583b76e32b23f0242c126d92321e13df0b5df8dc735a15fa70adab7f045d5f70

Analysis

max time kernel
136s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/12/2023, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

583b76e32b23f0242c126d92321e13df0b5df8dc735a15fa70adab7f045d5f70.dll
Size

453KB
MD5

92a4674dceb6cb021735b4f72bf71828
SHA1

860bb79ea4aedd2d91937bb6b2552e3f5e202576
SHA256

583b76e32b23f0242c126d92321e13df0b5df8dc735a15fa70adab7f045d5f70
SHA512

f55126b610978e927c26a846f0e5871c3a04b4484e8beeb0b7b938e5855fd808a1d3313c02e1a19216541453af3d1fd9ad44392664f8049d38f0eb6084d46126
SSDEEP

3072:w3cMTTxCBnMrrBf0wis1g68Cgi3qDt1GGPdEFTmFP7k5R1Nh+gwPk86mX5MHqkpr:GtTB0wis+68nmqDt1G1FkK4gazXUknkp

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ShellEx	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\ = "GlobalObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\TypeLib\ = "{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}\TypeLib\ = "{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACA2-160D-11D2-A8E9-00104B365C9F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBS Author\ = "VB Script Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ShellEx\PropertySheetHandlers\WSHProps	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ = "VBScript Script File"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "\"C:\\Windows\\system32\\notepad.exe\" %1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACA1-160D-11D2-A8E9-00104B365C9F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACB2-160D-11D2-A8E9-00104B365C9F}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Print	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptEngine\ = "VBScript"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\ = "Open"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptEngine	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}\1.0\ = "Microsoft VBScript Globals"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACB1-160D-11D2-A8E9-00104B365C9F}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACB1-160D-11D2-A8E9-00104B365C9F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBS\ = "VB Script Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ShellEx\DropHandler	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Print\Command	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACB2-160D-11D2-A8E9-00104B365C9F}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript Author\ = "VB Script Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACB0-160D-11D2-A8E9-00104B365C9F}\ProxyStubClsid	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ShellEx\PropertySheetHandlers	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Print	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}\ = "ErrObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACA0-160D-11D2-A8E9-00104B365C9F}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript.RegExp\ = "VBScript Regular Expression"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Print\Command\ = "\"C:\\Windows\\system32\\notepad.exe\" /p %1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript\ = "VB Script Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\DefaultIcon	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACB0-160D-11D2-A8E9-00104B365C9F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript.Encode\ = "VB Script Language Encoding"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "\"C:\\Windows\\system32\\cscript.exe\" \"%1\" %*"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 2092	4704	regsvr32.exe	89
PID 4704 wrote to memory of 2092	4704	regsvr32.exe	89
PID 4704 wrote to memory of 2092	4704	regsvr32.exe	89

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\583b76e32b23f0242c126d92321e13df0b5df8dc735a15fa70adab7f045d5f70.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\583b76e32b23f0242c126d92321e13df0b5df8dc735a15fa70adab7f045d5f70.dll
  2⤵
  - Modifies registry class
  PID:2092

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads