581aa5b2bf9d93858e92fa0467929e2b83026fb3d685f770340d5105dd6ac92e

General

Target

581aa5b2bf9d93858e92fa0467929e2b83026fb3d685f770340d5105dd6ac92e.dll
Size

211KB
MD5

8eded797ec79b7372ad87de2eae8fc07
SHA1

8687d3cc7748a841b468e19a0a6a254589e7fb0c
SHA256

581aa5b2bf9d93858e92fa0467929e2b83026fb3d685f770340d5105dd6ac92e
SHA512

99f770e4ae0670e60d854dce510d854c42235520313a812165f4feb4cc381a593f5b7e16c2fd49e25b352228cb6378fb4384d8e9c35ac591227560c78168da8d
SSDEEP

3072:iOC16nBcBz4Lv0cTixNTcjvQeUsktDO1fb5cVCDp85Po5rG6cU2YIL9bR3:bC1eAc0DsuDO1fb5cVC3159y

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HPCUE.EventLog\CurVer\ = "HPCUE.EventLog.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32E11268-1FBF-43ED-B75A-3F9420415D18}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HPCUE.LogEntry\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{89BB0AB5-01E5-412C-9205-0769D23A35F2}\TypeLib\ = "{6BA8A6EA-6038-4613-A4AC-8FDF27CCD481}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D5AB8C5E-D4CE-4E5E-A3B3-7D6AE5F42686}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5638D7EE-97CA-4DD3-B993-26E89FBE6CA1}\ProgID\ = "HPCUE.TrayAppCtxList.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HPCUE.EventLog\ = "HPCUEEventLog Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HPCUE.EventLog.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26A870E8-5C86-465C-BF6F-0EA63F6F0CDB}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{02EC5D65-1494-4BA3-AE40-8B6CD8CB8B7F}\TypeLib\ = "{6BA8A6EA-6038-4613-A4AC-8FDF27CCD481}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HPCUE.TrayAppCtxList\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5638D7EE-97CA-4DD3-B993-26E89FBE6CA1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\581aa5b2bf9d93858e92fa0467929e2b83026fb3d685f770340d5105dd6ac92e.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HPCUE.LogEntry.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{89BB0AB5-01E5-412C-9205-0769D23A35F2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89BB0AB5-01E5-412C-9205-0769D23A35F2}\ = "DIHPCUETrayAppCtxList"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{02EC5D65-1494-4BA3-AE40-8B6CD8CB8B7F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB72C778-DC69-404C-BAFA-D0B475C128D3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5638D7EE-97CA-4DD3-B993-26E89FBE6CA1}\ = "HPCUETrayAppCtxList Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5638D7EE-97CA-4DD3-B993-26E89FBE6CA1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HPCUE.EventLog	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32E11268-1FBF-43ED-B75A-3F9420415D18}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HPCUE.LogEntry\CurVer\ = "HPCUE.LogEntry.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{02EC5D65-1494-4BA3-AE40-8B6CD8CB8B7F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E49586-EF5C-4BDA-B7A2-48322682DE43}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HPCUE.TrayAppCtx\CurVer\ = "HPCUE.TrayAppCtx.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6DEDDA4-5DC9-48A8-83F8-66A4D932AF0F}\ = "HPCUETrayAppCtx Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D5AB8C5E-D4CE-4E5E-A3B3-7D6AE5F42686}\ = "_DIHPCUETAPlugInEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{02EC5D65-1494-4BA3-AE40-8B6CD8CB8B7F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E49586-EF5C-4BDA-B7A2-48322682DE43}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6DEDDA4-5DC9-48A8-83F8-66A4D932AF0F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\581aa5b2bf9d93858e92fa0467929e2b83026fb3d685f770340d5105dd6ac92e.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26A870E8-5C86-465C-BF6F-0EA63F6F0CDB}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{02EC5D65-1494-4BA3-AE40-8B6CD8CB8B7F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{02EC5D65-1494-4BA3-AE40-8B6CD8CB8B7F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89BB0AB5-01E5-412C-9205-0769D23A35F2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{82047FCB-4B9E-458D-B315-CB9F6F0A095A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32E11268-1FBF-43ED-B75A-3F9420415D18}\ = "HPCUEEventLog Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{89BB0AB5-01E5-412C-9205-0769D23A35F2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D5AB8C5E-D4CE-4E5E-A3B3-7D6AE5F42686}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D5AB8C5E-D4CE-4E5E-A3B3-7D6AE5F42686}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D5AB8C5E-D4CE-4E5E-A3B3-7D6AE5F42686}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E49586-EF5C-4BDA-B7A2-48322682DE43}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HPCUE.TrayAppCtxList\CurVer\ = "HPCUE.TrayAppCtxList.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HPCUE.TrayAppCtx.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6BA8A6EA-6038-4613-A4AC-8FDF27CCD481}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6BA8A6EA-6038-4613-A4AC-8FDF27CCD481}\1.0\ = "Hewlett-Packard CUE Tray Application Objects 1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6BA8A6EA-6038-4613-A4AC-8FDF27CCD481}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{82047FCB-4B9E-458D-B315-CB9F6F0A095A}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB72C778-DC69-404C-BAFA-D0B475C128D3}\TypeLib\ = "{6BA8A6EA-6038-4613-A4AC-8FDF27CCD481}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E49586-EF5C-4BDA-B7A2-48322682DE43}\ = "DIHPCUELogEntry"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26A870E8-5C86-465C-BF6F-0EA63F6F0CDB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\581aa5b2bf9d93858e92fa0467929e2b83026fb3d685f770340d5105dd6ac92e.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26A870E8-5C86-465C-BF6F-0EA63F6F0CDB}\TypeLib\ = "{6BA8A6EA-6038-4613-A4AC-8FDF27CCD481}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89BB0AB5-01E5-412C-9205-0769D23A35F2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E49586-EF5C-4BDA-B7A2-48322682DE43}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{82047FCB-4B9E-458D-B315-CB9F6F0A095A}\ = "DIHPCUEEventLog"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82047FCB-4B9E-458D-B315-CB9F6F0A095A}\TypeLib\ = "{6BA8A6EA-6038-4613-A4AC-8FDF27CCD481}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HPCUE.LogEntry\ = "HPCUELogEntry Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6BA8A6EA-6038-4613-A4AC-8FDF27CCD481}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB72C778-DC69-404C-BAFA-D0B475C128D3}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E49586-EF5C-4BDA-B7A2-48322682DE43}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5638D7EE-97CA-4DD3-B993-26E89FBE6CA1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{02EC5D65-1494-4BA3-AE40-8B6CD8CB8B7F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89BB0AB5-01E5-412C-9205-0769D23A35F2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6DEDDA4-5DC9-48A8-83F8-66A4D932AF0F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6BA8A6EA-6038-4613-A4AC-8FDF27CCD481}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\581aa5b2bf9d93858e92fa0467929e2b83026fb3d685f770340d5105dd6ac92e.dll"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1264 wrote to memory of 844	1264	regsvr32.exe	regsvr32.exe
PID 1264 wrote to memory of 844	1264	regsvr32.exe	regsvr32.exe
PID 1264 wrote to memory of 844	1264	regsvr32.exe	regsvr32.exe
PID 1264 wrote to memory of 844	1264	regsvr32.exe	regsvr32.exe
PID 1264 wrote to memory of 844	1264	regsvr32.exe	regsvr32.exe
PID 1264 wrote to memory of 844	1264	regsvr32.exe	regsvr32.exe
PID 1264 wrote to memory of 844	1264	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\581aa5b2bf9d93858e92fa0467929e2b83026fb3d685f770340d5105dd6ac92e.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\581aa5b2bf9d93858e92fa0467929e2b83026fb3d685f770340d5105dd6ac92e.dll
2⤵
- Modifies registry class
PID:844

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-55-0x0000000000000000-mapping.dmp

Download
memory/844-56-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/844-58-0x00000000001A0000-0x00000000001AF000-memory.dmp

Filesize
60KB

Download
memory/844-57-0x0000000000190000-0x000000000019F000-memory.dmp

Filesize
60KB

Download
memory/1264-54-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads