1a65349d6ab2168eb437fc2dba48b5596877ceb9d7cd2218cef59f1366557008

Analysis

max time kernel
1s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 10:16

Target

1a65349d6ab2168eb437fc2dba48b5596877ceb9d7cd2218cef59f1366557008.dll
Size

391KB
MD5

f26ce91615a21ceef1331c03e41b078c
SHA1

ca976deb02fa87c95906a385e713928e31c395dc
SHA256

1a65349d6ab2168eb437fc2dba48b5596877ceb9d7cd2218cef59f1366557008
SHA512

3b98b45d09f6ff8c11701eb8b852e9649ef4d351b86260e2f32c615a5bb54ee75be4066f03daf305e8e10d7f4f535126fcf31d7e3580e671fe1f3c336435dfa3
SSDEEP

12288:yvO+MmUf61QCCt4oAtxRxp0zUOA1sUZb7m0PG6C:yv3MmUf6WCc4orQOA1sUZb7m0PrC

Score

1^/10

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD96059D-FAE5-4B03-8B1E-B9F5C1C34DC3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD96059D-FAE5-4B03-8B1E-B9F5C1C34DC3}\ = "QWallpaper"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD96059D-FAE5-4B03-8B1E-B9F5C1C34DC3}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD96059D-FAE5-4B03-8B1E-B9F5C1C34DC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1a65349d6ab2168eb437fc2dba48b5596877ceb9d7cd2218cef59f1366557008.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD96059D-FAE5-4B03-8B1E-B9F5C1C34DC3}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD96059D-FAE5-4B03-8B1E-B9F5C1C34DC3}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD96059D-FAE5-4B03-8B1E-B9F5C1C34DC3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 5048	4956	regsvr32.exe	80
PID 4956 wrote to memory of 5048	4956	regsvr32.exe	80
PID 4956 wrote to memory of 5048	4956	regsvr32.exe	80

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1a65349d6ab2168eb437fc2dba48b5596877ceb9d7cd2218cef59f1366557008.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\1a65349d6ab2168eb437fc2dba48b5596877ceb9d7cd2218cef59f1366557008.dll
  2⤵
  - Modifies registry class
  PID:5048