrote to memory of 1528	1396	regsvr32.exe	regsvr32mgr.exe
PID 1528 wrote to memory of 1012	1528	regsvr32mgr.exe	WerFault.exe
PID 1528 wrote to memory of 1012	1528	regsvr32mgr.exe	WerFault.exe
PID 1528 wrote to memory of 1012	1528	regsvr32mgr.exe	WerFault.exe
PID 1528 wrote to memory of 1012	1528	regsvr32mgr.exe	WerFault.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a12bf0a3cf2e618c1f39a34ef650449b851bd6ed21ada1b3be1fb801f57db832.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\a12bf0a3cf2e618c1f39a34ef650449b851bd6ed21ada1b3be1fb801f57db832.dll
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\regsvr32mgr.exe
C:\Windows\SysWOW64\regsvr32mgr.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 156
4⤵
- Loads dropped DLL
- Program crash
PID:1012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
memory/1012-62-0x0000000000000000-mapping.dmp

Download
memory/1232-54-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmp

Filesize
8KB

Download
memory/1396-56-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1396-55-0x0000000000000000-mapping.dmp

Download
memory/1528-59-0x0000000000000000-mapping.dmp

Download