ecaf7ab8ce58a0cefe1652fc904bd7ec0c4438627b88219efb8431604065ca1d

Analysis

max time kernel
84s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2023 21:52

Target

ecaf7ab8ce58a0cefe1652fc904bd7ec0c4438627b88219efb8431604065ca1d.dll
Size

4.3MB
MD5

b81e8875fd1a0a85414169ab11c49ab4
SHA1

e376a69a407081c92fcc510ecff4caa30897a4b1
SHA256

ecaf7ab8ce58a0cefe1652fc904bd7ec0c4438627b88219efb8431604065ca1d
SHA512

80c8b1d35bef473510f4a89f3b8042d9d4bd930e9eab2b87cfa20064284338c7fee2b930989ea171101d6c0c95dfbcaeef8a1680538a11d405b572d86e190b8c
SSDEEP

49152:qmAvV/5CYjGDD3RHOE9v/dC5irmo3wdpibeCuvBbRJHRh81j9w5jiBk5/DEvFXus:CR5sP5OEvPyiyjvZR17DEvFXdf

Score

1^/10

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055AAB0-EACB-46DB-9BB4-1B97FC046D02}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055AAB0-EACB-46DB-9BB4-1B97FC046D02}\ = "中文(简体) - 2345王牌拼音输入法"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055AAB0-EACB-46DB-9BB4-1B97FC046D02}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055AAB0-EACB-46DB-9BB4-1B97FC046D02}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ecaf7ab8ce58a0cefe1652fc904bd7ec0c4438627b88219efb8431604065ca1d.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055AAB0-EACB-46DB-9BB4-1B97FC046D02}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1960	2112	regsvr32.exe	83
PID 2112 wrote to memory of 1960	2112	regsvr32.exe	83
PID 2112 wrote to memory of 1960	2112	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ecaf7ab8ce58a0cefe1652fc904bd7ec0c4438627b88219efb8431604065ca1d.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\ecaf7ab8ce58a0cefe1652fc904bd7ec0c4438627b88219efb8431604065ca1d.dll
  2⤵
  - Modifies registry class
  PID:1960