a430ece3ebc41e11c1c13e312f2ddc5dbf3b2eab07743a65fb40a8519261bdca

Analysis

max time kernel
137s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a430ece3ebc41e11c1c13e312f2ddc5dbf3b2eab07743a65fb40a8519261bdca.dll
Size

444KB
MD5

16a4cfaabf3485a144995edab40cb660
SHA1

88e447ec4eb462a9c110ab802c322dfc14d6d880
SHA256

a430ece3ebc41e11c1c13e312f2ddc5dbf3b2eab07743a65fb40a8519261bdca
SHA512

eb4e78e5e63db41be74ab0c601ee356bb13a4569ecbeaa50b862119acc0badf08672accbe6c424273320363924dba7ccd8c2498b37da3676498ddc75da8d3737
SSDEEP

12288:vWc0GkgHdfZmtP9a3bxtdpHS1XOxUeNZu1AVTGkz4oye/1z2gToNQ3yjdEzBuj:vHf9H3mtP9a3bDdpHMexUeNZu1aTGkz0

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EBB68F5-3BF1-11CF-814C-00AA00A40C25}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EE008642-64A8-11CE-920F-08002B369A33}\2.0\ = "Microsoft Remote Data Object 2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E746492-6ED1-11CE-9223-08002B369A33}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E71F051-551F-11CF-8152-00AA00A40C25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E746493-6ED1-11CE-9223-08002B369A33}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E746496-6ED1-11CE-9223-08002B369A33}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E71F04D-551F-11CF-8152-00AA00A40C25}\ = "_rdoConnection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B39DFBF-3647-11CF-814A-00AA00A40C25}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B39DFBF-3647-11CF-814A-00AA00A40C25}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B39DFBC-3647-11CF-814A-00AA00A40C25}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E71F050-551F-11CF-8152-00AA00A40C25}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B39DFBC-3647-11CF-814A-00AA00A40C25}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B39DFBC-3647-11CF-814A-00AA00A40C25}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E746496-6ED1-11CE-9223-08002B369A33}\TypeLib\ = "{EE008642-64A8-11CE-920F-08002B369A33}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D545B93-97CA-11CF-8171-00AA00A40C25}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftRDO.RdoQuery2.0\ = "MicrosoftRDO.RdoQuery2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE008643-64A8-11CE-920F-08002B369A33}\TypeLib\ = "{EE008642-64A8-11CE-920F-08002B369A33}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B39DFC0-3647-11CF-814A-00AA00A40C25}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E7464A0-6ED1-11CE-9223-08002B369A33}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftRDO.RdoQuery2.0\CLSID\ = "{9A8831F2-A263-11D1-8DCF-00A0C90FFFC2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B541C03D-63BC-11CE-920C-08002B369A33}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E71F050-551F-11CF-8152-00AA00A40C25}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B541C03D-63BC-11CE-920C-08002B369A33}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E71F050-551F-11CF-8152-00AA00A40C25}\TypeLib\ = "{EE008642-64A8-11CE-920F-08002B369A33}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E746493-6ED1-11CE-9223-08002B369A33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8831F2-A263-11D1-8DCF-00A0C90FFFC2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E746494-6ED1-11CE-9223-08002B369A33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5D545B93-97CA-11CF-8171-00AA00A40C25}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E71F050-551F-11CF-8152-00AA00A40C25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E71F051-551F-11CF-8152-00AA00A40C25}\TypeLib\ = "{EE008642-64A8-11CE-920F-08002B369A33}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B39DFBD-3647-11CF-814A-00AA00A40C25}\ = "rdoConnectionEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8831F2-A263-11D1-8DCF-00A0C90FFFC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a430ece3ebc41e11c1c13e312f2ddc5dbf3b2eab07743a65fb40a8519261bdca.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E71F04F-551F-11CF-8152-00AA00A40C25}\TypeLib\ = "{EE008642-64A8-11CE-920F-08002B369A33}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B39DFBD-3647-11CF-814A-00AA00A40C25}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B39DFBC-3647-11CF-814A-00AA00A40C25}\ = "rdoEnvironmentEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E71F053-551F-11CF-8152-00AA00A40C25}\TypeLib\ = "{EE008642-64A8-11CE-920F-08002B369A33}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EBB68F5-3BF1-11CF-814C-00AA00A40C25}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EBB68F5-3BF1-11CF-814C-00AA00A40C25}\Version\ = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E71F04E-551F-11CF-8152-00AA00A40C25}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E71F050-551F-11CF-8152-00AA00A40C25}\ = "rdoPreparedStatement"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E791964C-208A-11CF-8146-00AA00A40C25}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5D545B93-97CA-11CF-8171-00AA00A40C25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E71F051-551F-11CF-8152-00AA00A40C25}\TypeLib\ = "{EE008642-64A8-11CE-920F-08002B369A33}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E71F04B-551F-11CF-8152-00AA00A40C25}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B39DFBD-3647-11CF-814A-00AA00A40C25}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B541C03D-63BC-11CE-920C-08002B369A33}\TypeLib\ = "{EE008642-64A8-11CE-920F-08002B369A33}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E71F050-551F-11CF-8152-00AA00A40C25}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E71F052-551F-11CF-8152-00AA00A40C25}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E71F052-551F-11CF-8152-00AA00A40C25}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E746492-6ED1-11CE-9223-08002B369A33}\TypeLib\ = "{EE008642-64A8-11CE-920F-08002B369A33}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B39DFC0-3647-11CF-814A-00AA00A40C25}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E746494-6ED1-11CE-9223-08002B369A33}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E71F04D-551F-11CF-8152-00AA00A40C25}\ = "_rdoConnection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B541C03D-63BC-11CE-920C-08002B369A33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E791964C-208A-11CF-8146-00AA00A40C25}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a430ece3ebc41e11c1c13e312f2ddc5dbf3b2eab07743a65fb40a8519261bdca.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E71F04B-551F-11CF-8152-00AA00A40C25}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E71F04B-551F-11CF-8152-00AA00A40C25}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A8831F1-A263-11D1-8DCF-00A0C90FFFC2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EBB68F5-3BF1-11CF-814C-00AA00A40C25}\ProgID\ = "MicrosoftRDO.RdoQuery2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E746492-6ED1-11CE-9223-08002B369A33}\TypeLib\ = "{EE008642-64A8-11CE-920F-08002B369A33}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E746494-6ED1-11CE-9223-08002B369A33}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E746495-6ED1-11CE-9223-08002B369A33}\TypeLib\ = "{EE008642-64A8-11CE-920F-08002B369A33}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E7464A0-6ED1-11CE-9223-08002B369A33}\ = "rdoErrors"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EE008643-64A8-11CE-920F-08002B369A33}\TypeLib\Version = "2.0"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 3528	3664	regsvr32.exe	80
PID 3664 wrote to memory of 3528	3664	regsvr32.exe	80
PID 3664 wrote to memory of 3528	3664	regsvr32.exe	80

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a430ece3ebc41e11c1c13e312f2ddc5dbf3b2eab07743a65fb40a8519261bdca.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\a430ece3ebc41e11c1c13e312f2ddc5dbf3b2eab07743a65fb40a8519261bdca.dll
  2⤵
  - Modifies registry class
  PID:3528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3528-132-0x0000000000000000-mapping.dmp

Download
memory/3528-133-0x0000000000BD0000-0x0000000000BDF000-memory.dmp

Filesize
60KB

Download
memory/3528-134-0x0000000002580000-0x000000000258F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads