7baee4865977ff4f27860b62fe2f5e8e7c3436a29979365aa1d38449f86d20b0

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RPC GUI v2 - r3L4x.exe
Size

698KB
MD5

8c279f69600276fb49bd015e6d2f0478
SHA1

fb081a5bb9b56c19942f9ec522d3ee8f527b192a
SHA256

99b52568b67a6860f0bcc50458fa33f0915d1a5ee4deb254e8117f4ad72fc2d6
SHA512

95aaf5cec62739cb80230bea3b3af56b9eb3c9dce64be54ca0a33166c1b6cf9f587e10840506cba3914474b5f4f21d8ff50e7c88c1d1dfd17bf8d4e2eca833cb
SSDEEP

12288:VJefOmYSkETTh2h+ZhNreVfwBUC3xWu4JH9edFNOTIj7Vuwg:tmf2hQt04BUqxWz4dvOh

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2752	RPC GUI v2 - r3L4x.exe
2752	RPC GUI v2 - r3L4x.exe
2752	RPC GUI v2 - r3L4x.exe
2752	RPC GUI v2 - r3L4x.exe
2752	RPC GUI v2 - r3L4x.exe
2752	RPC GUI v2 - r3L4x.exe
2752	RPC GUI v2 - r3L4x.exe
2752	RPC GUI v2 - r3L4x.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	RPC GUI v2 - r3L4x.exe
File opened for modification	C:\Windows\SysWOW64\actskin4.ocx	RPC GUI v2 - r3L4x.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5954EA75-9BFA-461A-BD34-CEA3A861FF19}\ProgID	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{750FC67C-0311-4391-9864-A2EFED49BD28}\TypeLib\Version = "1.0"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0944D16C-D0F4-4389-982A-A085595A9EB3}\MiscStatus\1	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5954EA75-9BFA-461A-BD34-CEA3A861FF19}\VersionIndependentProgID	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DCD2BC5-8489-48AE-891F-90C8B2F19F56}	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SkinAddOn.SkinPlasma.1\CLSID\ = "{762EC429-1A5D-4AB8-844A-9A552E1241DA}"	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3FC950C-7583-4377-BAD8-EFBEAA33273C}\TypeLib\ = "{90F3D7B3-92E7-44BA-B444-6A8E2A3BC375}"	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3831331E-0D11-4716-871D-68F3B11D23C9}\InprocServer32\ThreadingModel = "Apartment"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.SkinLabel	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5954EA75-9BFA-461A-BD34-CEA3A861FF19}\MiscStatus\ = "0"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4921908C-7090-4D37-A6B3-FC447F08378A}\TypeLib	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{750FC67C-0311-4391-9864-A2EFED49BD28}\ProxyStubClsid32	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4921908C-7090-4D37-A6B3-FC447F08378A}\ = "ISkinLabel"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5954EA75-9BFA-461A-BD34-CEA3A861FF19}\TypeLib\ = "{90F3D7B3-92E7-44BA-B444-6A8E2A3BC375}"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.SkinLabel.1\ = "SkinLabel Control"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4921908C-7090-4D37-A6B3-FC447F08378A}\TypeLib	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.Skin.1\ = "ActiveSkin Control"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.Skin\CLSID	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0944D16C-D0F4-4389-982A-A085595A9EB3}	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0944D16C-D0F4-4389-982A-A085595A9EB3}\ProgID\ = "ActiveSkin4.Skin.1"	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC22770D-3343-4C56-8A8D-3E560475F655}\InprocServer32\ = "C:\\Windows\\SysWow64\\actskin4.ocx"	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0944D16C-D0F4-4389-982A-A085595A9EB3}\MiscStatus\1\ = "132497"	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0944D16C-D0F4-4389-982A-A085595A9EB3}\TypeLib\ = "{90F3D7B3-92E7-44BA-B444-6A8E2A3BC375}"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A506EF88-9EFC-4522-BFE1-A8E886A64D80}\TypeLib	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D502D4A3-03E6-4EAE-A14E-69606CA63430}\ = "SkinScrollBar Object"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.SkinLabel\CLSID	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{762EC429-1A5D-4AB8-844A-9A552E1241DA}\TypeLib	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5954EA75-9BFA-461A-BD34-CEA3A861FF19}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\actskin4.ocx, 119"	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.Skin\CurVer\ = "ActiveSkin4.Skin.1"	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90F3D7B3-92E7-44BA-B444-6A8E2A3BC375}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0944D16C-D0F4-4389-982A-A085595A9EB3}\InprocServer32\ThreadingModel = "Apartment"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0944D16C-D0F4-4389-982A-A085595A9EB3}\MiscStatus	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SkinAddOn.SkinPlasma\CLSID\ = "{762EC429-1A5D-4AB8-844A-9A552E1241DA}"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A5704C37-40DA-49EF-904B-97E5F5F9B1C5}\InprocServer32\ = "C:\\Windows\\SysWow64\\actskin4.ocx"	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DCD2BC5-8489-48AE-891F-90C8B2F19F56}\ = "SkinForm Object"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{762EC429-1A5D-4AB8-844A-9A552E1241DA}\ProgID	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.SkinLabel\CLSID\ = "{5954EA75-9BFA-461A-BD34-CEA3A861FF19}"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.SkinLabel\CurVer	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B87799AF-2CE9-4DAA-93CF-65F002035369}\InprocServer32\ = "C:\\Windows\\SysWow64\\actskin4.ocx"	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{750FC67C-0311-4391-9864-A2EFED49BD28}\ = "ISkin"	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{010E0B1F-1A47-4D07-A83F-43A819E39CCF}\409 = "ActiveSkin Objects"	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0944D16C-D0F4-4389-982A-A085595A9EB3}\verb\3\ = "&Edit Skin,0,2"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0944D16C-D0F4-4389-982A-A085595A9EB3}\verb\5	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0944D16C-D0F4-4389-982A-A085595A9EB3}\Programmable	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0944D16C-D0F4-4389-982A-A085595A9EB3}\verb\2\ = "&Save Skin,0,2"	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52C01A76-19E2-4A50-AE8A-38FFBCCF9182}\InprocServer32\ThreadingModel = "Apartment"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{762EC429-1A5D-4AB8-844A-9A552E1241DA}\InprocServer32	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90F3D7B3-92E7-44BA-B444-6A8E2A3BC375}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\actskin4.ocx"	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx"	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A5704C37-40DA-49EF-904B-97E5F5F9B1C5}\ = "SkinImage Object"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3831331E-0D11-4716-871D-68F3B11D23C9}\Implemented Categories\{010E0B1F-1A47-4D07-A83F-43A819E39CCF}	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B87799AF-2CE9-4DAA-93CF-65F002035369}\Implemented Categories\{010E0B1F-1A47-4D07-A83F-43A819E39CCF}	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90F3D7B3-92E7-44BA-B444-6A8E2A3BC375}\1.0\FLAGS\ = "0"	RPC GUI v2 - r3L4x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3FC950C-7583-4377-BAD8-EFBEAA33273C}	RPC GUI v2 - r3L4x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3FC950C-7583-4377-BAD8-EFBEAA33273C}\TypeLib\Version = "1.0"	RPC GUI v2 - r3L4x.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2752	RPC GUI v2 - r3L4x.exe

C:\Users\Admin\AppData\Local\Temp\RPC GUI v2 - r3L4x.exe
"C:\Users\Admin\AppData\Local\Temp\RPC GUI v2 - r3L4x.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\actskin4.ocx

Filesize
142KB

MD5
67078bed075051569e6575564434b27a

SHA1
4ec412cf69f3142d5f083989e0160cf5d990bad8

SHA256
4f5649e59b0b57cae1d7788c1d67d001cecaa1fe7de0273242a90d5dff1f037f

SHA512
47f3e3cf2787a8cf4292c51faa573756c2c42effd9dbaeb9ab9594761596c9c82c6b1827f5c271b1dec2a6e51e0cb02d4a4cc7dc5c8e6c6c58e63859ad797304

Download Submit
\Windows\SysWOW64\actskin4.ocx

Filesize
202KB

MD5
1851200f84c737ad7bbfac084786cb10

SHA1
01a2c2a6e1656049d97efd642e08dfcd51378be3

SHA256
70976531125fea369b5d0648d1509cf628802c5553ecec79e8d2a9bc1860b60e

SHA512
7ff37bb9bba1e9870319b3fabaf8e298f5c5a1544e09b4aaba07c87af5e26c63fbead312807510a5ad19ed85bf08848dcbaa8ae6a548a0c57ea10bf2e3258c22

Download Submit
\Windows\SysWOW64\actskin4.ocx

Filesize
368KB

MD5
ca119230812eeee66a5276a8b752f757

SHA1
38152e3b281d9a35a437686dbfbfb79762c34959

SHA256
181679c7a51abcf02c3fda661b1f9035f0bfe9dbde4e6ed503dd3a6ad6a59fea

SHA512
2543b9f192854fb7da7c221cfa9b6c5aefa54dc902f08af13e240dab1687be2e3eb379b44508f1e900a8fa1b9a05089c1e59af1d6b97c9706233844ebcbf36ad

Download Submit
\Windows\SysWOW64\actskin4.ocx

Filesize
276KB

MD5
92cd59c926376c8c7a43623196e9771c

SHA1
99a7e140d5baa94abab7f80d6804598bf8cffad5

SHA256
3ef4587a97aabea80a569d423cfff96b9015afa2b3b59d599b5e38b0a8a6748b

SHA512
7ffbfa19486bc91c38348e396ce33cf0312c99c7c05d4842276dd22c31b3466ef1742557d3071a61b98d3790202e9f8693a62c14aae5bcb9c8406cbe34c28032

Download Submit
\Windows\SysWOW64\mswinsck.ocx

Filesize
97KB

MD5
1bfa2aed585d6d56f2178963844a801b

SHA1
2c4c65772c9cd240157e63d51a5dd10f6a8f7eb8

SHA256
bfde3ad23099072c7ca2622fd38b41db5300001651c59b1898a39eae348e8311

SHA512
af8bef3e354a0b0efb702dcc79a5ec1bb4eff54afd1d57f2be8f1e8f1f4931670c75fdbfd6705cd31b1007abf892b789fcbcbb61e1870bef14c87265cae3c50e

Download Submit
\Windows\SysWOW64\mswinsck.ocx

Filesize
106KB

MD5
3d8fd62d17a44221e07d5c535950449b

SHA1
6c9d2ecdd7c2d1b9660d342e2b95a82229486d27

SHA256
eba048e3a9cb11671d0e3c5a0b243b304d421762361fe24fd5ea08cb66704b09

SHA512
501e22a0f99e18f6405356184506bc5849adc2c1df3bdee71f2b4514ab0e3e36673b4aecbd615d24ebb4be5a28570b2a6f80bd52331edb658f7a5f5a9d686d10

Download Submit
memory/2752-0-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/2752-11-0x0000000010000000-0x000000001005C000-memory.dmp

Filesize
368KB

Download
memory/2752-15-0x0000000010000000-0x000000001005C000-memory.dmp

Filesize
368KB

Download
memory/2752-25-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads