Analysis
-
max time kernel
31s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
23-02-2023 18:35
Behavioral task
behavioral1
Sample
137fbf9a756a5aed79ce3ce12cb6a1dc0c2a816aea603001caa785ec2d7f27e5.dll
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
137fbf9a756a5aed79ce3ce12cb6a1dc0c2a816aea603001caa785ec2d7f27e5.dll
Resource
win10v2004-20230220-en
General
-
Target
137fbf9a756a5aed79ce3ce12cb6a1dc0c2a816aea603001caa785ec2d7f27e5.dll
-
Size
335KB
-
MD5
073c88fc83fb839390024b503aeb3b1a
-
SHA1
ad787762bf7269f2834a4a105535670e250faaca
-
SHA256
137fbf9a756a5aed79ce3ce12cb6a1dc0c2a816aea603001caa785ec2d7f27e5
-
SHA512
e340d1ddf5a0b425939a421e4df9fbb11392fe753cd73db3d86ee942cfb1d983d76585081d37a5ff381119d3af6d1874d0b4be3c5dd9012758b08f6fbcbf4ae6
-
SSDEEP
6144:0ZIoqM51MhP/OU6oduEhNHWXv5n2zjM2tjjorzz3I5vkKCrzltibzNWXv8N54P:AIoihPmYduEhNH+5ewCjoc5vkKqazkXB
Malware Config
Signatures
-
Modifies registry class 49 IoCs
Processes:
regsvr32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{855FEC66-86C9-4D59-AE5E-2A9947D54BFF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{855FEC66-86C9-4D59-AE5E-2A9947D54BFF}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D354B495-374E-40B4-84D9-C53C1143348C}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{855FEC66-86C9-4D59-AE5E-2A9947D54BFF} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{855FEC66-86C9-4D59-AE5E-2A9947D54BFF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{855FEC66-86C9-4D59-AE5E-2A9947D54BFF}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{855FEC66-86C9-4D59-AE5E-2A9947D54BFF}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{855FEC66-86C9-4D59-AE5E-2A9947D54BFF}\ = "IflAdvServs" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F}\ProgID\ = "flAdvServer.flAdvServs" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F}\Implemented Categories regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F}\AppID = "{D76E4956-A4E9-479F-A4FB-60C9F88B204F}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{855FEC66-86C9-4D59-AE5E-2A9947D54BFF} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F}\Web = "1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F}\ = "flAdvServs Object" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D354B495-374E-40B4-84D9-C53C1143348C}\1.0\ = "flAdvServer Library" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D354B495-374E-40B4-84D9-C53C1143348C}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D354B495-374E-40B4-84D9-C53C1143348C}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{855FEC66-86C9-4D59-AE5E-2A9947D54BFF}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{855FEC66-86C9-4D59-AE5E-2A9947D54BFF}\TypeLib\ = "{D354B495-374E-40B4-84D9-C53C1143348C}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{13E85B3C-9508-11D2-AB63-00C04FA35CFA} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F}\Implemented Categories\{13E85B3C-9508-11D2-AB63-00C04FA35CFA} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F}\Sockets = "1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D354B495-374E-40B4-84D9-C53C1143348C}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{855FEC66-86C9-4D59-AE5E-2A9947D54BFF}\ = "IflAdvServs" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\flAdvServer.flAdvServs regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\flAdvServer.flAdvServs\Clsid regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F}\Version regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{13E85B3C-9508-11D2-AB63-00C04FA35CFA}\409 = "Borland MIDAS Application Servers" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D354B495-374E-40B4-84D9-C53C1143348C}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D354B495-374E-40B4-84D9-C53C1143348C}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\137fbf9a756a5aed79ce3ce12cb6a1dc0c2a816aea603001caa785ec2d7f27e5.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{855FEC66-86C9-4D59-AE5E-2A9947D54BFF}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\flAdvServer.flAdvServs\ = "flAdvServs Object" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D354B495-374E-40B4-84D9-C53C1143348C} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{855FEC66-86C9-4D59-AE5E-2A9947D54BFF}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{855FEC66-86C9-4D59-AE5E-2A9947D54BFF}\TypeLib\ = "{D354B495-374E-40B4-84D9-C53C1143348C}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D354B495-374E-40B4-84D9-C53C1143348C}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\flAdvServer.flAdvServs\Clsid\ = "{D76E4956-A4E9-479F-A4FB-60C9F88B204F}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F}\TypeLib\ = "{D354B495-374E-40B4-84D9-C53C1143348C}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D354B495-374E-40B4-84D9-C53C1143348C}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F}\ = "flAdvServs Object" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\137fbf9a756a5aed79ce3ce12cb6a1dc0c2a816aea603001caa785ec2d7f27e5.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D76E4956-A4E9-479F-A4FB-60C9F88B204F}\Version\ = "1.0" regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
regsvr32.exedescription pid process target process PID 912 wrote to memory of 1496 912 regsvr32.exe regsvr32.exe PID 912 wrote to memory of 1496 912 regsvr32.exe regsvr32.exe PID 912 wrote to memory of 1496 912 regsvr32.exe regsvr32.exe PID 912 wrote to memory of 1496 912 regsvr32.exe regsvr32.exe PID 912 wrote to memory of 1496 912 regsvr32.exe regsvr32.exe PID 912 wrote to memory of 1496 912 regsvr32.exe regsvr32.exe PID 912 wrote to memory of 1496 912 regsvr32.exe regsvr32.exe
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\137fbf9a756a5aed79ce3ce12cb6a1dc0c2a816aea603001caa785ec2d7f27e5.dll1⤵
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\137fbf9a756a5aed79ce3ce12cb6a1dc0c2a816aea603001caa785ec2d7f27e5.dll2⤵
- Modifies registry class
PID:1496
-