c5c81d1d508b9aaa16867bd48c1ed280aefb54781ba86ba4f8c3d333eaa0fff0

General

Target

c5c81d1d508b9aaa16867bd48c1ed280aefb54781ba86ba4f8c3d333eaa0fff0.dll
Size

413KB
MD5

ba46df9d3f7e28d6a51d55336a5e4650
SHA1

3c0d25bb5cf9dcbe8a1c099f30e09cb47fa7c77b
SHA256

c5c81d1d508b9aaa16867bd48c1ed280aefb54781ba86ba4f8c3d333eaa0fff0
SHA512

02bd4faf23058b60dc3ca65f1fb6343f770a443121baee0304d058bcc2d8d9aa34a1ca26dc93a5c80e0d9132de673cf3c50106196bf2f9584d2f5ea01ca3faf2
SSDEEP

12288:3wYi5jnVFirc4dMix7yK2hkX/KhvNnKrqzk+:3wYiDhC

Score

1^/10

Malware Config

Signatures

Modifies registry class 44 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{26971F60-E781-41FA-B587-63BC84E5125A}\1.0\ = "APS"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{26971F60-E781-41FA-B587-63BC84E5125A}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EAD174F-3537-478B-8DE2-94DE58691B3E}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EAD174F-3537-478B-8DE2-94DE58691B3E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c5c81d1d508b9aaa16867bd48c1ed280aefb54781ba86ba4f8c3d333eaa0fff0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8279CEF9-3C00-4B60-A565-81E289B66415}\ = "APSCLS"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8279CEF9-3C00-4B60-A565-81E289B66415}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{26971F60-E781-41FA-B587-63BC84E5125A}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8279CEF9-3C00-4B60-A565-81E289B66415}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8279CEF9-3C00-4B60-A565-81E289B66415}\ = "_APSCLS"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8279CEF9-3C00-4B60-A565-81E289B66415}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8279CEF9-3C00-4B60-A565-81E289B66415}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EAD174F-3537-478B-8DE2-94DE58691B3E}\VERSION	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8279CEF9-3C00-4B60-A565-81E289B66415}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EAD174F-3537-478B-8DE2-94DE58691B3E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EAD174F-3537-478B-8DE2-94DE58691B3E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\APS.APSCLS\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{26971F60-E781-41FA-B587-63BC84E5125A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{26971F60-E781-41FA-B587-63BC84E5125A}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{26971F60-E781-41FA-B587-63BC84E5125A}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c5c81d1d508b9aaa16867bd48c1ed280aefb54781ba86ba4f8c3d333eaa0fff0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8279CEF9-3C00-4B60-A565-81E289B66415}\ = "_APSCLS"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EAD174F-3537-478B-8DE2-94DE58691B3E}\VERSION\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EAD174F-3537-478B-8DE2-94DE58691B3E}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8279CEF9-3C00-4B60-A565-81E289B66415}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8279CEF9-3C00-4B60-A565-81E289B66415}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\APS.APSCLS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8279CEF9-3C00-4B60-A565-81E289B66415}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{26971F60-E781-41FA-B587-63BC84E5125A}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{26971F60-E781-41FA-B587-63BC84E5125A}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{26971F60-E781-41FA-B587-63BC84E5125A}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8279CEF9-3C00-4B60-A565-81E289B66415}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EAD174F-3537-478B-8DE2-94DE58691B3E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EAD174F-3537-478B-8DE2-94DE58691B3E}\ProgID\ = "APS.APSCLS"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EAD174F-3537-478B-8DE2-94DE58691B3E}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{26971F60-E781-41FA-B587-63BC84E5125A}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8279CEF9-3C00-4B60-A565-81E289B66415}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8279CEF9-3C00-4B60-A565-81E289B66415}\TypeLib\ = "{26971F60-E781-41FA-B587-63BC84E5125A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EAD174F-3537-478B-8DE2-94DE58691B3E}\ = "APS.APSCLS"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\APS.APSCLS\Clsid\ = "{9EAD174F-3537-478B-8DE2-94DE58691B3E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EAD174F-3537-478B-8DE2-94DE58691B3E}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8279CEF9-3C00-4B60-A565-81E289B66415}\TypeLib\ = "{26971F60-E781-41FA-B587-63BC84E5125A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8279CEF9-3C00-4B60-A565-81E289B66415}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8279CEF9-3C00-4B60-A565-81E289B66415}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EAD174F-3537-478B-8DE2-94DE58691B3E}\TypeLib\ = "{26971F60-E781-41FA-B587-63BC84E5125A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\APS.APSCLS\ = "APS.APSCLS"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 912 wrote to memory of 1600	912	regsvr32.exe	regsvr32.exe
PID 912 wrote to memory of 1600	912	regsvr32.exe	regsvr32.exe
PID 912 wrote to memory of 1600	912	regsvr32.exe	regsvr32.exe
PID 912 wrote to memory of 1600	912	regsvr32.exe	regsvr32.exe
PID 912 wrote to memory of 1600	912	regsvr32.exe	regsvr32.exe
PID 912 wrote to memory of 1600	912	regsvr32.exe	regsvr32.exe
PID 912 wrote to memory of 1600	912	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c5c81d1d508b9aaa16867bd48c1ed280aefb54781ba86ba4f8c3d333eaa0fff0.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\c5c81d1d508b9aaa16867bd48c1ed280aefb54781ba86ba4f8c3d333eaa0fff0.dll
2⤵
- Modifies registry class
PID:1600

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/912-54-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

Filesize
8KB

Download
memory/1600-55-0x0000000000000000-mapping.dmp

Download
memory/1600-56-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1600-57-0x0000000011000000-0x000000001106E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads