c4c4fba41bf72f22a4f962da56911cbae5528f04dc87e2e1909e388d09c9ec17

Analysis

max time kernel
184s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 13:28

Target

c4c4fba41bf72f22a4f962da56911cbae5528f04dc87e2e1909e388d09c9ec17.dll
Size

1.0MB
MD5

051aa637ec7db347c25d543c6608a93f
SHA1

a380565315d848acb41ad8c078f3f0fbc24404f5
SHA256

c4c4fba41bf72f22a4f962da56911cbae5528f04dc87e2e1909e388d09c9ec17
SHA512

3b50e88e5a482a43b78aafc2af5d3d0dbb1c85d1e174a423601c93e85c293b2ac8e66198ddf4077757b4ac4adc9e715d8511288146645e824a407c2db08452d2
SSDEEP

24576:jNHDssXka/yPQPYlYfeZebgKEIeqmvfdkv:xXk+CekKbeqSFq

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
1780	regsvr32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x000300000002280e-135.dat	upx
behavioral2/files/0x000300000002280e-136.dat	upx
behavioral2/memory/1780-137-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4308	1780	WerFault.exe	84
2800	1780	WerFault.exe	84

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c0164c20-33c8-4f60-bfd1-557e08a93f58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c0164c20-33c8-4f60-bfd1-557e08a93f58}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec48db94-98df-4c2f-932f-bbc28af0a316}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec48db94-98df-4c2f-932f-bbc28af0a316}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c4c4fba41bf72f22a4f962da56911cbae5528f04dc87e2e1909e388d09c9ec17.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c0164c20-33c8-4f60-bfd1-557e08a93f58}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c0164c20-33c8-4f60-bfd1-557e08a93f58}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c4c4fba41bf72f22a4f962da56911cbae5528f04dc87e2e1909e388d09c9ec17.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec48db94-98df-4c2f-932f-bbc28af0a316}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec48db94-98df-4c2f-932f-bbc28af0a316}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1740	1660	regsvr32.exe	83
PID 1660 wrote to memory of 1740	1660	regsvr32.exe	83
PID 1660 wrote to memory of 1740	1660	regsvr32.exe	83
PID 1740 wrote to memory of 1780	1740	regsvr32.exe	84
PID 1740 wrote to memory of 1780	1740	regsvr32.exe	84
PID 1740 wrote to memory of 1780	1740	regsvr32.exe	84
PID 1780 wrote to memory of 4308	1780	regsvr32mgr.exe	87
PID 1780 wrote to memory of 4308	1780	regsvr32mgr.exe	87
PID 1780 wrote to memory of 4308	1780	regsvr32mgr.exe	87

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c4c4fba41bf72f22a4f962da56911cbae5528f04dc87e2e1909e388d09c9ec17.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\c4c4fba41bf72f22a4f962da56911cbae5528f04dc87e2e1909e388d09c9ec17.dll
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 264
      4⤵
      Program crash
      PID:4308
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 264
      4⤵
      Program crash
      PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1780 -ip 1780
1⤵
PID:112

C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
105KB

MD5
48327ee6dec8ae239eff2ffb30403028

SHA1
45e4e5014944e1229c49f9e7ad4d0925d93a55bb

SHA256
aa3d7c9d4576ca5b9848306ec5f1e3331d1227c9d1e20d2ea80ba611084bad6a

SHA512
1c20199e6726237c47f9bd958e9a135778280a8c0e0a86f8bed05f98d199e1502bb54605b036c6a2a54fbc5c48407afaab1e08730e84f1a18d56f5ad3cb89316

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
105KB

MD5
48327ee6dec8ae239eff2ffb30403028

SHA1
45e4e5014944e1229c49f9e7ad4d0925d93a55bb

SHA256
aa3d7c9d4576ca5b9848306ec5f1e3331d1227c9d1e20d2ea80ba611084bad6a

SHA512
1c20199e6726237c47f9bd958e9a135778280a8c0e0a86f8bed05f98d199e1502bb54605b036c6a2a54fbc5c48407afaab1e08730e84f1a18d56f5ad3cb89316

Download Submit
memory/1740-133-0x000000004DFD0000-0x000000004E0DC000-memory.dmp

Filesize
1.0MB

Download
memory/1780-137-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download