9ace567fe96aa83582487dea1b6b8f1c64d3f2c6fe5b5d2b3e57414d92a1f0d6

Analysis

max time kernel
30s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30/01/2023, 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ace567fe96aa83582487dea1b6b8f1c64d3f2c6fe5b5d2b3e57414d92a1f0d6.exe
Size

4.1MB
MD5

b21b3c712c1253c5050d37e91ff03301
SHA1

7cf206528b9a7fe011340439d0b1b4f7ec765082
SHA256

9ace567fe96aa83582487dea1b6b8f1c64d3f2c6fe5b5d2b3e57414d92a1f0d6
SHA512

2a3a8bfefd016172ada34003c7656e7c913667765984f4bdeb9b2cd25dad1006b433abe84685fe2419878f161f6528af709279d894b1f4a4d714e1903e4d2bc3
SSDEEP

98304:N2U2ziq+t45/7Mhs4b54pz+7539oN9s0j76AmfhI4jPD9jtpx:NKt5/7Mhs4b54pz+753I9sA6AW7D9jt/

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\qq405168520.dll	9ace567fe96aa83582487dea1b6b8f1c64d3f2c6fe5b5d2b3e57414d92a1f0d6.exe

Modifies registry class 50 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\ProgID\ = "EyLogin.EyLoginSoft.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\InprocServer32\ = "C:\\Windows\\qq405168520.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\ = "IEyLoginSoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\EyLogin.DLL\AppID = "{C9B61D58-7E6F-421B-8BB1-4A0788556660}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\ = "EyLoginSoft Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}\1.0\0\win32\ = "C:\\Windows\\qq405168520.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\TypeLib\ = "{F8560BB6-C0D0-415B-B950-99F35E2F5385}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CurVer\ = "EyLogin.EyLoginSoft.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\VersionIndependentProgID\ = "EyLogin.EyLoginSoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}\1.0\HELPDIR\ = "C:\\Windows"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C9B61D58-7E6F-421B-8BB1-4A0788556660}\ = "EyLogin"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\EyLogin.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft.1\ = "EyLoginSoft Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C9B61D58-7E6F-421B-8BB1-4A0788556660}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft.1\CLSID\ = "{3674FE01-AB81-4659-AFA0-1245D0E1531B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\ = "IEyLoginSoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\ = "EyLoginSoft Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EyLogin.EyLoginSoft\CLSID\ = "{3674FE01-AB81-4659-AFA0-1245D0E1531B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\TypeLib\ = "{F8560BB6-C0D0-415B-B950-99F35E2F5385}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}\1.0\ = "EyLogin 1.0 ÀàÐÍ¿â"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\TypeLib\ = "{F8560BB6-C0D0-415B-B950-99F35E2F5385}"	regsvr32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1988	9ace567fe96aa83582487dea1b6b8f1c64d3f2c6fe5b5d2b3e57414d92a1f0d6.exe
1988	9ace567fe96aa83582487dea1b6b8f1c64d3f2c6fe5b5d2b3e57414d92a1f0d6.exe
1988	9ace567fe96aa83582487dea1b6b8f1c64d3f2c6fe5b5d2b3e57414d92a1f0d6.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1708	1988	9ace567fe96aa83582487dea1b6b8f1c64d3f2c6fe5b5d2b3e57414d92a1f0d6.exe	28
PID 1988 wrote to memory of 1708	1988	9ace567fe96aa83582487dea1b6b8f1c64d3f2c6fe5b5d2b3e57414d92a1f0d6.exe	28
PID 1988 wrote to memory of 1708	1988	9ace567fe96aa83582487dea1b6b8f1c64d3f2c6fe5b5d2b3e57414d92a1f0d6.exe	28
PID 1988 wrote to memory of 1708	1988	9ace567fe96aa83582487dea1b6b8f1c64d3f2c6fe5b5d2b3e57414d92a1f0d6.exe	28
PID 1988 wrote to memory of 1708	1988	9ace567fe96aa83582487dea1b6b8f1c64d3f2c6fe5b5d2b3e57414d92a1f0d6.exe	28
PID 1988 wrote to memory of 1708	1988	9ace567fe96aa83582487dea1b6b8f1c64d3f2c6fe5b5d2b3e57414d92a1f0d6.exe	28
PID 1988 wrote to memory of 1708	1988	9ace567fe96aa83582487dea1b6b8f1c64d3f2c6fe5b5d2b3e57414d92a1f0d6.exe	28

C:\Users\Admin\AppData\Local\Temp\9ace567fe96aa83582487dea1b6b8f1c64d3f2c6fe5b5d2b3e57414d92a1f0d6.exe
"C:\Users\Admin\AppData\Local\Temp\9ace567fe96aa83582487dea1b6b8f1c64d3f2c6fe5b5d2b3e57414d92a1f0d6.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Windows\\qq405168520.dll"
  2⤵
  - Modifies registry class
  PID:1708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\qq405168520.dll

Filesize
2.0MB

MD5
2bed81760f576f5710424b608e6f0dce

SHA1
36c8011a43599535133632610a00b4224593ce74

SHA256
a1f9f271c9e7977a62ede38eb9445d453ae7acc65234eddc6b57954bf2478bca

SHA512
c88213726e778e98f7c27cca1e57c2627b8bd1c93ceb1a85317c2078f39bde94b98c7d0dbf5ea3bd425f23d4c396d9a07124e994e24f89a74fdacbe4fde3737e

Download Submit
memory/1708-58-0x0000000073B90000-0x000000007405E000-memory.dmp

Filesize
4.8MB

Download
memory/1708-60-0x0000000073B90000-0x000000007405E000-memory.dmp

Filesize
4.8MB

Download
memory/1988-54-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download
memory/1988-61-0x0000000073E40000-0x000000007430E000-memory.dmp

Filesize
4.8MB

Download
memory/1988-63-0x0000000073E40000-0x000000007430E000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads