ecaf7ab8ce58a0cefe1652fc904bd7ec0c4438627b88219efb8431604065ca1d

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
26-06-2023 21:52

Target

ecaf7ab8ce58a0cefe1652fc904bd7ec0c4438627b88219efb8431604065ca1d.dll
Size

4.3MB
MD5

b81e8875fd1a0a85414169ab11c49ab4
SHA1

e376a69a407081c92fcc510ecff4caa30897a4b1
SHA256

ecaf7ab8ce58a0cefe1652fc904bd7ec0c4438627b88219efb8431604065ca1d
SHA512

80c8b1d35bef473510f4a89f3b8042d9d4bd930e9eab2b87cfa20064284338c7fee2b930989ea171101d6c0c95dfbcaeef8a1680538a11d405b572d86e190b8c
SSDEEP

49152:qmAvV/5CYjGDD3RHOE9v/dC5irmo3wdpibeCuvBbRJHRh81j9w5jiBk5/DEvFXus:CR5sP5OEvPyiyjvZR17DEvFXdf

Score

1^/10

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0055AAB0-EACB-46DB-9BB4-1B97FC046D02}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0055AAB0-EACB-46DB-9BB4-1B97FC046D02}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ecaf7ab8ce58a0cefe1652fc904bd7ec0c4438627b88219efb8431604065ca1d.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0055AAB0-EACB-46DB-9BB4-1B97FC046D02}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0055AAB0-EACB-46DB-9BB4-1B97FC046D02}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0055AAB0-EACB-46DB-9BB4-1B97FC046D02}\ = "中文(简体) - 2345王牌拼音输入法"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 2024	1296	regsvr32.exe	27
PID 1296 wrote to memory of 2024	1296	regsvr32.exe	27
PID 1296 wrote to memory of 2024	1296	regsvr32.exe	27
PID 1296 wrote to memory of 2024	1296	regsvr32.exe	27
PID 1296 wrote to memory of 2024	1296	regsvr32.exe	27
PID 1296 wrote to memory of 2024	1296	regsvr32.exe	27
PID 1296 wrote to memory of 2024	1296	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ecaf7ab8ce58a0cefe1652fc904bd7ec0c4438627b88219efb8431604065ca1d.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\ecaf7ab8ce58a0cefe1652fc904bd7ec0c4438627b88219efb8431604065ca1d.dll
  2⤵
  - Modifies registry class
  PID:2024