ceb4cfc1e630a76d715d87fdace538e1afa509530a89d8f1b972ee813f22651e

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
24/11/2023, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ceb4cfc1e630a76d715d87fdace538e1afa509530a89d8f1b972ee813f22651e.dll
Size

938KB
MD5

299bb4679908349f3b234c19ba5c1586
SHA1

3709169ba68af7d443d7cce72a63b39f92a4c8c2
SHA256

ceb4cfc1e630a76d715d87fdace538e1afa509530a89d8f1b972ee813f22651e
SHA512

90644533e0bed1a2774eca59f1649213847681f96f31be322adeef7482e7830e4d4bf11d7cccdee19089015c534c3b56dcced3ece71ab3f4db2006e59069bb3a
SSDEEP

12288:52p4wNbIEcWWQ1tPY7pXMW3fvVwPKaDcTdHxqHEEEEEEEEEEEEGEEEEEEGYQsi:/wNsEj1tQ7pcW33V8H4dQ/

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B095}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B09F}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\Shell\Open2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B088}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B095}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B096}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID\ = "{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B098}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B09B}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B09D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B092}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B089}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B093}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B090}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B09B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B09F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B092}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ceb4cfc1e630a76d715d87fdace538e1afa509530a89d8f1b972ee813f22651e.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\Shell\Open2\Command	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B093}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\ = "JScript Language Encoding"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID\ = "{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B09C}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B092}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B094}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B089}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B099}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID\ = "{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B089}\TypeLib\ = "{3EEF9759-35FC-11D1-8CE4-00C04FC2B085}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B099}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B09A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B09E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B098}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID\ = "{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9759-35FC-11D1-8CE4-00C04FC2B085}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B094}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B086}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B086}\ = "GlobalObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B086}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B09B}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B0A0}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\Shell\Edit	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B095}\ = "BoolInstance"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B096}\ = "NumberInstance"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B09C}\TypeLib\ = "{3EEF9759-35FC-11D1-8CE4-00C04FC2B085}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B0A0}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B097}\ = "ObjectInstance"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B098}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID\ = "{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B090}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B097}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B092}\ = "ArrayInstance"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B086}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B096}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B097}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\Shell\Edit\Command	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ScriptEngine	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B086}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B087}\ = "DateObj"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2136	1804	regsvr32.exe	28
PID 1804 wrote to memory of 2136	1804	regsvr32.exe	28
PID 1804 wrote to memory of 2136	1804	regsvr32.exe	28
PID 1804 wrote to memory of 2136	1804	regsvr32.exe	28
PID 1804 wrote to memory of 2136	1804	regsvr32.exe	28
PID 1804 wrote to memory of 2136	1804	regsvr32.exe	28
PID 1804 wrote to memory of 2136	1804	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ceb4cfc1e630a76d715d87fdace538e1afa509530a89d8f1b972ee813f22651e.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\ceb4cfc1e630a76d715d87fdace538e1afa509530a89d8f1b972ee813f22651e.dll
  2⤵
  - Modifies registry class
  PID:2136

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads