e495aed8d37e06ce6b7b1962ddfe5ddbfd1c5ca31f73b12997014d5beaa70f39

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e495aed8d37e06ce6b7b1962ddfe5ddbfd1c5ca31f73b12997014d5beaa70f39.dll
Size

475KB
MD5

f278803aa8bda4329239d058062fb425
SHA1

11d6934d2bdec4b349d99868ca1aac2da8a161d6
SHA256

e495aed8d37e06ce6b7b1962ddfe5ddbfd1c5ca31f73b12997014d5beaa70f39
SHA512

7f85293fa60565fa9dfa5e9e4485b21a1f187a408be0a7129008a29e689fec8dd340ffbabc08f0b8b5e260b0f6707d383a789e161e479e81e1426764c786c9f6
SSDEEP

6144:LbURCVck7fLGdHtQ9hPuvDJQNmj066mj3qYts+fPpLcHwsmrOhMwI7aM+TMppoHI:n2C/LNu6mp53tW+fIwsmrWMwCaM+I

Score

1^/10

Malware Config

Signatures

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KSNetEngine.CBNWNetSearch.1\ = "CBNWNetSearch Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA1A305-8193-4b9b-8EF7-09615856B4AE}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA1A305-8193-4b9b-8EF7-09615856B4AE}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e495aed8d37e06ce6b7b1962ddfe5ddbfd1c5ca31f73b12997014d5beaa70f39.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB814D1C-A799-4C55-BBEA-92BE3CC61595}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB814D1C-A799-4C55-BBEA-92BE3CC61595}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{590F36EA-33D2-48F1-89DA-14F785AE8E1B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{590F36EA-33D2-48F1-89DA-14F785AE8E1B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\KSNetEngine.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{590F36EA-33D2-48F1-89DA-14F785AE8E1B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{590F36EA-33D2-48F1-89DA-14F785AE8E1B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KSNetEngine.CBNWNetSearch\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA1A305-8193-4b9b-8EF7-09615856B4AE}\ProgID\ = "KSNetEngine.CBNWNetSearch.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA1A305-8193-4b9b-8EF7-09615856B4AE}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA1A305-8193-4b9b-8EF7-09615856B4AE}\VersionIndependentProgID\ = "KSNetEngine.CBNWNetSearch"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA1A305-8193-4b9b-8EF7-09615856B4AE}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA1A305-8193-4b9b-8EF7-09615856B4AE}\TypeLib\ = "{AB814D1C-A799-4C55-BBEA-92BE3CC61595}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB814D1C-A799-4C55-BBEA-92BE3CC61595}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e495aed8d37e06ce6b7b1962ddfe5ddbfd1c5ca31f73b12997014d5beaa70f39.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KSNetEngine.CBNWNetSearch	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{590F36EA-33D2-48F1-89DA-14F785AE8E1B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{590F36EA-33D2-48F1-89DA-14F785AE8E1B}\TypeLib\ = "{AB814D1C-A799-4C55-BBEA-92BE3CC61595}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{590F36EA-33D2-48F1-89DA-14F785AE8E1B}\TypeLib\ = "{AB814D1C-A799-4C55-BBEA-92BE3CC61595}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\KSNetEngine.DLL\AppID = "{EBDC3E18-23C6-48AC-8430-38242C1E3607}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KSNetEngine.CBNWNetSearch.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA1A305-8193-4b9b-8EF7-09615856B4AE}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB814D1C-A799-4C55-BBEA-92BE3CC61595}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB814D1C-A799-4C55-BBEA-92BE3CC61595}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EBDC3E18-23C6-48AC-8430-38242C1E3607}\ = "KSNetEngine"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA1A305-8193-4b9b-8EF7-09615856B4AE}\AppID = "{EBDC3E18-23C6-48AC-8430-38242C1E3607}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KSNetEngine.CBNWNetSearch\CLSID\ = "{5DA1A305-8193-4b9b-8EF7-09615856B4AE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB814D1C-A799-4C55-BBEA-92BE3CC61595}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{590F36EA-33D2-48F1-89DA-14F785AE8E1B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA1A305-8193-4b9b-8EF7-09615856B4AE}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KSNetEngine.CBNWNetSearch.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB814D1C-A799-4C55-BBEA-92BE3CC61595}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{590F36EA-33D2-48F1-89DA-14F785AE8E1B}\ = "ICNWNetSearch"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{590F36EA-33D2-48F1-89DA-14F785AE8E1B}\ = "ICNWNetSearch"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{590F36EA-33D2-48F1-89DA-14F785AE8E1B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EBDC3E18-23C6-48AC-8430-38242C1E3607}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KSNetEngine.CBNWNetSearch\CurVer\ = "KSNetEngine.CBNWNetSearch.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA1A305-8193-4b9b-8EF7-09615856B4AE}\ = "CBNWNetSearch Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA1A305-8193-4b9b-8EF7-09615856B4AE}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB814D1C-A799-4C55-BBEA-92BE3CC61595}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KSNetEngine.CBNWNetSearch.1\CLSID\ = "{5DA1A305-8193-4b9b-8EF7-09615856B4AE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KSNetEngine.CBNWNetSearch\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DA1A305-8193-4b9b-8EF7-09615856B4AE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB814D1C-A799-4C55-BBEA-92BE3CC61595}\1.0\ = "KSNetEngine 1.0 ÀàÐÍ¿â"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB814D1C-A799-4C55-BBEA-92BE3CC61595}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{590F36EA-33D2-48F1-89DA-14F785AE8E1B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{590F36EA-33D2-48F1-89DA-14F785AE8E1B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{590F36EA-33D2-48F1-89DA-14F785AE8E1B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KSNetEngine.CBNWNetSearch\ = "CBNWNetSearch Class"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 5104	4188	regsvr32.exe	81
PID 4188 wrote to memory of 5104	4188	regsvr32.exe	81
PID 4188 wrote to memory of 5104	4188	regsvr32.exe	81

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e495aed8d37e06ce6b7b1962ddfe5ddbfd1c5ca31f73b12997014d5beaa70f39.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\e495aed8d37e06ce6b7b1962ddfe5ddbfd1c5ca31f73b12997014d5beaa70f39.dll
  2⤵
  - Modifies registry class
  PID:5104

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads