bff57ccfbe2690d2b35717379b6c6902270dba122a8d508457124c073eaffd0e

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02-02-2024 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

objectps.dll
Size

32KB
MD5

f68ba4725d1aaf180ff33cf18d262c5e
SHA1

c80aa11dac0425dcc41e44a955036dbbb773cdc9
SHA256

dfb91bc980fd1267fb8032b0d36c72d08fca03bb723d895be481ae7d275174e4
SHA512

7aba373385f2d7a9d4bba03facc2df50bb1a644580fcfbfabab090bccc835b25c48a8432325d1bf380795e92a700e45a8615138a609e8848dc7f82c9b4cfdbc8
SSDEEP

192:wC7QKb0lcjICIpWBCaE0c2ALrk0z+gfJagCaUAgHFWSVDdHVHUCDznkwAzHks5:wrYhCYBWZzrzSeagGfHdDdJUOgss

Score

1^/10

Malware Config

Signatures

Modifies registry class 19 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\objectps.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ = "ISetupObjectClass"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ = "ISetupServiceProvider"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods\ = "5"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ProxyStubClsid32\ = "{F4817E4B-04B6-11D3-8862-00C04F72F303}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\NumMethods\ = "6"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ProxyStubClsid32\ = "{F4817E4B-04B6-11D3-8862-00C04F72F303}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2056 wrote to memory of 2580	2056	regsvr32.exe	regsvr32.exe
PID 2056 wrote to memory of 2580	2056	regsvr32.exe	regsvr32.exe
PID 2056 wrote to memory of 2580	2056	regsvr32.exe	regsvr32.exe
PID 2056 wrote to memory of 2580	2056	regsvr32.exe	regsvr32.exe
PID 2056 wrote to memory of 2580	2056	regsvr32.exe	regsvr32.exe
PID 2056 wrote to memory of 2580	2056	regsvr32.exe	regsvr32.exe
PID 2056 wrote to memory of 2580	2056	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\objectps.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\objectps.dll
2⤵
- Modifies registry class
PID:2580

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads