98d12688d18163602bf4fc776eeba56dffb2a82da7daeaf1350425a7b397665d

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98d12688d18163602bf4fc776eeba56dffb2a82da7daeaf1350425a7b397665d.dll
Size

84KB
MD5

ead94e23e44f67620394f456ed4717d2
SHA1

5690ff2ad6cdf8152aef1432bdc3917f769ce037
SHA256

98d12688d18163602bf4fc776eeba56dffb2a82da7daeaf1350425a7b397665d
SHA512

ec700d9a2d6e7a19a0b5e73d9fbd134d2cf5dbf26e9ba9dbe20a94303384f0db09ed7f2bfe0438c7a543bedfde8c9810e6bf4b1b0dbc6b8f25a3a219649e2d11
SSDEEP

1536:Cjq2qxQL2RqEvfiWpt2wY/UgynXKQ++hVQDfqnjKUMj:Cjq2qxQWlvfiWpt2qgGF+sdKUQ

Score

1^/10

Malware Config

Signatures

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8CDD2A9-A6BC-45D9-A5FD-E9EB1C60A94A}\ = "VidInfoHead Property Page"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{539B4F58-16E7-4E47-8EC8-83BF91481D00}\ = "Dee Mon's VIH"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{539B4F58-16E7-4E47-8EC8-83BF91481D00}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8CDD2A9-A6BC-45D9-A5FD-E9EB1C60A94A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{539B4F58-16E7-4E47-8EC8-83BF91481D00}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\98d12688d18163602bf4fc776eeba56dffb2a82da7daeaf1350425a7b397665d.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{539B4F58-16E7-4E47-8EC8-83BF91481D00}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{539B4F58-16E7-4E47-8EC8-83BF91481D00}\FriendlyName = "Dee Mon's VIH"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{539B4F58-16E7-4E47-8EC8-83BF91481D00}\FilterData = 0200000000002000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000000000000317069330800000000000000010000000000000000000000307479330000000060000000000000007669647300001000800000aa00389b71	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{539B4F58-16E7-4E47-8EC8-83BF91481D00}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8CDD2A9-A6BC-45D9-A5FD-E9EB1C60A94A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\98d12688d18163602bf4fc776eeba56dffb2a82da7daeaf1350425a7b397665d.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8CDD2A9-A6BC-45D9-A5FD-E9EB1C60A94A}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{539B4F58-16E7-4E47-8EC8-83BF91481D00}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8CDD2A9-A6BC-45D9-A5FD-E9EB1C60A94A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{539B4F58-16E7-4E47-8EC8-83BF91481D00}\CLSID = "{539B4F58-16E7-4E47-8EC8-83BF91481D00}"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1228	1832	regsvr32.exe	27
PID 1832 wrote to memory of 1228	1832	regsvr32.exe	27
PID 1832 wrote to memory of 1228	1832	regsvr32.exe	27
PID 1832 wrote to memory of 1228	1832	regsvr32.exe	27
PID 1832 wrote to memory of 1228	1832	regsvr32.exe	27
PID 1832 wrote to memory of 1228	1832	regsvr32.exe	27
PID 1832 wrote to memory of 1228	1832	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\98d12688d18163602bf4fc776eeba56dffb2a82da7daeaf1350425a7b397665d.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\98d12688d18163602bf4fc776eeba56dffb2a82da7daeaf1350425a7b397665d.dll
  2⤵
  - Modifies registry class
  PID:1228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1228-56-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/1832-54-0x000007FEFC341000-0x000007FEFC343000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads