ab64c60d21c9abce91bca5a9104a6d5b1e51715970ccba78ae7d7718316698b4

Analysis

max time kernel
4s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab64c60d21c9abce91bca5a9104a6d5b1e51715970ccba78ae7d7718316698b4.dll
Size

75KB
MD5

700f96c5977fffdca560fc33b1de8f90
SHA1

3c5f45e7211fbdadce1a349fabbdf0c90ad01f78
SHA256

ab64c60d21c9abce91bca5a9104a6d5b1e51715970ccba78ae7d7718316698b4
SHA512

7b79a9d0ac8c1b79797580221f94c8a9c9611fcebd0a0fb60dae1aeac6d534809191616aa7a0c967f964c6ecedb9044efa94ea2a9f0b63983804e7454f8cf659
SSDEEP

1536:IcsE2Z4WvwoZid1nllZ41ORsQRkLlFt3tMa6Jmmn:YE2KawoZid1V4Qa5CRmmn

Score

1^/10

Malware Config

Signatures

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\VersionIndependentProgID\ = "Tazebama.TazebamaHook"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\ = "TazebamaHook Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\TazebamaHook	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook\CLSID\ = "{79806449-AB35-42EC-9BE9-B390209CE514}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\TypeLib\ = "{7B154753-C2FF-45C9-974E-98E4D3914D9C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\TypeLib\ = "{7B154753-C2FF-45C9-974E-98E4D3914D9C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook.1\ = "TazebamaHook Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\TazebamaHook\ = "{79806449-AB35-42EC-9BE9-B390209CE514}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook\ = "TazebamaHook Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ab64c60d21c9abce91bca5a9104a6d5b1e51715970ccba78ae7d7718316698b4.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\TypeLib\ = "{7B154753-C2FF-45C9-974E-98E4D3914D9C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\ = "ITazebamaHook"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\ProgID\ = "Tazebama.TazebamaHook.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ab64c60d21c9abce91bca5a9104a6d5b1e51715970ccba78ae7d7718316698b4.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79806449-AB35-42EC-9BE9-B390209CE514}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0\ = "tazebama 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B154753-C2FF-45C9-974E-98E4D3914D9C}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook.1\CLSID\ = "{79806449-AB35-42EC-9BE9-B390209CE514}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook\CurVer\ = "Tazebama.TazebamaHook.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\ = "ITazebamaHook"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A198FC3-51AA-4403-B281-168F86D9053A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tazebama.TazebamaHook.1	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 996	884	regsvr32.exe	27
PID 884 wrote to memory of 996	884	regsvr32.exe	27
PID 884 wrote to memory of 996	884	regsvr32.exe	27
PID 884 wrote to memory of 996	884	regsvr32.exe	27
PID 884 wrote to memory of 996	884	regsvr32.exe	27
PID 884 wrote to memory of 996	884	regsvr32.exe	27
PID 884 wrote to memory of 996	884	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ab64c60d21c9abce91bca5a9104a6d5b1e51715970ccba78ae7d7718316698b4.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\ab64c60d21c9abce91bca5a9104a6d5b1e51715970ccba78ae7d7718316698b4.dll
  2⤵
  - Modifies registry class
  PID:996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/884-54-0x000007FEFC201000-0x000007FEFC203000-memory.dmp

Filesize
8KB

Download
memory/996-55-0x0000000000000000-mapping.dmp

Download
memory/996-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads