d7a81a9de2c737673301d1d695bf31dfc2bc9bc5db2df18f85b4d4fa2e590a91

General

Target

d7a81a9de2c737673301d1d695bf31dfc2bc9bc5db2df18f85b4d4fa2e590a91.dll
Size

115KB
MD5

d827412fc2d9c7bdc190a457206270ae
SHA1

14045b78fb848532b677bf8114c8107d21c28fa8
SHA256

d7a81a9de2c737673301d1d695bf31dfc2bc9bc5db2df18f85b4d4fa2e590a91
SHA512

975214f4c09295f09f3fc902fafec05d8179beccb44027851fb14177b350b65a02ba42f5f955b417e24b2bab0770070c3d6ba7254128d7eb3d1cae45c58cf266
SSDEEP

3072:o/jTv/fmKGte1zKjNv0+3hxW1LfqFBt1bURl/iu9pXKnfrD:QTv/fmKGtekO+3Tt1b2394D

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSAdodcLib.Adodc.6\CLSID\ = "{67397AA3-7FB1-11D0-B148-00A0C922E820}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67397AA3-7FB1-11D0-B148-00A0C922E820}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d7a81a9de2c737673301d1d695bf31dfc2bc9bc5db2df18f85b4d4fa2e590a91.dll, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{67397AA2-7FB1-11D0-B148-00A0C922E820}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67397AA3-7FB1-11D0-B148-00A0C922E820}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d7a81a9de2c737673301d1d695bf31dfc2bc9bc5db2df18f85b4d4fa2e590a91.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67397AA3-7FB1-11D0-B148-00A0C922E820}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA2073E6-7B9C-11D0-B143-00A0C922E820}\ = "Adodc General Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67397AA1-7FB1-11D0-B148-00A0C922E820}\6.0\FLAGS\ = "2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{47A738F1-7FAF-11D0-B148-00A0C922E820}\ = "IAdodc"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSAdodcLib.Adodc\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67397AA3-7FB1-11D0-B148-00A0C922E820}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{47A738F1-7FAF-11D0-B148-00A0C922E820}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67397AA3-7FB1-11D0-B148-00A0C922E820}\TypeLib\ = "{67397AA1-7FB1-11D0-B148-00A0C922E820}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67397AA3-7FB1-11D0-B148-00A0C922E820}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67397AA3-7FB1-11D0-B148-00A0C922E820}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27F8FFB1-7406-11D1-B18C-00A0C922E820}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{47A738F1-7FAF-11D0-B148-00A0C922E820}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{47A738F1-7FAF-11D0-B148-00A0C922E820}\TypeLib\Version = "6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{67397AA2-7FB1-11D0-B148-00A0C922E820}\TypeLib\Version = "6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67397AA2-7FB1-11D0-B148-00A0C922E820}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSAdodcLib.Adodc	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSAdodcLib.Adodc\CurVer\ = "MSAdodcLib.Adodc.6"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{47A738F1-7FAF-11D0-B148-00A0C922E820}\TypeLib\ = "{67397AA1-7FB1-11D0-B148-00A0C922E820}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{67397AA2-7FB1-11D0-B148-00A0C922E820}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67397AA3-7FB1-11D0-B148-00A0C922E820}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27F8FFB2-7406-11D1-B18C-00A0C922E820}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67397AA1-7FB1-11D0-B148-00A0C922E820}\6.0\HELPDIR\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{67397AA2-7FB1-11D0-B148-00A0C922E820}\TypeLib\ = "{67397AA1-7FB1-11D0-B148-00A0C922E820}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67397AA2-7FB1-11D0-B148-00A0C922E820}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27F8FFB1-7406-11D1-B18C-00A0C922E820}\ = "Adodc Authentication Property Page Object"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA2073E6-7B9C-11D0-B143-00A0C922E820}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27F8FFB1-7406-11D1-B18C-00A0C922E820}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67397AA3-7FB1-11D0-B148-00A0C922E820}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27F8FFB1-7406-11D1-B18C-00A0C922E820}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27F8FFB1-7406-11D1-B18C-00A0C922E820}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27F8FFB2-7406-11D1-B18C-00A0C922E820}\ = "Adodc RecordSource Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{47A738F1-7FAF-11D0-B148-00A0C922E820}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{47A738F1-7FAF-11D0-B148-00A0C922E820}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{47A738F1-7FAF-11D0-B148-00A0C922E820}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{47A738F1-7FAF-11D0-B148-00A0C922E820}\TypeLib\Version = "6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67397AA3-7FB1-11D0-B148-00A0C922E820}\ = "Microsoft ADO Data Control, version 6.0 (OLEDB)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67397AA1-7FB1-11D0-B148-00A0C922E820}\6.0\ = "Microsoft ADO Data Control 6.0 (OLEDB)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67397AA1-7FB1-11D0-B148-00A0C922E820}\6.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d7a81a9de2c737673301d1d695bf31dfc2bc9bc5db2df18f85b4d4fa2e590a91.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{47A738F1-7FAF-11D0-B148-00A0C922E820}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{67397AA2-7FB1-11D0-B148-00A0C922E820}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67397AA2-7FB1-11D0-B148-00A0C922E820}\TypeLib\ = "{67397AA1-7FB1-11D0-B148-00A0C922E820}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27F8FFB2-7406-11D1-B18C-00A0C922E820}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67397AA3-7FB1-11D0-B148-00A0C922E820}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67397AA1-7FB1-11D0-B148-00A0C922E820}\6.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67397AA1-7FB1-11D0-B148-00A0C922E820}\6.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{47A738F1-7FAF-11D0-B148-00A0C922E820}\ = "IAdodc"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{47A738F1-7FAF-11D0-B148-00A0C922E820}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67397AA2-7FB1-11D0-B148-00A0C922E820}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67397AA2-7FB1-11D0-B148-00A0C922E820}\TypeLib\Version = "6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSAdodcLib.Adodc\ = "Microsoft ADO Data Control, version 6.0 (OLEDB)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSAdodcLib.Adodc\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67397AA3-7FB1-11D0-B148-00A0C922E820}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67397AA3-7FB1-11D0-B148-00A0C922E820}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA2073E6-7B9C-11D0-B143-00A0C922E820}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA2073E6-7B9C-11D0-B143-00A0C922E820}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27F8FFB2-7406-11D1-B18C-00A0C922E820}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{67397AA2-7FB1-11D0-B148-00A0C922E820}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67397AA3-7FB1-11D0-B148-00A0C922E820}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67397AA2-7FB1-11D0-B148-00A0C922E820}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67397AA2-7FB1-11D0-B148-00A0C922E820}\ = "DAdodcEvents"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1280 wrote to memory of 608	1280	regsvr32.exe	regsvr32.exe
PID 1280 wrote to memory of 608	1280	regsvr32.exe	regsvr32.exe
PID 1280 wrote to memory of 608	1280	regsvr32.exe	regsvr32.exe
PID 1280 wrote to memory of 608	1280	regsvr32.exe	regsvr32.exe
PID 1280 wrote to memory of 608	1280	regsvr32.exe	regsvr32.exe
PID 1280 wrote to memory of 608	1280	regsvr32.exe	regsvr32.exe
PID 1280 wrote to memory of 608	1280	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d7a81a9de2c737673301d1d695bf31dfc2bc9bc5db2df18f85b4d4fa2e590a91.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\d7a81a9de2c737673301d1d695bf31dfc2bc9bc5db2df18f85b4d4fa2e590a91.dll
2⤵
- Modifies registry class
PID:608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/608-55-0x0000000000000000-mapping.dmp

Download
memory/608-56-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1280-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads