fbbad476b311b12103243fbb0bc96e0ae3283dab64a8a84ed9f2778e3ce6a8c6 | Triage

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
09-02-2023 13:51

Sharing

Report Analysis Logs

General

Target

dxr.dll
Size

247KB
MD5

ee393ad971b476c86c696a30bbe0c31a
SHA1

3c26ea4515ad6f30fcb0ea692bdbd950d0b0ae5f
SHA256

1606d32aa812600a3a9837253b091a58b2d4939d6ad406cb0c45e4bee8230460
SHA512

ab6537d12be09caf3365c943e22cbe7e3470a3b536a4b8333d52feb89d7503af804aeddecdaf0ceb2ee685c850241e671576a7c861125ec72e403ca8710da647
SSDEEP

6144:KYCVTJWNPPC/OupE3tQto2YwU5qYyb4ji:KfcPPC2upE3two2Ywp

Score

1^/10

Malware Config

Signatures

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A36C253D-CEE4-4BCA-9CC2-E03CF6BBB054}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E8B4A31-408B-4929-86A4-A9FA9F01BA43}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E8B4A31-408B-4929-86A4-A9FA9F01BA43}\ = "Haali Video Renderer Properties"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E8B4A31-408B-4929-86A4-A9FA9F01BA43}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxr.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A36C253D-CEE4-4BCA-9CC2-E03CF6BBB054}\ = "Haali Video Renderer Image Properties"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxr.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}\ = "Haali Video Renderer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E8B4A31-408B-4929-86A4-A9FA9F01BA43}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A36C253D-CEE4-4BCA-9CC2-E03CF6BBB054}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}\CLSID = "{760A8F35-97E7-479D-AAF5-DA9EFF95D751}"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}\FilterData = 02000000000020000100000000000000307069330000000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b717eeb36e44f52ce119f530020af0ba770	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A36C253D-CEE4-4BCA-9CC2-E03CF6BBB054}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A36C253D-CEE4-4BCA-9CC2-E03CF6BBB054}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxr.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{760A8F35-97E7-479D-AAF5-DA9EFF95D751}\FriendlyName = "Haali Video Renderer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E8B4A31-408B-4929-86A4-A9FA9F01BA43}\InprocServer32	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 4792	3852	regsvr32.exe	80
PID 3852 wrote to memory of 4792	3852	regsvr32.exe	80
PID 3852 wrote to memory of 4792	3852	regsvr32.exe	80

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dxr.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\dxr.dll
  2⤵
  - Modifies registry class
  PID:4792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads