6e054712132fbc18a0c36bd8042c28b7e631f6e06e77e77c4e537d6b9c3182da

Analysis

max time kernel
151s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 23:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DATA/JJM.dll
Size

353KB
MD5

552ca52a22fbc59edd5a080996812579
SHA1

c43fdd6d07c8c12c34a251ef0f1055cf2be3d022
SHA256

44878c579ce6e4fdab7f31887db8c925720b607c021a63846050eeb63c98cfbf
SHA512

0c9602c87e24bfbb4e99a06ef083015295a05f7676ae9d45a490d6ff5875b3f9b2823a10db30fc684c314c54003bd14df585697110d0c103b7f0ebea58e37cd6
SSDEEP

6144:tzinkKaqgU9yv5/6qAI0nJKo88/Z3HnLhCIhVvU:RinkUn9yv5/6hI0JLFZ3nP

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C21B3B1-2B11-45F2-8A9E-DCC5032DE98A}\TypeLib\Version = "4.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AED3A6B0-2171-11D2-B77C-0008C73ACA8F}\4.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DATA\\JJM.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{684130B2-2B8A-4E8D-BE71-8F4052882076}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A037057-57F0-4904-A1E0-AD0EA2FB564E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF2ED965-E0BA-4FE4-ADE2-38BD48F112E8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AED3A6B1-2171-11D2-B77C-0008C73ACA8F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56930358-AD72-408F-83C4-A2B0DC8037B2}\ = "IRecipients"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23E86816-772B-4B28-A924-A135CFF6469A}\TypeLib\Version = "4.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C21B3B1-2B11-45F2-8A9E-DCC5032DE98A}\TypeLib\Version = "4.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jmail.SpeedMailer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3A0ACB9-3D8C-4999-9E6B-3E44372E11DD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DATA\\JJM.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{684130B2-2B8A-4E8D-BE71-8F4052882076}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65C53BE7-ED21-4C25-B189-DA0E8FAD5231}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jmail.MailMerge\Clsid\ = "{0D821067-FCF9-4704-9287-0D8F76FE6513}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{607A06FE-2FDA-4ADC-854D-D016D98D83DB}\TypeLib\Version = "4.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{821AAFE5-2F19-47EB-ACA9-3B4C1D64AC27}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{952F0B99-50B6-44B3-AE0D-700D5B98B416}\TypeLib\ = "{AED3A6B0-2171-11D2-B77C-0008C73ACA8F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{14E61A41-8846-11D2-B7E4-0008C73ACA8F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B89D0E7A-0F5B-40EE-8AF3-08FA2ED9534F}\ = "IPGPKeyInfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B89D0E7A-0F5B-40EE-8AF3-08FA2ED9534F}\TypeLib\ = "{AED3A6B0-2171-11D2-B77C-0008C73ACA8F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jmail.Recipient\Clsid\ = "{DBAAEA4B-AD29-47BD-8776-C787D5BE28AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AED3A6B3-2171-11D2-B77C-0008C73ACA8F}\ = "SMTPMail Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEF9EA1F-BBCA-4E19-87A4-2E26C22F1D26}\ProgID\ = "jmail.PGPKeys"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C21B3B1-2B11-45F2-8A9E-DCC5032DE98A}\TypeLib\ = "{AED3A6B0-2171-11D2-B77C-0008C73ACA8F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{821AAFE5-2F19-47EB-ACA9-3B4C1D64AC27}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3F1977-CD10-41B2-9977-7693A4C13377}\ProgID\ = "jmail.PGPDecodeResults"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81CA5571-C109-47AE-BE1C-2DF9CB8999FF}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{952F0B99-50B6-44B3-AE0D-700D5B98B416}\ = "IAttachment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{41DBA1FA-44F6-4BD5-82DF-1A7FDEA0475D}\TypeLib\ = "{AED3A6B0-2171-11D2-B77C-0008C73ACA8F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jmail.Message	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A037057-57F0-4904-A1E0-AD0EA2FB564E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jmail.PGPKeyInfo\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B89D0E7A-0F5B-40EE-8AF3-08FA2ED9534F}\TypeLib\Version = "4.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37F2DDBD-5CD9-4CDF-9B30-2A904246C112}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D821067-FCF9-4704-9287-0D8F76FE6513}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F812B147-0E26-4222-8EE4-9F753CD2B39C}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B89D0E7A-0F5B-40EE-8AF3-08FA2ED9534F}\TypeLib\ = "{AED3A6B0-2171-11D2-B77C-0008C73ACA8F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F812B147-0E26-4222-8EE4-9F753CD2B39C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DATA\\JJM.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B10BF17C-F7EC-4EE2-AD7A-6F42816AEC0F}\TypeLib\ = "{AED3A6B0-2171-11D2-B77C-0008C73ACA8F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B1CC9084-0177-4136-9B1B-C06C061F1E1D}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37F2DDBD-5CD9-4CDF-9B30-2A904246C112}\ = "PGPKeyInfo Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B9999C-DAD2-4353-B25B-8CCAFFCA4D16}\TypeLib\Version = "4.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53DECA78-C334-4235-9165-1FE7D8912A76}\ = "Attachment Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3F1977-CD10-41B2-9977-7693A4C13377}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DATA\\JJM.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AED3A6B1-2171-11D2-B77C-0008C73ACA8F}\TypeLib\Version = "4.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{821AAFE5-2F19-47EB-ACA9-3B4C1D64AC27}\ = "ISpeedMailer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53DECA78-C334-4235-9165-1FE7D8912A76}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A62C8BDB-D1FC-4FDD-A2A2-EEFF73262A41}\Version\ = "4.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3F1977-CD10-41B2-9977-7693A4C13377}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{684130B2-2B8A-4E8D-BE71-8F4052882076}\TypeLib\ = "{AED3A6B0-2171-11D2-B77C-0008C73ACA8F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56930358-AD72-408F-83C4-A2B0DC8037B2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65C53BE7-ED21-4C25-B189-DA0E8FAD5231}\TypeLib\Version = "4.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E6D8684-755D-4847-BF40-68EC5E4BC1E9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E61A41-8846-11D2-B7E4-0008C73ACA8F}\TypeLib\ = "{AED3A6B0-2171-11D2-B77C-0008C73ACA8F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A037057-57F0-4904-A1E0-AD0EA2FB564E}\ = "IMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3A0ACB9-3D8C-4999-9E6B-3E44372E11DD}\ = "Attachments Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A62C8BDB-D1FC-4FDD-A2A2-EEFF73262A41}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2ED965-E0BA-4FE4-ADE2-38BD48F112E8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{821AAFE5-2F19-47EB-ACA9-3B4C1D64AC27}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90D0A753-AD45-40FD-8C6E-555600EE5EB4}\ = "SpeedMailer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jmail.Headers\ = "Headers Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23E86816-772B-4B28-A924-A135CFF6469A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AED3A6B3-2171-11D2-B77C-0008C73ACA8F}\Version\ = "4.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53DECA78-C334-4235-9165-1FE7D8912A76}\InprocServer32	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 1556	1816	regsvr32.exe	83
PID 1816 wrote to memory of 1556	1816	regsvr32.exe	83
PID 1816 wrote to memory of 1556	1816	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DATA\JJM.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\DATA\JJM.dll
  2⤵
  - Modifies registry class
  PID:1556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1556-134-0x00000000009C0000-0x0000000000A1E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads