96d54290fa11849294cc2dd52f9f26540c535ef520b022118e6a768da5baacae

Analysis

max time kernel
139s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2023, 10:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

96d54290fa11849294cc2dd52f9f26540c535ef520b022118e6a768da5baacae.dll
Size

268KB
MD5

68fa9a9444d65b26dbefd07cd3e691f9
SHA1

5a8db53939f32b94ab71bcc7421e80f89c365d6c
SHA256

96d54290fa11849294cc2dd52f9f26540c535ef520b022118e6a768da5baacae
SHA512

3604797d25d236ac7f7ee8d792e3ebcedad2b7082dabadda52083d576ce28a8e97cd87e5cad103776b5023c4e5a6ffb615365f57d1e6d3dc2f2b26da909ba340
SSDEEP

6144:08+WQ5Tboq8TFcZV1ARZrRIoCfy3JLAvYSpVmkTz0Gent5:08+J5TboqMcZV1ARZrRI0avYWU35

Score

1^/10

Malware Config

Signatures

Modifies registry class 52 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{794D671E-F0F0-11D2-BEB0-009027438003}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{794D671D-F0F0-11D2-BEB0-009027438003}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CCEEE161-E2D0-4A36-A2D9-71DD221253C1}\InprocSrv64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Persits.MailSender	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Persits.MailSender\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Persits.MailSender\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{794D671E-F0F0-11D2-BEB0-009027438003}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{794D6711-F0F0-11D2-BEB0-009027438003}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{794D6711-F0F0-11D2-BEB0-009027438003}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{794D671D-F0F0-11D2-BEB0-009027438003}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Persits.MailSender.4\ = "AspEmail Component"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{794D671D-F0F0-11D2-BEB0-009027438003}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{794D671D-F0F0-11D2-BEB0-009027438003}\TypeLib\ = "{794D6711-F0F0-11D2-BEB0-009027438003}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{794D671D-F0F0-11D2-BEB0-009027438003}\ = "IMailSender"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Persits.MailSender\ = "AspEmail Component"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{794D671E-F0F0-11D2-BEB0-009027438003}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{794D671E-F0F0-11D2-BEB0-009027438003}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{794D6711-F0F0-11D2-BEB0-009027438003}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{794D6711-F0F0-11D2-BEB0-009027438003}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{794D671D-F0F0-11D2-BEB0-009027438003}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Persits.MailSender.4	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Persits.MailSender\CurVer\ = "Persits.MailSender.4"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{794D671E-F0F0-11D2-BEB0-009027438003}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{794D671E-F0F0-11D2-BEB0-009027438003}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\96d54290fa11849294cc2dd52f9f26540c535ef520b022118e6a768da5baacae.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{794D6711-F0F0-11D2-BEB0-009027438003}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{794D671D-F0F0-11D2-BEB0-009027438003}\ = "IMailSender"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{794D671D-F0F0-11D2-BEB0-009027438003}\TypeLib\ = "{794D6711-F0F0-11D2-BEB0-009027438003}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{794D671D-F0F0-11D2-BEB0-009027438003}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Persits.MailSender.4\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{794D671E-F0F0-11D2-BEB0-009027438003}\VersionIndependentProgID\ = "Persits.MailSender"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{794D6711-F0F0-11D2-BEB0-009027438003}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{794D671D-F0F0-11D2-BEB0-009027438003}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{794D671D-F0F0-11D2-BEB0-009027438003}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Persits.MailSender.4\CLSID\ = "{794D671E-F0F0-11D2-BEB0-009027438003}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CCEEE161-E2D0-4A36-A2D9-71DD221253C1}\InprocSrv64\ = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CCEEE161-E2D0-4A36-A2D9-71DD221253C1}\InprocSrv64\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{794D671E-F0F0-11D2-BEB0-009027438003}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{794D671E-F0F0-11D2-BEB0-009027438003}\ProgID\ = "Persits.MailSender.4"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{794D671D-F0F0-11D2-BEB0-009027438003}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CCEEE161-E2D0-4A36-A2D9-71DD221253C1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Persits.MailSender\CLSID\ = "{794D671E-F0F0-11D2-BEB0-009027438003}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{794D671E-F0F0-11D2-BEB0-009027438003}\ = "MailSender Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{794D671E-F0F0-11D2-BEB0-009027438003}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{794D6711-F0F0-11D2-BEB0-009027438003}\1.0\ = "Persits Software AspEmail 5.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{794D6711-F0F0-11D2-BEB0-009027438003}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\96d54290fa11849294cc2dd52f9f26540c535ef520b022118e6a768da5baacae.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{794D671D-F0F0-11D2-BEB0-009027438003}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{794D671E-F0F0-11D2-BEB0-009027438003}\TypeLib\ = "{794D6711-F0F0-11D2-BEB0-009027438003}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{794D6711-F0F0-11D2-BEB0-009027438003}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{794D6711-F0F0-11D2-BEB0-009027438003}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{794D671D-F0F0-11D2-BEB0-009027438003}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 2168	4348	regsvr32.exe	81
PID 4348 wrote to memory of 2168	4348	regsvr32.exe	81
PID 4348 wrote to memory of 2168	4348	regsvr32.exe	81

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\96d54290fa11849294cc2dd52f9f26540c535ef520b022118e6a768da5baacae.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\96d54290fa11849294cc2dd52f9f26540c535ef520b022118e6a768da5baacae.dll
  2⤵
  - Modifies registry class
  PID:2168

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads