e6d5f795663afb1d9126c22c268c02c0188cf6ce5ec6a010fdce60016e34f986

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17/01/2024, 23:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

63f34029f0db1becaacc8aa7fa9ced0f.dll
Size

170KB
MD5

63f34029f0db1becaacc8aa7fa9ced0f
SHA1

3e32d560ff86bcc8355c69db95477d569f61c063
SHA256

e6d5f795663afb1d9126c22c268c02c0188cf6ce5ec6a010fdce60016e34f986
SHA512

6d99bb854bacd92f8078387301ff9cb919879071bf330544f73fe910e3fc467fd4cf5fd39312fef000dc1f2e340d76970fb20db196c3bf63fed6bc415d3362fa
SSDEEP

3072:7yaH6nBhYZHoQPOWlh+O5iuDgNI9c4CwShRLgB8mTg:7ya4YNP2WlhlDILxmU

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{58DEB896-7C4A-4E50-BDED-BC5086A34EB0}	regsvr32.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\63f34029f0db1becaacc8aa7fa9ced0f.msiess\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\63f34029f0db1becaacc8aa7fa9ced0f.msiess\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\63f34029f0db1becaacc8aa7fa9ced0f.msiess\Clsid\ = "{58DEB896-7C4A-4E50-BDED-BC5086A34EB0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DEB896-7C4A-4E50-BDED-BC5086A34EB0}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DEB896-7C4A-4E50-BDED-BC5086A34EB0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DEB896-7C4A-4E50-BDED-BC5086A34EB0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\63f34029f0db1becaacc8aa7fa9ced0f.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DEB896-7C4A-4E50-BDED-BC5086A34EB0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\63f34029f0db1becaacc8aa7fa9ced0f.msiess	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DEB896-7C4A-4E50-BDED-BC5086A34EB0}\ProgID\ = "63f34029f0db1becaacc8aa7fa9ced0f.msiess"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DEB896-7C4A-4E50-BDED-BC5086A34EB0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DEB896-7C4A-4E50-BDED-BC5086A34EB0}\	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1048	2236	regsvr32.exe	28
PID 2236 wrote to memory of 1048	2236	regsvr32.exe	28
PID 2236 wrote to memory of 1048	2236	regsvr32.exe	28
PID 2236 wrote to memory of 1048	2236	regsvr32.exe	28
PID 2236 wrote to memory of 1048	2236	regsvr32.exe	28
PID 2236 wrote to memory of 1048	2236	regsvr32.exe	28
PID 2236 wrote to memory of 1048	2236	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\63f34029f0db1becaacc8aa7fa9ced0f.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\63f34029f0db1becaacc8aa7fa9ced0f.dll
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads