f4d14d3870fcbbf85ee3cda9e8778ac28b7ecfad34b938bcabb600f8e8dff705

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 03:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f4d14d3870fcbbf85ee3cda9e8778ac28b7ecfad34b938bcabb600f8e8dff705.dll
Size

75KB
MD5

203ae715b4fccdeff2d4a992728c3900
SHA1

5027d73672bbf482ce5fa8b5c7dda5ca4f54f940
SHA256

f4d14d3870fcbbf85ee3cda9e8778ac28b7ecfad34b938bcabb600f8e8dff705
SHA512

3d3ec6f7b99c12e9c1cc2a14ab1a6a9be095dbe4c468648cc9784287f6c53c3a8b7e9099daa9e392aba60a401aec21b0c709bb9d4fdbab66e319d1b95d5d9307
SSDEEP

1536:IcsE2Z4WvwoZiSM2UyyZCDMuDqObVG15+Ntavj7QCDgg:YE2KawoZiNNlZ05DqObSANQL7VDx

Score

1^/10

Malware Config

Signatures

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\ProgID\ = "Tazebama.TazebamaHook.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0\ = "tazebama 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\ = "ITazebamaHook"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook\CLSID\ = "{79806449-AB35-42EC-9BE9-B390209CE514}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook\CurVer\ = "Tazebama.TazebamaHook.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\TypeLib\ = "{7B154753-C2FF-45C9-974E-98E4D3914D9C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\TazebamaHook	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook\ = "TazebamaHook Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\VersionIndependentProgID\ = "Tazebama.TazebamaHook"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f4d14d3870fcbbf85ee3cda9e8778ac28b7ecfad34b938bcabb600f8e8dff705.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\TypeLib\ = "{7B154753-C2FF-45C9-974E-98E4D3914D9C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook.1\CLSID\ = "{79806449-AB35-42EC-9BE9-B390209CE514}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\ = "TazebamaHook Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\ = "ITazebamaHook"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\TypeLib\ = "{7B154753-C2FF-45C9-974E-98E4D3914D9C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook.1\ = "TazebamaHook Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\TazebamaHook\ = "{79806449-AB35-42EC-9BE9-B390209CE514}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f4d14d3870fcbbf85ee3cda9e8778ac28b7ecfad34b938bcabb600f8e8dff705.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 980	1696	regsvr32.exe	27
PID 1696 wrote to memory of 980	1696	regsvr32.exe	27
PID 1696 wrote to memory of 980	1696	regsvr32.exe	27
PID 1696 wrote to memory of 980	1696	regsvr32.exe	27
PID 1696 wrote to memory of 980	1696	regsvr32.exe	27
PID 1696 wrote to memory of 980	1696	regsvr32.exe	27
PID 1696 wrote to memory of 980	1696	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f4d14d3870fcbbf85ee3cda9e8778ac28b7ecfad34b938bcabb600f8e8dff705.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\f4d14d3870fcbbf85ee3cda9e8778ac28b7ecfad34b938bcabb600f8e8dff705.dll
  2⤵
  - Modifies registry class
  PID:980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/980-56-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1696-54-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads