190449ad219a48edb745d9dc8a51ba74792509f197fdaf992a50fc89e69592b0

General

Target

190449ad219a48edb745d9dc8a51ba74792509f197fdaf992a50fc89e69592b0.dll
Size

136KB
MD5

e9758803fffe11d463e47944a3eedbf0
SHA1

9abb72331090750fd3e456ac2204cf1a7b481490
SHA256

190449ad219a48edb745d9dc8a51ba74792509f197fdaf992a50fc89e69592b0
SHA512

29cc649a1a93221002c1f81a011022208e79a0ebf8ab775a2467d276b7709636fe0e8388d41bc017a62ba7c07658d98125fe304b1038e703b895e1dfc998121a
SSDEEP

3072:z3BWcSZI1mAVBEqVeFYhfA1rxTp47iQ21ejVlT:z3BWcj1mAjE/FYhfA3u7i310Vl

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2020	regsvr32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e4f-134.dat	upx
behavioral2/files/0x0006000000022e4f-135.dat	upx
behavioral2/memory/2020-136-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3756	2020	WerFault.exe	86

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\NumMethods\ = "6"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ = "ISetupObjectClass"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\190449ad219a48edb745d9dc8a51ba74792509f197fdaf992a50fc89e69592b0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ = "PSFactoryBuffer"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ = "ISetupServiceProvider"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ProxyStubClsid32\ = "{F4817E4B-04B6-11D3-8862-00C04F72F303}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ProxyStubClsid32\ = "{F4817E4B-04B6-11D3-8862-00C04F72F303}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods\ = "5"	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 1536	4336	regsvr32.exe	84
PID 4336 wrote to memory of 1536	4336	regsvr32.exe	84
PID 4336 wrote to memory of 1536	4336	regsvr32.exe	84
PID 1536 wrote to memory of 2020	1536	regsvr32.exe	86
PID 1536 wrote to memory of 2020	1536	regsvr32.exe	86
PID 1536 wrote to memory of 2020	1536	regsvr32.exe	86

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\190449ad219a48edb745d9dc8a51ba74792509f197fdaf992a50fc89e69592b0.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\190449ad219a48edb745d9dc8a51ba74792509f197fdaf992a50fc89e69592b0.dll
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:2020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 268
      4⤵
      Program crash
      PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2020 -ip 2020
1⤵
PID:2636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
99KB

MD5
f3873258a4258a6761dc54d47463182f

SHA1
fbbf8bca739ca4e9745e5224662b33b437a52461

SHA256
63b02a3e8e7e049d1f29cd4cd79fe5c8905754da6c023df72aa5cca351d0d5c5

SHA512
eec16bb41fd05d9acd5d2b17eb5218057c3cd97cd706e0782a64eb2c32f8a57f1206fe0268be7f37a9f1c3f7b8eb09767cf2724951eaee4be03c4d509d4b3dd4

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
99KB

MD5
f3873258a4258a6761dc54d47463182f

SHA1
fbbf8bca739ca4e9745e5224662b33b437a52461

SHA256
63b02a3e8e7e049d1f29cd4cd79fe5c8905754da6c023df72aa5cca351d0d5c5

SHA512
eec16bb41fd05d9acd5d2b17eb5218057c3cd97cd706e0782a64eb2c32f8a57f1206fe0268be7f37a9f1c3f7b8eb09767cf2724951eaee4be03c4d509d4b3dd4

Download Submit
memory/2020-136-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing