dc1db4165c925041dde15aee2a71b943470af40fb16c0d9f80806ad7a812b659

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
28/08/2023, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc1db4165c925041dde15aee2a71b943470af40fb16c0d9f80806ad7a812b659.dll
Size

521KB
MD5

3a5a001bf5c41b11b71b0d7a5e91f6a9
SHA1

ddc7fabb3dce61b29dc4251b0db0030ee3e66fdd
SHA256

dc1db4165c925041dde15aee2a71b943470af40fb16c0d9f80806ad7a812b659
SHA512

0591757005882b176d1fbfd12e0e4156ee91f24f4ea87317bc5abd1f0fc138193f12e8ae9ac36b05e97d2cc2a4cdfec9d15276cf1f5f9cb11d7c6e6ff6a7a69e
SSDEEP

6144:Z/P+isd001ahOYGXg06XesPpGdyRaJMKzXUkn2Bh:x7sdQhOYGXgVXerzXUkUh

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F4DACB3-160D-11D2-A8E9-00104B365C9F}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ShellEx\DropHandler	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ShellEx	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "\"C:\\Windows\\system32\\cscript.exe\" \"%1\" %*"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F4DACB0-160D-11D2-A8E9-00104B365C9F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F4DACB1-160D-11D2-A8E9-00104B365C9F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptEngine	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\ = "GlobalObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}\ = "ErrObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBS Author\ = "VB Script Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ShellEx\PropertySheetHandlers	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\ = "Open"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F4DACB0-160D-11D2-A8E9-00104B365C9F}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "\"C:\\Windows\\system32\\wscript.exe\" \"%1\" %*"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Print	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Print\Command	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F4DACB2-160D-11D2-A8E9-00104B365C9F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptEngine\ = "VBScript"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F4DACA1-160D-11D2-A8E9-00104B365C9F}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F4DACA1-160D-11D2-A8E9-00104B365C9F}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\DefaultIcon	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ShellEx\PropertySheetHandlers\WSHProps	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F4DACA0-160D-11D2-A8E9-00104B365C9F}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F4DACA0-160D-11D2-A8E9-00104B365C9F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F4DACA2-160D-11D2-A8E9-00104B365C9F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F4DACB1-160D-11D2-A8E9-00104B365C9F}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript.RegExp\ = "VBScript Regular Expression"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript\ = "VB Script Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript.Encode\ = "VB Script Language Encoding"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dc1db4165c925041dde15aee2a71b943470af40fb16c0d9f80806ad7a812b659.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "\"C:\\Windows\\system32\\notepad.exe\" %1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Print\Command	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}\TypeLib\ = "{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F4DACA2-160D-11D2-A8E9-00104B365C9F}\ProxyStubClsid	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\TypeLib\ = "{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F4DACB2-160D-11D2-A8E9-00104B365C9F}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBS\ = "VB Script Language"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 820	2100	regsvr32.exe	28
PID 2100 wrote to memory of 820	2100	regsvr32.exe	28
PID 2100 wrote to memory of 820	2100	regsvr32.exe	28
PID 2100 wrote to memory of 820	2100	regsvr32.exe	28
PID 2100 wrote to memory of 820	2100	regsvr32.exe	28
PID 2100 wrote to memory of 820	2100	regsvr32.exe	28
PID 2100 wrote to memory of 820	2100	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dc1db4165c925041dde15aee2a71b943470af40fb16c0d9f80806ad7a812b659.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\dc1db4165c925041dde15aee2a71b943470af40fb16c0d9f80806ad7a812b659.dll
  2⤵
  - Modifies registry class
  PID:820

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads