ada0b61a044866751911a6f6902a802d327b775025cc715d8b2e0bc0bfd0ef1a

Resubmissions

30/01/2024, 20:29

240130-y9r65sddem 10

27/01/2024, 22:52

240127-2tmhhafgbq 5

27/01/2024, 22:49

240127-2r7ewsffgq 7

Analysis

max time kernel
144s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
27/01/2024, 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ptusredt.dll
Size

165KB
MD5

3c3e960d59cb413791fee1e944b6df72
SHA1

4aa6c90d81692642ca8266bf0d8e249ff3e3ad54
SHA256

88378c228d7827974fe6ec827837af7571290e129082e7070d4bff7a42f4ba67
SHA512

85b471aa2a066c6a779384ed102b895af108af51cd718bb834cda107f71bf5e6fcd8ecc77e9ea4fd7fd3ddbc10b1f57870a9bafcbbfa1be8e2ba224651d77aac
SSDEEP

3072:Ze0HJrRJW9+tjxQGsfzeV0YuNmu5uWj5ONq/1epLcv60H9+v:8SrRJGeNsry0hmuqRoy0H9u

Score

1^/10

Malware Config

Signatures

Modifies registry class 31 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder.1\ = "UserNameHolder Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\VersionIndependentProgID\ = "UserEditHelp.UserNameHolder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder.1\CLSID\ = "{E8D0CE8D-BC70-4025-978F-E86068362730}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\ = "UserNameHolder Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\TypeLib\ = "{A15A1C00-9788-44D9-AA0A-723F170887CF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ptusredt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\ = "UserEditHelp 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder\ = "UserNameHolder Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder\CLSID\ = "{E8D0CE8D-BC70-4025-978F-E86068362730}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\ProgID\ = "UserEditHelp.UserNameHolder.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ptusredt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder\CurVer\ = "UserEditHelp.UserNameHolder.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UserEditHelp.UserNameHolder.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E8D0CE8D-BC70-4025-978F-E86068362730}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A15A1C00-9788-44D9-AA0A-723F170887CF}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 4652	1404	regsvr32.exe	79
PID 1404 wrote to memory of 4652	1404	regsvr32.exe	79
PID 1404 wrote to memory of 4652	1404	regsvr32.exe	79

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ptusredt.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\ptusredt.dll
  2⤵
  - Modifies registry class
  PID:4652

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads