Overview
overview
10Static
static
3dcdc99a71a...3b.exe
windows7-x64
10dcdc99a71a...3b.exe
windows10-2004-x64
10$TEMP/Part...ri.dll
windows7-x64
10$TEMP/Part...ri.dll
windows10-2004-x64
10$TEMP/what...60.dll
windows7-x64
1$TEMP/what...60.dll
windows10-2004-x64
1$TEMP/what...60.dll
windows7-x64
1$TEMP/what...60.dll
windows10-2004-x64
1$TEMP/what...60.dll
windows7-x64
1$TEMP/what...60.dll
windows10-2004-x64
1$TEMP/what...ps.dll
windows7-x64
1$TEMP/what...ps.dll
windows10-2004-x64
1$TEMP/what...ui.dll
windows7-x64
1$TEMP/what...ui.dll
windows10-2004-x64
1$TEMP/what...er.dll
windows7-x64
1$TEMP/what...er.dll
windows10-2004-x64
1Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10-04-2024 07:58
Static task
static1
Behavioral task
behavioral1
Sample
dcdc99a71af2d3db2cb3004dd3e91a4908d71a876179b447ed116742cff8ba3b.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
dcdc99a71af2d3db2cb3004dd3e91a4908d71a876179b447ed116742cff8ba3b.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$TEMP/PartiShikari.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
$TEMP/PartiShikari.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$TEMP/whatnot/failure/cgi-bin/33.opends60.dll
Resource
win7-20240319-en
windows7-x64
Behavioral task
behavioral6
Sample
$TEMP/whatnot/failure/cgi-bin/33.opends60.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$TEMP/whatnot/failure/cgi-bin/69.opends60.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
$TEMP/whatnot/failure/cgi-bin/69.opends60.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$TEMP/whatnot/failure/cgi-bin/79.opends60.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral10
Sample
$TEMP/whatnot/failure/cgi-bin/79.opends60.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$TEMP/whatnot/failure/cgi-bin/edbgps.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
$TEMP/whatnot/failure/cgi-bin/edbgps.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$TEMP/whatnot/failure/cgi-bin/hxvzui.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral14
Sample
$TEMP/whatnot/failure/cgi-bin/hxvzui.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$TEMP/whatnot/failure/cgi-bin/sbsdiasymreader.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
$TEMP/whatnot/failure/cgi-bin/sbsdiasymreader.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
$TEMP/whatnot/failure/cgi-bin/edbgps.dll
-
Size
26KB
-
MD5
2160b3e337a493ca6fe9c1a0cd8b7b82
-
SHA1
1a5cd9e540bce012ef88c4778d359a0c20cc2cc8
-
SHA256
234458831289380cecd07624c51dc31f97fa6d9f81ed29bbff17afb8a27332dc
-
SHA512
15e086800b71137c4e44cac4aab6a3289ea644bbe4c11a915ecfdf1000f67b8a9ac590b8aa894be5e660227c00a9a9e63d9c61dd7dd1e4908398ef889dfc0e02
-
SSDEEP
384:WV0a/hPqP4h1q8fJIlPPV0n64l6GGWkaQWW4u+R4Kyr:7EBKC64aaLK
Malware Config
Signatures
-
Modifies registry class 64 IoCs
Processes:
regsvr32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11D95AF6-D32C-425D-B060-2B573E46FB6D}\InProcServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8D33E4A-9A08-4E72-845F-7627A063115E}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A31B4892-9236-44DE-98DB-89AE61EF8685}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7B4F8FD3-38A9-4087-8C82-2B52F275A571}\ = "IEmbeddedConnectivityLayer" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7B4F8FD3-38A9-4087-8C82-2B52F275A571}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ED73A477-7B78-4150-B50F-1E8197C79AD0}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69A69350-671F-4FEC-8E84-5353BAAB806E}\ = "IEmbeddedSymbolProvider" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B843AD9-F235-4121-A0B1-DD766AF1A333} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C5051BE6-804A-47B8-8FFE-2E80C41DE490}\NumMethods\ = "5" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11D95AF6-D32C-425D-B060-2B573E46FB6D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EFFD432C-9154-4069-89EB-48DB8D38A4E8} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EFFD432C-9154-4069-89EB-48DB8D38A4E8}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF7AA070-61A3-4167-87C1-D82D6A2CF8A6}\ = "IEmbeddedNativeDumpProcess" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ED73A477-7B78-4150-B50F-1E8197C79AD0}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3E94238-1B83-4223-BACD-F112B2E63168} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C0C734A-FC33-4EF2-B9EE-EFECB9B41B5F}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A31B4892-9236-44DE-98DB-89AE61EF8685} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{537333ED-714D-408E-83D4-A8908A76E022}\ = "IEmbeddedObjectBinder" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8D33E4A-9A08-4E72-845F-7627A063115E}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299666F8-849F-474D-9368-707902441FB6}\NumMethods\ = "15" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4E58998-5BED-4413-A082-813F064AB68D}\NumMethods\ = "13" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C0C734A-FC33-4EF2-B9EE-EFECB9B41B5F}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3C81844-B3CA-4BDC-9C5E-1B5CCEA0976B}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3C81844-B3CA-4BDC-9C5E-1B5CCEA0976B}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{537333ED-714D-408E-83D4-A8908A76E022}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8D33E4A-9A08-4E72-845F-7627A063115E}\ = "IEmbeddedNativeProcess" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3E94238-1B83-4223-BACD-F112B2E63168}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8EEEFA6-7297-4A4E-A4C8-8BF188F9B533} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C587BD8-A9B0-4C41-AF85-FF6A164D40E9} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A31B4892-9236-44DE-98DB-89AE61EF8685}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A31B4892-9236-44DE-98DB-89AE61EF8685}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B843AD9-F235-4121-A0B1-DD766AF1A333}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B843AD9-F235-4121-A0B1-DD766AF1A333}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF7AA070-61A3-4167-87C1-D82D6A2CF8A6}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{617AD585-925B-4891-80C2-67AA19A21A3B}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8EEEFA6-7297-4A4E-A4C8-8BF188F9B533}\ = "IEmbeddedRemoteCorDebugPort" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C0C734A-FC33-4EF2-B9EE-EFECB9B41B5F}\ = "IEnumFrameCallBack" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A17F2213-0FB6-4F25-BD47-34B95C2E4AEE}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2B715021-C455-4DAC-B154-D6DC8C5CDEAD}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4E58998-5BED-4413-A082-813F064AB68D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1BF669A-48C5-44F9-A9B2-28585B6C1FE6}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{537333ED-714D-408E-83D4-A8908A76E022} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C8E3A10-1F09-4E6B-929F-FC464C1CA6B2}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7B4F8FD3-38A9-4087-8C82-2B52F275A571} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93079278-5272-4EDA-BBE0-D16723DE2845}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C8E3A10-1F09-4E6B-929F-FC464C1CA6B2}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C587BD8-A9B0-4C41-AF85-FF6A164D40E9}\NumMethods\ = "4" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B843AD9-F235-4121-A0B1-DD766AF1A333}\ = "IEmbeddedDisassemblyStream" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299666F8-849F-474D-9368-707902441FB6}\ = "IEmbeddedRegisterHierarchy" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3C81844-B3CA-4BDC-9C5E-1B5CCEA0976B} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93079278-5272-4EDA-BBE0-D16723DE2845}\ = "IEmbeddedExpressionEvaluator" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3E94238-1B83-4223-BACD-F112B2E63168}\NumMethods\ = "4" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69A69350-671F-4FEC-8E84-5353BAAB806E}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11D95AF6-D32C-425D-B060-2B573E46FB6D}\ = "PSFactoryBuffer" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A17F2213-0FB6-4F25-BD47-34B95C2E4AEE}\ = "IEmbeddedRPCCallback" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{617AD585-925B-4891-80C2-67AA19A21A3B}\NumMethods\ = "7" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4E58998-5BED-4413-A082-813F064AB68D}\ = "IEmbeddedNativeRemoteLayer" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1BF669A-48C5-44F9-A9B2-28585B6C1FE6}\NumMethods\ = "6" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8EEEFA6-7297-4A4E-A4C8-8BF188F9B533}\ProxyStubClsid32\ = "{11D95AF6-D32C-425D-B060-2B573E46FB6D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69A69350-671F-4FEC-8E84-5353BAAB806E} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8D33E4A-9A08-4E72-845F-7627A063115E} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69A69350-671F-4FEC-8E84-5353BAAB806E}\ProxyStubClsid32 regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
regsvr32.exedescription pid process target process PID 2908 wrote to memory of 1724 2908 regsvr32.exe regsvr32.exe PID 2908 wrote to memory of 1724 2908 regsvr32.exe regsvr32.exe PID 2908 wrote to memory of 1724 2908 regsvr32.exe regsvr32.exe PID 2908 wrote to memory of 1724 2908 regsvr32.exe regsvr32.exe PID 2908 wrote to memory of 1724 2908 regsvr32.exe regsvr32.exe PID 2908 wrote to memory of 1724 2908 regsvr32.exe regsvr32.exe PID 2908 wrote to memory of 1724 2908 regsvr32.exe regsvr32.exe
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\edbgps.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\$TEMP\whatnot\failure\cgi-bin\edbgps.dll2⤵
- Modifies registry class