866c0963dc937096114f3d2f13ab4dc2156348299f091f483ac9f489f9913c59

Analysis

max time kernel
90s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2023, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

866c0963dc937096114f3d2f13ab4dc2156348299f091f483ac9f489f9913c59.dll
Size

275KB
MD5

091715e3e7b0d1c838ea9479ee0c4022
SHA1

cd0581182d948ff64f8d78d9b3d17d917c355130
SHA256

866c0963dc937096114f3d2f13ab4dc2156348299f091f483ac9f489f9913c59
SHA512

f4dc698b2dd9045790d39cc6c615fc54b00c0b2ce2a9a33f6961806d0098864c20b54f721a756497b72c45c125dd806c6ff39f78ddb01dfd9a09aeac4b9d1a5d
SSDEEP

6144:7WxdOILCxtLzKcvH326UW/klMiUOE8CxlMRaffQ:7Wz7LALmwXv1klKOE8CxRff

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{321E3B7E-65F1-4AE5-A891-DE1E268CDC14}\ = "lEDI.set"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{321E3B7E-65F1-4AE5-A891-DE1E268CDC14}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{321E3B7E-65F1-4AE5-A891-DE1E268CDC14}\ProgID\ = "lEDI.set"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{321E3B7E-65F1-4AE5-A891-DE1E268CDC14}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CFB3A6C-0B50-43B2-AB08-BC932E9A5B91}\ = "_set"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3336A6D3-CB72-48A1-9B38-4CEEEEEA178C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3336A6D3-CB72-48A1-9B38-4CEEEEEA178C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC6C45A-928B-4F71-B3B3-6D96CE5760F4}\VERSION	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3336A6D3-CB72-48A1-9B38-4CEEEEEA178C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{321E3B7E-65F1-4AE5-A891-DE1E268CDC14}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C982605-BE39-46B3-AEDE-8C42BAB2179D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C982605-BE39-46B3-AEDE-8C42BAB2179D}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CFB3A6C-0B50-43B2-AB08-BC932E9A5B91}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3336A6D3-CB72-48A1-9B38-4CEEEEEA178C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C982605-BE39-46B3-AEDE-8C42BAB2179D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\866c0963dc937096114f3d2f13ab4dc2156348299f091f483ac9f489f9913c59.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC6C45A-928B-4F71-B3B3-6D96CE5760F4}\ProgID\ = "lEDI.LogNoInfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lEDI.LogNoInfo\Clsid\ = "{FAC6C45A-928B-4F71-B3B3-6D96CE5760F4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC6C45A-928B-4F71-B3B3-6D96CE5760F4}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C982605-BE39-46B3-AEDE-8C42BAB2179D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3336A6D3-CB72-48A1-9B38-4CEEEEEA178C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3336A6D3-CB72-48A1-9B38-4CEEEEEA178C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC6C45A-928B-4F71-B3B3-6D96CE5760F4}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC6C45A-928B-4F71-B3B3-6D96CE5760F4}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC6C45A-928B-4F71-B3B3-6D96CE5760F4}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\866c0963dc937096114f3d2f13ab4dc2156348299f091f483ac9f489f9913c59.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3336A6D3-CB72-48A1-9B38-4CEEEEEA178C}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lEDI.set\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1CFB3A6C-0B50-43B2-AB08-BC932E9A5B91}\TypeLib\ = "{7C982605-BE39-46B3-AEDE-8C42BAB2179D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CFB3A6C-0B50-43B2-AB08-BC932E9A5B91}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3336A6D3-CB72-48A1-9B38-4CEEEEEA178C}\ = "_LogNoInfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3336A6D3-CB72-48A1-9B38-4CEEEEEA178C}\TypeLib\ = "{7C982605-BE39-46B3-AEDE-8C42BAB2179D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{321E3B7E-65F1-4AE5-A891-DE1E268CDC14}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC6C45A-928B-4F71-B3B3-6D96CE5760F4}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C982605-BE39-46B3-AEDE-8C42BAB2179D}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C982605-BE39-46B3-AEDE-8C42BAB2179D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1CFB3A6C-0B50-43B2-AB08-BC932E9A5B91}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CFB3A6C-0B50-43B2-AB08-BC932E9A5B91}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{321E3B7E-65F1-4AE5-A891-DE1E268CDC14}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{321E3B7E-65F1-4AE5-A891-DE1E268CDC14}\VERSION\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C982605-BE39-46B3-AEDE-8C42BAB2179D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC6C45A-928B-4F71-B3B3-6D96CE5760F4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC6C45A-928B-4F71-B3B3-6D96CE5760F4}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{321E3B7E-65F1-4AE5-A891-DE1E268CDC14}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1CFB3A6C-0B50-43B2-AB08-BC932E9A5B91}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CFB3A6C-0B50-43B2-AB08-BC932E9A5B91}\TypeLib\ = "{7C982605-BE39-46B3-AEDE-8C42BAB2179D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC6C45A-928B-4F71-B3B3-6D96CE5760F4}\VERSION\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lEDI.LogNoInfo\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lEDI.set\Clsid\ = "{321E3B7E-65F1-4AE5-A891-DE1E268CDC14}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{321E3B7E-65F1-4AE5-A891-DE1E268CDC14}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{321E3B7E-65F1-4AE5-A891-DE1E268CDC14}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3336A6D3-CB72-48A1-9B38-4CEEEEEA178C}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lEDI.set	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C982605-BE39-46B3-AEDE-8C42BAB2179D}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CFB3A6C-0B50-43B2-AB08-BC932E9A5B91}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CFB3A6C-0B50-43B2-AB08-BC932E9A5B91}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lEDI.LogNoInfo\ = "lEDI.LogNoInfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C982605-BE39-46B3-AEDE-8C42BAB2179D}\1.0\ = "lEDI"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC6C45A-928B-4F71-B3B3-6D96CE5760F4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lEDI.set\ = "lEDI.set"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3336A6D3-CB72-48A1-9B38-4CEEEEEA178C}\TypeLib\ = "{7C982605-BE39-46B3-AEDE-8C42BAB2179D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAC6C45A-928B-4F71-B3B3-6D96CE5760F4}\ = "lEDI.LogNoInfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3336A6D3-CB72-48A1-9B38-4CEEEEEA178C}\ = "_LogNoInfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{321E3B7E-65F1-4AE5-A891-DE1E268CDC14}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\866c0963dc937096114f3d2f13ab4dc2156348299f091f483ac9f489f9913c59.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{321E3B7E-65F1-4AE5-A891-DE1E268CDC14}\VERSION	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1CFB3A6C-0B50-43B2-AB08-BC932E9A5B91}\ = "set"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 3756	3904	regsvr32.exe	81
PID 3904 wrote to memory of 3756	3904	regsvr32.exe	81
PID 3904 wrote to memory of 3756	3904	regsvr32.exe	81

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\866c0963dc937096114f3d2f13ab4dc2156348299f091f483ac9f489f9913c59.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\866c0963dc937096114f3d2f13ab4dc2156348299f091f483ac9f489f9913c59.dll
  2⤵
  - Modifies registry class
  PID:3756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3756-133-0x0000000011000000-0x00000000111A0000-memory.dmp

Filesize
1.6MB

Download
memory/3756-134-0x0000000002D40000-0x0000000002D43000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads