66e9f4d03e67dbcbd9d3a13bfc45b2c11e712b677e990e8ea1b405b60a3a40b2

Analysis

max time kernel
1715s
max time network
1172s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Resources/DSKImageMenu.dll
Size

440KB
MD5

6e7ca785db2b43c45558ac7666a3413e
SHA1

c488648729538d312eb0f6114876e90336d3867b
SHA256

3a7f8b923eaf6ab54299ffcb03b0d33b09e52a5f2297b029b0f931c9896a7ca6
SHA512

1633e10d886d23604d8152a3299e6ed41658f5fff30ea581e2aee22695f010cda2059836c34135d67404026a30526a83f065b45cadf089180e623de253fcc2d8
SSDEEP

6144:WkkZ95yn2Yi1SkEXje4zqYrt1G3uS0JyWn7J16zPM7G6EB6:WR5yn2X1SkEzzrt1G3x0Z7Jh7G646

Score

1^/10

Malware Config

Signatures

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC3F9C94-A875-472A-BF45-9F1E8D660A91}\ProgID\ = "DSKImageMenu.Hetman Partition Recovery"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Disk.Image.File\shell\Open\command	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Disk.Image.File\shell	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Disk.Image.File\shell\Open\command\ = "\"\" \"dsk_file %1\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Disk.Image.File\shellex	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC3F9C94-A875-472A-BF45-9F1E8D660A91}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC3F9C94-A875-472A-BF45-9F1E8D660A91}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC3F9C94-A875-472A-BF45-9F1E8D660A91}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Disk.Image.File	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DSKImageMenu.Hetman Partition Recovery	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DSKImageMenu.Hetman Partition Recovery\ = "Mount to Hetman Partition Recovery"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DSKImageMenu.Hetman Partition Recovery\Clsid\ = "{CC3F9C94-A875-472A-BF45-9F1E8D660A91}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dsk\ = "Disk.Image.File"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Disk.Image.File\shell\Open	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC3F9C94-A875-472A-BF45-9F1E8D660A91}\ = "Mount to Hetman Partition Recovery"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC3F9C94-A875-472A-BF45-9F1E8D660A91}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Resources\\DSKImageMenu.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DSKImageMenu.Hetman Partition Recovery\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Disk.Image.File\shellex\ContextMenuHandlers	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Disk.Image.File\shellex\ContextMenuHandlers\Hetman Partition Recovery\ = "{CC3F9C94-A875-472A-BF45-9F1E8D660A91}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC3F9C94-A875-472A-BF45-9F1E8D660A91}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dsk	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Disk.Image.File\shellex\ContextMenuHandlers\Hetman Partition Recovery	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 692	1468	regsvr32.exe	86
PID 1468 wrote to memory of 692	1468	regsvr32.exe	86
PID 1468 wrote to memory of 692	1468	regsvr32.exe	86

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Resources\DSKImageMenu.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\Resources\DSKImageMenu.dll
  2⤵
  - Modifies registry class
  PID:692

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads