455b849e58e40925155486095dead200fa0dd1d547c72aa8ef72a687c72cd10e

Analysis

max time kernel
158s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 12:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

455b849e58e40925155486095dead200fa0dd1d547c72aa8ef72a687c72cd10e.dll
Size

320KB
MD5

67793dc2f3b3f9ea10fbf8be9ce94cd0
SHA1

313a46dd99d92dd12c2085f8558045e5e8761108
SHA256

455b849e58e40925155486095dead200fa0dd1d547c72aa8ef72a687c72cd10e
SHA512

187359fcc947e25ff900afa3c3e3b4fe28601f83209f2829a1877acc873018f0fc785c07ea6b9f9883c8b2139f045a403057a7811c5a7329f8195dd14954d843
SSDEEP

6144:+0Re0RcKwQM20gCnnhJPjTzAgMH6q0w9rKcb:+EfcKw32CnhBjrMr08e

Score

1^/10

Malware Config

Signatures

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\455b849e58e40925155486095dead200fa0dd1d547c72aa8ef72a687c72cd10e.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper.1\ = "CloneViewHelper Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\ProgID\ = "IgfxTMM.CloneViewHelper.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\TypeLib\ = "{45898183-0656-40E8-8116-81617964B4E8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0\ = "CloneHelper 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper\ = "CloneViewHelper Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\VersionIndependentProgID\ = "IgfxTMM.CloneViewHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper.1\CLSID\ = "{FC03875E-6012-4349-B5C5-C42E9FE26AD2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\455b849e58e40925155486095dead200fa0dd1d547c72aa8ef72a687c72cd10e.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper\CurVer\ = "IgfxTMM.CloneViewHelper.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}\ = "CloneViewHelper Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9F7668BC-E163-414C-92C6-01228863FF5A}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IgfxTMM.CloneViewHelper\CLSID\ = "{FC03875E-6012-4349-B5C5-C42E9FE26AD2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FC03875E-6012-4349-B5C5-C42E9FE26AD2}	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 4140	5116	regsvr32.exe	79
PID 5116 wrote to memory of 4140	5116	regsvr32.exe	79
PID 5116 wrote to memory of 4140	5116	regsvr32.exe	79

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\455b849e58e40925155486095dead200fa0dd1d547c72aa8ef72a687c72cd10e.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\455b849e58e40925155486095dead200fa0dd1d547c72aa8ef72a687c72cd10e.dll
  2⤵
  - Modifies registry class
  PID:4140

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4140-133-0x00000000008E0000-0x00000000008ED000-memory.dmp

Filesize
52KB

Download
memory/4140-134-0x0000000000940000-0x000000000094D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads