Analysis

max time kernel: 145s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2022, 22:05
Static task: static1

Behavioral task: behavioral1
  Sample: aae47463021454d2959e12aa89b949b4fbe77ef5c6bad92d8ff043f5a87d68bc.dll
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: aae47463021454d2959e12aa89b949b4fbe77ef5c6bad92d8ff043f5a87d68bc.dll
  Resource: win10v2004-20220812-en
General

Target: aae47463021454d2959e12aa89b949b4fbe77ef5c6bad92d8ff043f5a87d68bc.dll
Size: 156KB
MD5: 2a0d8c150f6f0e0f6258f110fd5db34d
SHA1: dde041598d77392892626c9e79ea9191924c26a4
SHA256: aae47463021454d2959e12aa89b949b4fbe77ef5c6bad92d8ff043f5a87d68bc
SHA512: 42d8ee0319e6a885787faac81f61acf4c07db0b174c42ac3a7b062000a2e86c5f790de01a77094438e4c8c9840d91ba830a7f91e6abd9d935c45e182cc45c407
SSDEEP: 3072:XIfi6M+yZ4KBQDw3QBpq3ynj6ARCPBr+MDRpu0gP+rpEhvOIRxAO6:XN6M+yHceQBpq86ARCPJnmr0Ic
Malware Config
Signatures
Modifies registry class (23 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{107A1D63-2EAA-4694-8ABA-EC209C630D83}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\*\shellex | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Spy Protector | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Spy Protector | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{107A1D63-2EAA-4694-8ABA-EC209C630D83}\ = "Spy Protector Context Menu" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{107A1D63-2EAA-4694-8ABA-EC209C630D83}\InprocServer32 | regsvr32.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\*\shellex\ContextMenuHandlers\ | regsvr32.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Directory\shellex\ContextMenuHandlers\ | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\Spy Protector | regsvr32.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\*\shellex\ContextMenuHandlers | regsvr32.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Directory\shellex\ | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers | regsvr32.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Directory\shellex | regsvr32.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Directory\shellex\ContextMenuHandlers | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Spy Protector\ = "{107A1D63-2EAA-4694-8ABA-EC209C630D83}" | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\Spy Protector\ = "{107A1D63-2EAA-4694-8ABA-EC209C630D83}" | regsvr32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{107A1D63-2EAA-4694-8ABA-EC209C630D83} | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{107A1D63-2EAA-4694-8ABA-EC209C630D83}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aae47463021454d2959e12aa89b949b4fbe77ef5c6bad92d8ff043f5a87d68bc.dll" | regsvr32.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\*\shellex\ | regsvr32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Spy Protector\ = "{107A1D63-2EAA-4694-8ABA-EC209C630D83}" | regsvr32.exe |
Suspicious use of WriteProcessMemory (3 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 3400 wrote to memory of 4076 | 3400 | regsvr32.exe | 80 |
| PID 3400 wrote to memory of 4076 | 3400 | regsvr32.exe | 80 |
| PID 3400 wrote to memory of 4076 | 3400 | regsvr32.exe | 80 |
Processes

1. C:\Windows\system32\regsvr32.exe
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\aae47463021454d2959e12aa89b949b4fbe77ef5c6bad92d8ff043f5a87d68bc.dll
   PID: 3400
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\aae47463021454d2959e12aa89b949b4fbe77ef5c6bad92d8ff043f5a87d68bc.dll
      PID: 4076
      Signatures: Modifies registry class