65ad5b0f03640ce491c5b3af9cc6a5c6d2bd9096e70cb08cb6945959bb0a38af

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18/04/2023, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65ad5b0f03640ce491c5b3af9cc6a5c6d2bd9096e70cb08cb6945959bb0a38af.dll
Size

128KB
MD5

b194c6d0e9e1fd05e5683ea9fb24a8db
SHA1

394d24a4f26993a56dcfa72ec9bb3f5eab49ea04
SHA256

65ad5b0f03640ce491c5b3af9cc6a5c6d2bd9096e70cb08cb6945959bb0a38af
SHA512

4f2cccec2e8d34838b09a4966d0d0bd6a5955e91b5e43f3a9610406b720a156da0855768df85cdfb826680528197729e82fee71b9c13cc2cac7a509c8d6619e7
SSDEEP

1536:d0lZBnSqHqzvHSH/mA6rzvTwK9ISfsSiOPoXE4+1Fd+2d8Z+1ADLNwl2ZPH:uATwWHJisodOd2ml2VH

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9D1F409-34BE-42B6-98B6-93311D0F3CFF}\ = "Usr_NET"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5373E364-0F4E-4EDC-8342-CA46EF9BBD2F}\TypeLib\ = "{D9B796DE-BE63-4917-96CE-9E8E7FEDC45C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5373E364-0F4E-4EDC-8342-CA46EF9BBD2F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5373E364-0F4E-4EDC-8342-CA46EF9BBD2F}\TypeLib\ = "{D9B796DE-BE63-4917-96CE-9E8E7FEDC45C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9D1F409-34BE-42B6-98B6-93311D0F3CFF}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QM_GUI_NET.Usr_NET\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QM_GUI_NET.Usr_NET\Clsid\ = "{2EDCC828-1E44-4131-945F-9AF2437BCFB7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5373E364-0F4E-4EDC-8342-CA46EF9BBD2F}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9D1F409-34BE-42B6-98B6-93311D0F3CFF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9D1F409-34BE-42B6-98B6-93311D0F3CFF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9D1F409-34BE-42B6-98B6-93311D0F3CFF}\TypeLib\ = "{D9B796DE-BE63-4917-96CE-9E8E7FEDC45C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\VERSION	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QM_GUI_NET.Usr_NET\ = "QM_GUI_NET.Usr_NET"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5373E364-0F4E-4EDC-8342-CA46EF9BBD2F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9D1F409-34BE-42B6-98B6-93311D0F3CFF}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QM_GUI_NET.Usr_NET	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{D9B796DE-BE63-4917-96CE-9E8E7FEDC45C}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9D1F409-34BE-42B6-98B6-93311D0F3CFF}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{D9B796DE-BE63-4917-96CE-9E8E7FEDC45C}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\65ad5b0f03640ce491c5b3af9cc6a5c6d2bd9096e70cb08cb6945959bb0a38af.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\Control\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\TypeLib\ = "{D9B796DE-BE63-4917-96CE-9E8E7FEDC45C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\VERSION\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9D1F409-34BE-42B6-98B6-93311D0F3CFF}\TypeLib\ = "{D9B796DE-BE63-4917-96CE-9E8E7FEDC45C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9D1F409-34BE-42B6-98B6-93311D0F3CFF}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\65ad5b0f03640ce491c5b3af9cc6a5c6d2bd9096e70cb08cb6945959bb0a38af.dll, 30000"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{D9B796DE-BE63-4917-96CE-9E8E7FEDC45C}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5373E364-0F4E-4EDC-8342-CA46EF9BBD2F}\ = "_Usr_NET"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5373E364-0F4E-4EDC-8342-CA46EF9BBD2F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9D1F409-34BE-42B6-98B6-93311D0F3CFF}\ = "__Usr_NET"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5373E364-0F4E-4EDC-8342-CA46EF9BBD2F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9D1F409-34BE-42B6-98B6-93311D0F3CFF}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\ProgID\ = "QM_GUI_NET.Usr_NET"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{D9B796DE-BE63-4917-96CE-9E8E7FEDC45C}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5373E364-0F4E-4EDC-8342-CA46EF9BBD2F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9D1F409-34BE-42B6-98B6-93311D0F3CFF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5373E364-0F4E-4EDC-8342-CA46EF9BBD2F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9D1F409-34BE-42B6-98B6-93311D0F3CFF}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{D9B796DE-BE63-4917-96CE-9E8E7FEDC45C}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9D1F409-34BE-42B6-98B6-93311D0F3CFF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9D1F409-34BE-42B6-98B6-93311D0F3CFF}\ = "__Usr_NET"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\65ad5b0f03640ce491c5b3af9cc6a5c6d2bd9096e70cb08cb6945959bb0a38af.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{D9B796DE-BE63-4917-96CE-9E8E7FEDC45C}\1.0\ = "QM_GUI_NET"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{D9B796DE-BE63-4917-96CE-9E8E7FEDC45C}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5373E364-0F4E-4EDC-8342-CA46EF9BBD2F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5373E364-0F4E-4EDC-8342-CA46EF9BBD2F}\ = "Usr_NET"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5373E364-0F4E-4EDC-8342-CA46EF9BBD2F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5373E364-0F4E-4EDC-8342-CA46EF9BBD2F}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5373E364-0F4E-4EDC-8342-CA46EF9BBD2F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9D1F409-34BE-42B6-98B6-93311D0F3CFF}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2EDCC828-1E44-4131-945F-9AF2437BCFB7}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 696	760	regsvr32.exe	28
PID 760 wrote to memory of 696	760	regsvr32.exe	28
PID 760 wrote to memory of 696	760	regsvr32.exe	28
PID 760 wrote to memory of 696	760	regsvr32.exe	28
PID 760 wrote to memory of 696	760	regsvr32.exe	28
PID 760 wrote to memory of 696	760	regsvr32.exe	28
PID 760 wrote to memory of 696	760	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\65ad5b0f03640ce491c5b3af9cc6a5c6d2bd9096e70cb08cb6945959bb0a38af.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\65ad5b0f03640ce491c5b3af9cc6a5c6d2bd9096e70cb08cb6945959bb0a38af.dll
  2⤵
  - Modifies registry class
  PID:696

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads