48a72070d0c5310035685b78c198b0c4ec2a6b1063c066f67b72b18f5523cff4

Analysis

max time kernel
122s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XCEEDZIP.dll
Size

445KB
MD5

044beba65ba31e1ca1ffc8cbbef78f3e
SHA1

55731a6c5043ad4e43735ee8434767953e562f71
SHA256

ccfd6be91993d92e95ed4552b9a0d62660eb675248175621286cf4133d5140f2
SHA512

802f7aef54e7965b83a12baf343bc8a4a84021aab918bb3bfa02d1f7447da7360e52313036559203620affdb30bc2f05582d04eabf796777aff1100f8d5f427c
SSDEEP

6144:1H96ZSSne+U5r7LFMp2Yuoi+Z9f/5AbghXyWGBSf07HXttgjxpWApI7f7:1dzSHUR7quo6utGBSf07wIr7

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB797690-40E0-11D2-9BD5-0060082AE372}\Verb	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77243A10-00F3-11D5-802D-0060082AE372}\TypeLib\ = "{DB797681-40E0-11D2-9BD5-0060082AE372}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05D56700-EB90-11D2-A5CD-00105A9C91C6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB797690-40E0-11D2-9BD5-0060082AE372}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C836512-BB70-11D2-A5A7-00105A9C91C6}\Verb\1\ = "Free &Support, 0, 2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB797681-40E0-11D2-9BD5-0060082AE372}\5.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31C2DDD1-B692-11D4-BFE3-0060082AE372}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77243A10-00F3-11D5-802D-0060082AE372}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB797691-40E0-11D2-9BD5-0060082AE372}\TypeLib\Version = "5.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99C11080-CD22-11D4-BFFA-0060082AE372}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XceedSoftware.XceedZip\CLSID\ = "{DB797690-40E0-11D2-9BD5-0060082AE372}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31C2DDD0-B692-11D4-BFE3-0060082AE372}\TypeLib\ = "{DB797681-40E0-11D2-9BD5-0060082AE372}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C836511-BB70-11D2-A5A7-00105A9C91C6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05D56700-EB90-11D2-A5CD-00105A9C91C6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB797690-40E0-11D2-9BD5-0060082AE372}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB797691-40E0-11D2-9BD5-0060082AE372}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XceedSoftware.XceedZip\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C836512-BB70-11D2-A5A7-00105A9C91C6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAA1401E-3F5F-47A4-870B-431D602D2488}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB79768F-40E0-11D2-9BD5-0060082AE372}\TypeLib\ = "{DB797681-40E0-11D2-9BD5-0060082AE372}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07189400-00F2-11D5-802D-0060082AE372}\TypeLib\ = "{DB797681-40E0-11D2-9BD5-0060082AE372}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC4831F-8C1F-434E-9F80-7F1B5B0036E0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC4831F-8C1F-434E-9F80-7F1B5B0036E0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C836512-BB70-11D2-A5A7-00105A9C91C6}\ = "Xceed Compression Control v5.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB79768F-40E0-11D2-9BD5-0060082AE372}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C836511-BB70-11D2-A5A7-00105A9C91C6}\TypeLib\Version = "5.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C836512-BB70-11D2-A5A7-00105A9C91C6}\VersionIndependentProgID\ = "XceedSoftware.XceedCompression"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0CECD40-EB84-11D2-A5CD-00105A9C91C6}\TypeLib\Version = "5.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC4831F-8C1F-434E-9F80-7F1B5B0036E0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC4831F-8C1F-434E-9F80-7F1B5B0036E0}\TypeLib\Version = "5.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77243A10-00F3-11D5-802D-0060082AE372}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{99C11080-CD22-11D4-BFFA-0060082AE372}\TypeLib\Version = "5.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XceedSoftware.XceedZip\ = "Xceed Zip Control v5.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C836512-BB70-11D2-A5A7-00105A9C91C6}\ProgID\ = "XceedSoftware.XceedCompression.5"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C836512-BB70-11D2-A5A7-00105A9C91C6}\Insertable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A0CECD40-EB84-11D2-A5CD-00105A9C91C6}\ = "IXceedZip__0401"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{07189400-00F2-11D5-802D-0060082AE372}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31C2DDD2-B692-11D4-BFE3-0060082AE372}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB797690-40E0-11D2-9BD5-0060082AE372}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C836512-BB70-11D2-A5A7-00105A9C91C6}\MiscStatus\1\ = "132497"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{07189400-00F2-11D5-802D-0060082AE372}\ = "IXceedZip__0405"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31C2DDD1-B692-11D4-BFE3-0060082AE372}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XceedSoftware.XceedCompression\ = "Xceed Compression Control v5.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0CECD40-EB84-11D2-A5CD-00105A9C91C6}\ = "IXceedZip__0401"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07189400-00F2-11D5-802D-0060082AE372}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31C2DDD1-B692-11D4-BFE3-0060082AE372}\ = "IXceedZipItem__0405"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C836511-BB70-11D2-A5A7-00105A9C91C6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C836511-BB70-11D2-A5A7-00105A9C91C6}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99C11080-CD22-11D4-BFFA-0060082AE372}\ = "IXceedCompression__0402"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB797690-40E0-11D2-9BD5-0060082AE372}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C836512-BB70-11D2-A5A7-00105A9C91C6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XCEEDZIP.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31C2DDD0-B692-11D4-BFE3-0060082AE372}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB797691-40E0-11D2-9BD5-0060082AE372}\TypeLib\Version = "5.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB797691-40E0-11D2-9BD5-0060082AE372}\TypeLib\ = "{DB797681-40E0-11D2-9BD5-0060082AE372}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DB797681-40E0-11D2-9BD5-0060082AE372}\5.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAA1401E-3F5F-47A4-870B-431D602D2488}\TypeLib\Version = "5.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31C2DDD0-B692-11D4-BFE3-0060082AE372}\TypeLib\Version = "5.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99C11080-CD22-11D4-BFFA-0060082AE372}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB797690-40E0-11D2-9BD5-0060082AE372}\ProgID\ = "XceedSoftware.XceedZip.5"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB79768F-40E0-11D2-9BD5-0060082AE372}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31C2DDD2-B692-11D4-BFE3-0060082AE372}\ = "IXceedZipItems"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31C2DDD2-B692-11D4-BFE3-0060082AE372}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB797690-40E0-11D2-9BD5-0060082AE372}\Version\ = "5.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XceedSoftware.XceedCompression\CLSID	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2980	1704	regsvr32.exe	27
PID 1704 wrote to memory of 2980	1704	regsvr32.exe	27
PID 1704 wrote to memory of 2980	1704	regsvr32.exe	27
PID 1704 wrote to memory of 2980	1704	regsvr32.exe	27
PID 1704 wrote to memory of 2980	1704	regsvr32.exe	27
PID 1704 wrote to memory of 2980	1704	regsvr32.exe	27
PID 1704 wrote to memory of 2980	1704	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\XCEEDZIP.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\XCEEDZIP.dll
  2⤵
  - Modifies registry class
  PID:2980

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads