52d540967202aa6e2069dd94711f926ac68ca8f67e90740b8734033546c3148a

Analysis

max time kernel
118s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 17:17

Target

8ce53e440792c40f2b5f8c926337c379.dll
Size

64KB
MD5

8ce53e440792c40f2b5f8c926337c379
SHA1

7029f5d1a895ec9564a774c408c334fb25acca57
SHA256

52d540967202aa6e2069dd94711f926ac68ca8f67e90740b8734033546c3148a
SHA512

26717f84f262bfc94185dd42c44bc3ea0dd904422ed1e5c58c03d3f46d24876773bad519c9619ecce0c699ca52813b5e1f014a927286c5381a67465879a33f39
SSDEEP

768:+gySxDwCe4K+3tbtmVZIA/e65NE4eYoGc4JKkL0T3Mu/lWeuIKeunHeu/9Uguc7l:+4NS+dpmVc65Gahc4JKfMuraPhcuB

Score

1^/10

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2DD822A0-6C0C-45BC-9CBF-1C7B526C90BB}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2DD822A0-6C0C-45BC-9CBF-1C7B526C90BB}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2DD822A0-6C0C-45BC-9CBF-1C7B526C90BB}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2DD822A0-6C0C-45BC-9CBF-1C7B526C90BB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8ce53e440792c40f2b5f8c926337c379.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2DD822A0-6C0C-45BC-9CBF-1C7B526C90BB}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2DD822A0-6C0C-45BC-9CBF-1C7B526C90BB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2DD822A0-6C0C-45BC-9CBF-1C7B526C90BB}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2DD822A0-6C0C-45BC-9CBF-1C7B526C90BB}\1.0\ = "XInLink 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2DD822A0-6C0C-45BC-9CBF-1C7B526C90BB}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2DD822A0-6C0C-45BC-9CBF-1C7B526C90BB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2980	regsvr32.exe
472	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2980	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2980	2708	regsvr32.exe	28
PID 2708 wrote to memory of 2980	2708	regsvr32.exe	28
PID 2708 wrote to memory of 2980	2708	regsvr32.exe	28
PID 2708 wrote to memory of 2980	2708	regsvr32.exe	28
PID 2708 wrote to memory of 2980	2708	regsvr32.exe	28
PID 2708 wrote to memory of 2980	2708	regsvr32.exe	28
PID 2708 wrote to memory of 2980	2708	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8ce53e440792c40f2b5f8c926337c379.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\8ce53e440792c40f2b5f8c926337c379.dll
  2⤵
  - Modifies registry class
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2980