9961869f01394fde9dbd52c89f1f4fc6bdf84f5516b0e21798b5b9f3835d07ea

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 06:21

Target

c011a30120b4e0cb28fb22537a912703.dll
Size

32KB
MD5

c011a30120b4e0cb28fb22537a912703
SHA1

59468ec09787ff3ef8e04d390b786e90ea0be8d9
SHA256

9961869f01394fde9dbd52c89f1f4fc6bdf84f5516b0e21798b5b9f3835d07ea
SHA512

67166510d218ef1453b510d3e3c17cf7f0d5b084ecf0b399fd448aa7684d0b4994dc6c1809bcad1f7babd2302032ec10112a4ead2562fbc909f97ecf66371be1
SSDEEP

384:cKHyno+kEoNdDytwHUgy4uytzjL/8p2Ym:ccAxVoNdyuUg3tzf8pY

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
2524	L70000008.exe
2660	sfx560C.tmp

Loads dropped DLL 4 IoCs

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\L70000008.exe	regsvr32.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}\1.0\ = "exe_in_dll 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c011a30120b4e0cb28fb22537a912703.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}\1.0\HELPDIR	regsvr32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 3008	3012	regsvr32.exe	28
PID 3012 wrote to memory of 3008	3012	regsvr32.exe	28
PID 3012 wrote to memory of 3008	3012	regsvr32.exe	28
PID 3012 wrote to memory of 3008	3012	regsvr32.exe	28
PID 3012 wrote to memory of 3008	3012	regsvr32.exe	28
PID 3012 wrote to memory of 3008	3012	regsvr32.exe	28
PID 3012 wrote to memory of 3008	3012	regsvr32.exe	28
PID 3008 wrote to memory of 2524	3008	regsvr32.exe	29
PID 3008 wrote to memory of 2524	3008	regsvr32.exe	29
PID 3008 wrote to memory of 2524	3008	regsvr32.exe	29
PID 3008 wrote to memory of 2524	3008	regsvr32.exe	29
PID 2524 wrote to memory of 2660	2524	L70000008.exe	30
PID 2524 wrote to memory of 2660	2524	L70000008.exe	30
PID 2524 wrote to memory of 2660	2524	L70000008.exe	30
PID 2524 wrote to memory of 2660	2524	L70000008.exe	30

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c011a30120b4e0cb28fb22537a912703.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\c011a30120b4e0cb28fb22537a912703.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\L70000008.exe
    "C:\Windows\System32\L70000008.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\sfx560C.tmp
      ™
      4⤵
      Executes dropped EXE
      PID:2660

\Users\Admin\AppData\Local\Temp\sfx560C.tmp

Filesize
6KB

MD5
1d4d0eb07ab71126e10c3d6f1d0a1fa0

SHA1
9f110179e4878e352fe837e050b9e883c83ff8e7

SHA256
17a9a978fdb0234abd67a00edb0cabe0df79cc7f33727cbe94cfc4defa89d877

SHA512
d76b6fcd437ae10847e034f8815b7fd1f0f0d48166398ddf1e1b373c708be3914bc9e0b603d6eaabc6375b63b809e976d22c29886a1f032e20277ebdf6beee43

Download Submit
\Windows\SysWOW64\L70000008.exe

Filesize
11KB

MD5
aec1935b5e6847b942284e380d23a3c9

SHA1
9b286d6da4ebdc0c9129cdf1144694824b340d70

SHA256
b60b0865a051430ceeb51b19bae00cd48675b5db83df55cd64939e5a115420e6

SHA512
b454649cac2eaabb56b4300b95f7fa4745043a83b6daedea2383bc0c01bfb722e79742a9cc46c75202c450f936bbc9a579f31200c230fe35cec43c33a3150c87

Download Submit