96cf4617ebe56009990b1854a8f00ac0d0cc50c061dc9c7db8f82e78c6f2bba5

Analysis

max time kernel
111s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96cf4617ebe56009990b1854a8f00ac0d0cc50c061dc9c7db8f82e78c6f2bba5.dll
Size

317KB
MD5

0624dc84c648b9955e5c1ce8f6df6e60
SHA1

ea794c479a8f76c2a25722df5b99d5730ce6086d
SHA256

96cf4617ebe56009990b1854a8f00ac0d0cc50c061dc9c7db8f82e78c6f2bba5
SHA512

6ef47bef5949947081fef6d94a716e42b9d6b256ac4dfae58acc92b13b196b539b03c5099a17b9e8d24bbf06a0e95e95fc8b03e27b7f58b19f705eabbebb798c
SSDEEP

6144:OH16HBsKoHmQcFXe2z6KrAntmRC8IMG5/IMG5/I4:OVIhGhck2of8IMG5/IMG5/I4

Score

1^/10

Malware Config

Signatures

Modifies registry class 17 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OutlookMC_hxwbgw.comaddin\CLSID\ = "{BDEF86D0-ACC5-8A6E-5A3A-071C0F0E08E5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDEF86D0-ACC5-8A6E-5A3A-071C0F0E08E5}\ProgID\ = "OutlookMC_hxwbgw.comaddin.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDEF86D0-ACC5-8A6E-5A3A-071C0F0E08E5}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OutlookMC_hxwbgw.comaddin.1\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OutlookMC_hxwbgw.comaddin\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OutlookMC_hxwbgw.comaddin\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDEF86D0-ACC5-8A6E-5A3A-071C0F0E08E5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDEF86D0-ACC5-8A6E-5A3A-071C0F0E08E5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\96cf4617ebe56009990b1854a8f00ac0d0cc50c061dc9c7db8f82e78c6f2bba5.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OutlookMC_hxwbgw.comaddin.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OutlookMC_hxwbgw.comaddin.1\CLSID\ = "{BDEF86D0-ACC5-8A6E-5A3A-071C0F0E08E5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OutlookMC_hxwbgw.comaddin.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDEF86D0-ACC5-8A6E-5A3A-071C0F0E08E5}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDEF86D0-ACC5-8A6E-5A3A-071C0F0E08E5}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDEF86D0-ACC5-8A6E-5A3A-071C0F0E08E5}\VersionIndependentProgID\ = "OutlookMC_hxwbgw.comaddin"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDEF86D0-ACC5-8A6E-5A3A-071C0F0E08E5}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OutlookMC_hxwbgw.comaddin	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDEF86D0-ACC5-8A6E-5A3A-071C0F0E08E5}\	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 4396	4872	regsvr32.exe	80
PID 4872 wrote to memory of 4396	4872	regsvr32.exe	80
PID 4872 wrote to memory of 4396	4872	regsvr32.exe	80

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\96cf4617ebe56009990b1854a8f00ac0d0cc50c061dc9c7db8f82e78c6f2bba5.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\96cf4617ebe56009990b1854a8f00ac0d0cc50c061dc9c7db8f82e78c6f2bba5.dll
  2⤵
  - Modifies registry class
  PID:4396

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads