483bd7390f4b5a48497b6a1bba163c5b239f413b8fd8e9d901d0793c83b9be8e

Analysis

max time kernel
1518s
max time network
1511s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
24/02/2024, 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

apps/VBCCR17.dll
Size

5.3MB
MD5

e7aaa82f0a491fe4cf7603038758af41
SHA1

cbff47d3ee71ce3b73f5e8c9be6582711bc370f5
SHA256

b8d73bc915d8c617204979588f788f5dcd90d30df026afe9bde5fe3c39e36dcc
SHA512

23cf3281cf4f7dda81fea92570dade07962cb01c7bd65d3be416d9a684b27c315699962c16f5842fc3fe35a5fd67c1faf93decc9e6f9191304ebd0eb2b2e4163
SSDEEP

98304:fSEb13WlsSTkxAyij5+MUtBV2LFSgTKBc4m9cXZJQ2fL:fXb13WlsSTkx5ij5+MUtBV2LFSsKBc4n

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45DB3E16-2B96-4455-9ADE-121D551AA552}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85D3B2DD-E556-46EC-9628-D2BBD6ED09FA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79CBB947-4387-4773-A5FE-1AA94FDB521F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1C5EDE8-D1D2-478C-8A68-CA5E432F4E33}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54D9F036-7680-4662-8522-80A6248F6152}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apps\\VBCCR17.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E9A1CFDD-5731-41AE-9459-7D63AB950674}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94D42D0F-5619-49DB-9C15-C2513ACCCD4D}\ = "_ImcComboItems"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C86F4D4-4C96-4C19-A233-93184BF8D376}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A94BA123-00C7-46DA-B871-145123A3CC75}\ProgID\ = "VBCCR17.ImcComboItem"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{137B5FC4-C8D2-4402-B080-45B20C268C93}\ = "CbrBand"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{317589D1-37C8-47D9-B5B0-1C995741F353}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C71F6A11-472D-4F3A-9E61-EED909D53558}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF81810B-F8A9-4F64-8AAB-62429CB95C43}\VERSION\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EEADA92-798C-48D7-9E59-85E01069D475}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F09B4E7-6741-4B80-8A25-0542D96AEB60}\ = "__DTPicker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8914F35-AE39-4FF4-B275-FE504072D0E9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{050422A7-ADD9-4EE5-A6A2-B5E203E4FB0D}\ = "__TreeView"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{280849D4-0505-4D0B-BB54-1696E763890E}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B8A1D1B-D28F-4F82-B2FC-F395F3D931B5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apps\\VBCCR17.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F43DFAB0-F5E0-4DC0-A896-F06DEDE22940}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86F0D911-EA8D-424D-989B-9A25727AB08F}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E93DA99-1F35-4958-9A77-91409C295511}\ = "VBCCR17.PPImageListGeneral"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87E86E99-BC21-4BF5-A8A5-D97FFE35195A}\ = "__OptionButtonW"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{07634335-20A0-40DD-BBE0-D29FE3A29B62}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBCCR17.SbrPanelProperties\ = "VBCCR17.SbrPanelProperties"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FC03CEE-DEAE-40EE-8D71-1FCEB22DD778}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBCCR17.LvwGroups\Clsid\ = "{C5CE90CB-5399-4291-86D8-F98715C094F5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4BD27D65-D9AB-48FE-9B5C-9C5A7E6C56FC}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F460F2D5-8BD3-4B5D-8E5F-4424DCD4BF22}\ = "_OptionButtonW"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F62D5FA5-CA7C-457C-9BA4-DA0BDC7DF6A2}\VERSION	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{229029CF-623E-4CFF-9004-04F442B94BFF}\ProgID\ = "VBCCR17.MonthView"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E25624A-54CE-4CCD-AFA1-C32862E7977B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98F27383-CBE6-4C24-876F-AB865939B821}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apps\\VBCCR17.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C03FF81F-C85A-426D-9244-8A4C3FCBF6FF}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E11D110F-48DE-49AE-9F9E-8E0C3075272B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C08F8DB0-B651-4697-AF27-51A5C606041E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B9F30C33-7F14-446D-8100-42FD61237D0F}\VERSION	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AADB6ACF-53F1-49F4-A564-F2944ECDFC0C}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBCCR17.LvwColumnHeader\Clsid\ = "{01B7E1C3-E6BF-4F84-851D-3BBC9848E79D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{872A2FB0-B973-473D-9D1E-E79A80AA3632}\ = "_CommonDialog"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C03FF81F-C85A-426D-9244-8A4C3FCBF6FF}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1B556DA-C383-42CC-A064-6125AAFC0CB4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C766FCE-DCD9-441C-A85D-6F3D8F44F541}\ = "TbrButton"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B9F30C33-7F14-446D-8100-42FD61237D0F}\TypeLib\ = "{317589D1-37C8-47D9-B5B0-1C995741F353}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{43304640-DD49-43FD-B702-1DBF2F145FDC}\TypeLib\ = "{317589D1-37C8-47D9-B5B0-1C995741F353}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8CF72141-7BF6-4EBC-8272-459FBE2E2DFE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F460F2D5-8BD3-4B5D-8E5F-4424DCD4BF22}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9217418-43E3-4D9A-B460-6AFBFD4F8DDD}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5EC0F6F-9951-4889-A26B-AB86EC409BA6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{350904B2-D309-4BCF-B2CC-9D6D1ACC9276}\ = "VBCCR17.PPCoolBarGeneral"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E9A1CFDD-5731-41AE-9459-7D63AB950674}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{01860F46-CCE6-455C-BB1A-8C89191E2F64}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B9F30C33-7F14-446D-8100-42FD61237D0F}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1C5EDE8-D1D2-478C-8A68-CA5E432F4E33}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A54AC5BE-C889-4F5C-BB83-76F352BD164D}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A54AC5BE-C889-4F5C-BB83-76F352BD164D}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96091F1A-B7B6-42C1-B201-C0DCA0727CF9}\ = "StatusBar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F82A18B5-8219-4378-9E1F-00C57E18A242}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FFF410D3-0C9B-497B-A807-090B555E35BE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82A7650A-CAE0-4D81-AC2C-101D0D5E6A02}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F62D5FA5-CA7C-457C-9BA4-DA0BDC7DF6A2}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EE0BE80C-ED75-4206-8E7D-AC8A48FD5138}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C3D778-B70E-4C4E-A035-0059AF54CD4E}\ = "CommandLink"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBCCR17.CommonDialog	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 2216	3516	regsvr32.exe	81
PID 3516 wrote to memory of 2216	3516	regsvr32.exe	81
PID 3516 wrote to memory of 2216	3516	regsvr32.exe	81

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\apps\VBCCR17.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\apps\VBCCR17.dll
  2⤵
  - Modifies registry class
  PID:2216

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads