fc6d3cd59588db62afcd01140526c1b6ce6a5bf801079da62d228371457ad93f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/01/2024, 14:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

EV去除录屏检测工具v2.81/EV去除录屏检测工具v2.81/RegDll.dll
Size

24KB
MD5

e29d9a912204844df5306ca3935b1f1c
SHA1

19ba6440827ad2ac515aeb6c8700fbb4c896e61c
SHA256

3453bb9b4550dd5a51a64c3d2d25f1b49744b05ac740c57f2dd9f89084811318
SHA512

9229d5c845eeb36cd293e8d998aca63ed14f41b43d7d11da8682ede4d24853eff19bf0801b8ab055d50c849be7cbf94b890a672d90b55eec5019cebf98925a3a
SSDEEP

96:Q+fvNT4ui9YFfZVS7pxN3LusGOKmzXyUo2SZjvnEkWRA5mJL4DwdQTDut9Zdn0K/:TcYbM1H3ysce2NEkWCG4DoQTD0d0+

Score

1^/10

Malware Config

Signatures

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34531331-126E-4FC8-B430-1C6143484AA9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.RegDll\CLSID\ = "{34531331-126E-4FC8-B430-1C6143484AA9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34531331-126E-4FC8-B430-1C6143484AA9}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34531331-126E-4FC8-B430-1C6143484AA9}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34531331-126E-4FC8-B430-1C6143484AA9}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.RegDll	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.RegDll\ = "QMPlugin.RegDll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34531331-126E-4FC8-B430-1C6143484AA9}\ = "QMPlugin.RegDll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.RegDll\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34531331-126E-4FC8-B430-1C6143484AA9}\ProgID\ = "QMPlugin.RegDll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34531331-126E-4FC8-B430-1C6143484AA9}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EV????????v2.81\\EV????????v2.81\\RegDll.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34531331-126E-4FC8-B430-1C6143484AA9}\InprocServer32	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1700	1212	regsvr32.exe	16
PID 1212 wrote to memory of 1700	1212	regsvr32.exe	16
PID 1212 wrote to memory of 1700	1212	regsvr32.exe	16
PID 1212 wrote to memory of 1700	1212	regsvr32.exe	16
PID 1212 wrote to memory of 1700	1212	regsvr32.exe	16
PID 1212 wrote to memory of 1700	1212	regsvr32.exe	16
PID 1212 wrote to memory of 1700	1212	regsvr32.exe	16

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EV去除录屏检测工具v2.81\EV去除录屏检测工具v2.81\RegDll.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\EV去除录屏检测工具v2.81\EV去除录屏检测工具v2.81\RegDll.dll
  2⤵
  - Modifies registry class
  PID:1700

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads