22e5e61949594ce649971b896954c58495c9ea286d9c754323f0c09ee8a4dc62

Analysis

max time kernel
147s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fc8120527a0c9e1dd7cf9094c174ee9.dll
Size

646KB
MD5

5fc8120527a0c9e1dd7cf9094c174ee9
SHA1

13243b9157ced3c6ccf1ed2f6d1639eea79692e2
SHA256

22e5e61949594ce649971b896954c58495c9ea286d9c754323f0c09ee8a4dc62
SHA512

c5938683f33206714cfce2022a8eb2e78ef03acecd8a5be7b7d1d081a4d745b09914d9e1ab611303e6b3fe9fbd3ae13464d31153bc2ab993ddab1f7604549ae4
SSDEEP

6144:La8zDRhE3qubQqZiyVmLAVPY/pUgUrhqWrRHyDz7+gedJiYksrosWixu/1mqEm6N:lz9hE3yqZ5VvnoWrQmvBksNSSzA

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4548-0-0x00000000001A0000-0x00000000001C0000-memory.dmp	upx

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\5fc8120527a0c9e1dd7cf9094c174ee9.ExecuteHookWebPV1005\ = "Webhook1005PV"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\5fc8120527a0c9e1dd7cf9094c174ee9.ExecuteHookWebPV1005\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\5fc8120527a0c9e1dd7cf9094c174ee9.ExecuteHookWebPV1005\Clsid\ = "{58826D8F-D0BB-4A05-A413-4585F3D0911A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58826D8F-D0BB-4A05-A413-4585F3D0911A}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58826D8F-D0BB-4A05-A413-4585F3D0911A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58826D8F-D0BB-4A05-A413-4585F3D0911A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58826D8F-D0BB-4A05-A413-4585F3D0911A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5fc8120527a0c9e1dd7cf9094c174ee9.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58826D8F-D0BB-4A05-A413-4585F3D0911A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\5fc8120527a0c9e1dd7cf9094c174ee9.ExecuteHookWebPV1005	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58826D8F-D0BB-4A05-A413-4585F3D0911A}\ProgID\ = "5fc8120527a0c9e1dd7cf9094c174ee9.ExecuteHookWebPV1005"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58826D8F-D0BB-4A05-A413-4585F3D0911A}\ = "Webhook1005PV"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 4548	4064	regsvr32.exe	12
PID 4064 wrote to memory of 4548	4064	regsvr32.exe	12
PID 4064 wrote to memory of 4548	4064	regsvr32.exe	12

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\5fc8120527a0c9e1dd7cf9094c174ee9.dll
1⤵
- Modifies registry class
PID:4548

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5fc8120527a0c9e1dd7cf9094c174ee9.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4548-0-0x00000000001A0000-0x00000000001C0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads