5263af4be4f2250238b25131da6444ba1b6c6ec611833f868c10c14c90350300

General

Target

ͻ/sydt.dll
Size

284KB
MD5

666acb3df5d04ce0419cdd9c5ebdc631
SHA1

241777232ddf807d585c529e1a800d28a83982fb
SHA256

2dc60ed0879bded846abaef9d4ae9b98cc46018e191741c9bca356cd327dec7d
SHA512

4a25f3a35c5d216e1aeba8019576560e27c82c1b6be551214014587097397f7c3bdb4b3cc17b7a2875bd9f0c128441fd1a228a34f923690366508161670ee732
SSDEEP

6144:TD+mEXGo5bTcEk7JX7hI0gXmQ/6+3MydtJ:n4Go58Ek7p7xQmGJ

Score

1^/10

Malware Config

Signatures

Modifies registry class 46 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EF83CA6-D06B-44D1-88B9-AFB6188C4BDF}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EF83CA6-D06B-44D1-88B9-AFB6188C4BDF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\uefbfͻ\uefa7\uefbb\ueffa\\sydt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EF83CA6-D06B-44D1-88B9-AFB6188C4BDF}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74F1DF58-11CD-458C-A149-2761D9FAA6CA}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74F1DF58-11CD-458C-A149-2761D9FAA6CA}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sy.dt\CurVer\ = "sy.dt.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EF83CA6-D06B-44D1-88B9-AFB6188C4BDF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EF83CA6-D06B-44D1-88B9-AFB6188C4BDF}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74F1DF58-11CD-458C-A149-2761D9FAA6CA}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\uefbfͻ\uefa7\uefbb\ueffa"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sy.dt\CLSID\ = "{0EF83CA6-D06B-44D1-88B9-AFB6188C4BDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74F1DF58-11CD-458C-A149-2761D9FAA6CA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}\ = "Isydtdll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EF83CA6-D06B-44D1-88B9-AFB6188C4BDF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74F1DF58-11CD-458C-A149-2761D9FAA6CA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\uefbfͻ\uefa7\uefbb\ueffa\\sydt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sy.dt.1\CLSID\ = "{0EF83CA6-D06B-44D1-88B9-AFB6188C4BDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sy.dt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sy.dt\ = "sydtdll Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74F1DF58-11CD-458C-A149-2761D9FAA6CA}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sy.dt.1\ = "sydtdll Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EF83CA6-D06B-44D1-88B9-AFB6188C4BDF}\ = "sydtdll Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EF83CA6-D06B-44D1-88B9-AFB6188C4BDF}\TypeLib\ = "{74F1DF58-11CD-458C-A149-2761D9FAA6CA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74F1DF58-11CD-458C-A149-2761D9FAA6CA}\1.0\ = "sydt 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74F1DF58-11CD-458C-A149-2761D9FAA6CA}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sy.dt.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sy.dt.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EF83CA6-D06B-44D1-88B9-AFB6188C4BDF}\ProgID\ = "sy.dt.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sy.dt\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74F1DF58-11CD-458C-A149-2761D9FAA6CA}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}\TypeLib\ = "{74F1DF58-11CD-458C-A149-2761D9FAA6CA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74F1DF58-11CD-458C-A149-2761D9FAA6CA}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}\TypeLib\ = "{74F1DF58-11CD-458C-A149-2761D9FAA6CA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EF83CA6-D06B-44D1-88B9-AFB6188C4BDF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}\ = "Isydtdll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sy.dt\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EF83CA6-D06B-44D1-88B9-AFB6188C4BDF}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EF83CA6-D06B-44D1-88B9-AFB6188C4BDF}\VersionIndependentProgID\ = "sy.dt"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 380 wrote to memory of 620	380	regsvr32.exe	regsvr32.exe
PID 380 wrote to memory of 620	380	regsvr32.exe	regsvr32.exe
PID 380 wrote to memory of 620	380	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ͻ\sydt.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\ͻ\sydt.dll
  2⤵
  - Modifies registry class
  PID:620

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads