8c6d7c066bdf1d8ff19e400f964e5c15c038946c2aea7ef71497d9b51dcd95e7

Analysis

max time kernel
91s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c6d7c066bdf1d8ff19e400f964e5c15c038946c2aea7ef71497d9b51dcd95e7.exe
Size

207KB
MD5

ef9d46ef8fe539496fb3e36ba433c4b6
SHA1

b11fda454850b61b26cdf43a13aa918b6a0705cb
SHA256

8c6d7c066bdf1d8ff19e400f964e5c15c038946c2aea7ef71497d9b51dcd95e7
SHA512

30ec772af730e5d442babad4a8c3fe548e3cfca54a3f6c66578b6cdb58d259e1c37a11c409ad088c380f40b2bd860d4a2036fea647b83368a6d73d76a91316d4
SSDEEP

3072:b68fHxbv8rgUlLwTJpCHaIk/3NMHgtNPT+TJrFc1EVhow5L9C0bVV8sk:b68fRAEUlLwTqHYfNMHqPgJjNL9Cg8x

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4896	regsvr32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mifi.dat	8c6d7c066bdf1d8ff19e400f964e5c15c038946c2aea7ef71497d9b51dcd95e7.exe
File opened for modification	C:\Windows\SysWOW64\mifi.dat	8c6d7c066bdf1d8ff19e400f964e5c15c038946c2aea7ef71497d9b51dcd95e7.exe
File created	C:\Windows\SysWOW64\mifi.dll	8c6d7c066bdf1d8ff19e400f964e5c15c038946c2aea7ef71497d9b51dcd95e7.exe
File opened for modification	C:\Windows\SysWOW64\mifi.dll	8c6d7c066bdf1d8ff19e400f964e5c15c038946c2aea7ef71497d9b51dcd95e7.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9B1327A-4616-434C-AF46-C2315539C19C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9B1327A-4616-434C-AF46-C2315539C19C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\test_mime_filter.HTMLMimeFilter\ = "HTMLMimeFilter Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{422145BF-986B-4D14-BD6A-30A5BABCAC90}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\CLSID = "{A8981DB9-B2B3-47D7-A890-9C9D9F4C5552}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9B1327A-4616-434C-AF46-C2315539C19C}\ = "IHTMLMimeFilter"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9B1327A-4616-434C-AF46-C2315539C19C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8981DB9-B2B3-47D7-A890-9C9D9F4C5552}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8981DB9-B2B3-47D7-A890-9C9D9F4C5552}\TypeLib\ = "{422145BF-986B-4D14-BD6A-30A5BABCAC90}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8981DB9-B2B3-47D7-A890-9C9D9F4C5552}\ = "HTMLMimeFilter Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{422145BF-986B-4D14-BD6A-30A5BABCAC90}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9B1327A-4616-434C-AF46-C2315539C19C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9B1327A-4616-434C-AF46-C2315539C19C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D52F9703-53EE-4794-AF7B-1577257BB31B}\TypeLib\ = "{422145BF-986B-4D14-BD6A-30A5BABCAC90}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D52F9703-53EE-4794-AF7B-1577257BB31B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\test_mime_filter.HTMLMimeFilter.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{422145BF-986B-4D14-BD6A-30A5BABCAC90}\1.0\HELPDIR\ = "C:\\Windows\\system32"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8981DB9-B2B3-47D7-A890-9C9D9F4C5552}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8981DB9-B2B3-47D7-A890-9C9D9F4C5552}\InprocServer32\ = "C:\\Windows\\SysWow64\\mifi.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{422145BF-986B-4D14-BD6A-30A5BABCAC90}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{422145BF-986B-4D14-BD6A-30A5BABCAC90}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\test_mime_filter.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\test_mime_filter.HTMLMimeFilter.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\ = "HTML MIME Filter Sample"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9B1327A-4616-434C-AF46-C2315539C19C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D52F9703-53EE-4794-AF7B-1577257BB31B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6F95C6A3-FBE0-4295-B0AB-771F9396D09F}\ = "test_mime_filter"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8981DB9-B2B3-47D7-A890-9C9D9F4C5552}\ProgID\ = "test_mime_filter.HTMLMimeFilter.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8981DB9-B2B3-47D7-A890-9C9D9F4C5552}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9B1327A-4616-434C-AF46-C2315539C19C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9B1327A-4616-434C-AF46-C2315539C19C}\ = "IHTMLMimeFilter"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9B1327A-4616-434C-AF46-C2315539C19C}\TypeLib\ = "{422145BF-986B-4D14-BD6A-30A5BABCAC90}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D52F9703-53EE-4794-AF7B-1577257BB31B}\ = "IHistoryLogger"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D52F9703-53EE-4794-AF7B-1577257BB31B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\test_mime_filter.DLL\AppID = "{6F95C6A3-FBE0-4295-B0AB-771F9396D09F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\test_mime_filter.HTMLMimeFilter	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8981DB9-B2B3-47D7-A890-9C9D9F4C5552}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{422145BF-986B-4D14-BD6A-30A5BABCAC90}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9B1327A-4616-434C-AF46-C2315539C19C}\TypeLib\ = "{422145BF-986B-4D14-BD6A-30A5BABCAC90}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D52F9703-53EE-4794-AF7B-1577257BB31B}\ = "IHistoryLogger"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D52F9703-53EE-4794-AF7B-1577257BB31B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8981DB9-B2B3-47D7-A890-9C9D9F4C5552}\VersionIndependentProgID\ = "test_mime_filter.HTMLMimeFilter"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8981DB9-B2B3-47D7-A890-9C9D9F4C5552}\AppID = "{6F95C6A3-FBE0-4295-B0AB-771F9396D09F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9B1327A-4616-434C-AF46-C2315539C19C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D52F9703-53EE-4794-AF7B-1577257BB31B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\test_mime_filter.HTMLMimeFilter.1\CLSID\ = "{A8981DB9-B2B3-47D7-A890-9C9D9F4C5552}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\test_mime_filter.HTMLMimeFilter\CLSID\ = "{A8981DB9-B2B3-47D7-A890-9C9D9F4C5552}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D52F9703-53EE-4794-AF7B-1577257BB31B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D52F9703-53EE-4794-AF7B-1577257BB31B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D52F9703-53EE-4794-AF7B-1577257BB31B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D52F9703-53EE-4794-AF7B-1577257BB31B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8981DB9-B2B3-47D7-A890-9C9D9F4C5552}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{422145BF-986B-4D14-BD6A-30A5BABCAC90}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D52F9703-53EE-4794-AF7B-1577257BB31B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8981DB9-B2B3-47D7-A890-9C9D9F4C5552}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{422145BF-986B-4D14-BD6A-30A5BABCAC90}\1.0\ = "test_mime_filter 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\test_mime_filter.HTMLMimeFilter\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{422145BF-986B-4D14-BD6A-30A5BABCAC90}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\test_mime_filter.HTMLMimeFilter\CurVer\ = "test_mime_filter.HTMLMimeFilter.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8981DB9-B2B3-47D7-A890-9C9D9F4C5552}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{422145BF-986B-4D14-BD6A-30A5BABCAC90}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\mifi.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9B1327A-4616-434C-AF46-C2315539C19C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D52F9703-53EE-4794-AF7B-1577257BB31B}\TypeLib\ = "{422145BF-986B-4D14-BD6A-30A5BABCAC90}"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 4896	4956	8c6d7c066bdf1d8ff19e400f964e5c15c038946c2aea7ef71497d9b51dcd95e7.exe	80
PID 4956 wrote to memory of 4896	4956	8c6d7c066bdf1d8ff19e400f964e5c15c038946c2aea7ef71497d9b51dcd95e7.exe	80
PID 4956 wrote to memory of 4896	4956	8c6d7c066bdf1d8ff19e400f964e5c15c038946c2aea7ef71497d9b51dcd95e7.exe	80

C:\Users\Admin\AppData\Local\Temp\8c6d7c066bdf1d8ff19e400f964e5c15c038946c2aea7ef71497d9b51dcd95e7.exe
"C:\Users\Admin\AppData\Local\Temp\8c6d7c066bdf1d8ff19e400f964e5c15c038946c2aea7ef71497d9b51dcd95e7.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\system32\mifi.dll
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:4896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mifi.dll

Filesize
181KB

MD5
e5b5c3190bc91359bd1df1670a306786

SHA1
e1d0da406c974908e5caff6c55976e0ec61f82f7

SHA256
c09264147808d83ac8cc4437dec90e3f19a933169d0c0ae66dbd6cbde6596bd5

SHA512
7fa8e166ee6b7e89b42c0a661a4b4859e38c7ed5beeebef24d748c9e8a9dc01c6ddd73ed93fc20ea2ecde46ec557812866d4e68194040d19fbf1c6fc866b723a

Download Submit
C:\Windows\SysWOW64\mifi.dll

Filesize
181KB

MD5
e5b5c3190bc91359bd1df1670a306786

SHA1
e1d0da406c974908e5caff6c55976e0ec61f82f7

SHA256
c09264147808d83ac8cc4437dec90e3f19a933169d0c0ae66dbd6cbde6596bd5

SHA512
7fa8e166ee6b7e89b42c0a661a4b4859e38c7ed5beeebef24d748c9e8a9dc01c6ddd73ed93fc20ea2ecde46ec557812866d4e68194040d19fbf1c6fc866b723a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads