3da6828f8567c3cfbd3982484da2f94dd40f721a77fd46c624268cdb550c0035

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

oofile_1.47/FileTranDll.dll
Size

408KB
MD5

a31dd4781b44a0549eefb36486411e6d
SHA1

f5acf8f1b5f83852333f3c53d9fd65674d63a0d0
SHA256

a3d793d6ce0fe7b1fe7027a18f2214140328f852e8181ec2473e299259278cef
SHA512

8b441da9dcf22f76d6a2820f0015bf27946a4c7eb90a68921c7d9d9b27ae63713ca80cac7215d3639f0e0524060775b3d2f5d567d7c442a4dfad7990886c74a2
SSDEEP

6144:3sQjn73dGANUL678bQscMNS5r1FSrFz/BWPPP/QC8:RjBGAWPbQs41FeOAC8

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F2960687-EC5E-4584-BEF9-EFC7D1D86112}\TypeLib\ = "{80AECCA8-6A06-4BDF-8803-624E7CE96F56}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA4341B7-2043-4BA6-B8D2-CC3FDFA0C537}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oofile_1.47\\FileTranDll.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Client\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60F52C71-FAB3-42A9-AA7D-5B6D0323E494}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F2960687-EC5E-4584-BEF9-EFC7D1D86112}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Connection.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Connection	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60F52C71-FAB3-42A9-AA7D-5B6D0323E494}\TypeLib\ = "{80AECCA8-6A06-4BDF-8803-624E7CE96F56}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2960687-EC5E-4584-BEF9-EFC7D1D86112}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Server\CurVer\ = "FileTranDll.Server.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Client.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}\ = "Client Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60F52C71-FAB3-42A9-AA7D-5B6D0323E494}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Server	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60F52C71-FAB3-42A9-AA7D-5B6D0323E494}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60F52C71-FAB3-42A9-AA7D-5B6D0323E494}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39D227FE-B8D8-493D-B15C-A28DA094FDA2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA4341B7-2043-4BA6-B8D2-CC3FDFA0C537}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA4341B7-2043-4BA6-B8D2-CC3FDFA0C537}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Client.1\ = "Client Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Connection\CLSID\ = "{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}\VersionIndependentProgID\ = "FileTranDll.Client"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA4341B7-2043-4BA6-B8D2-CC3FDFA0C537}\ = "Server Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA4341B7-2043-4BA6-B8D2-CC3FDFA0C537}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{80AECCA8-6A06-4BDF-8803-624E7CE96F56}\1.0\ = "FileTranDll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2960687-EC5E-4584-BEF9-EFC7D1D86112}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}\ProgID\ = "FileTranDll.Connection.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{80AECCA8-6A06-4BDF-8803-624E7CE96F56}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oofile_1.47\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60F52C71-FAB3-42A9-AA7D-5B6D0323E494}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Server\ = "Server Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{80AECCA8-6A06-4BDF-8803-624E7CE96F56}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F2960687-EC5E-4584-BEF9-EFC7D1D86112}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}\ = "Connection Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2960687-EC5E-4584-BEF9-EFC7D1D86112}\ = "IClient"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39D227FE-B8D8-493D-B15C-A28DA094FDA2}\TypeLib\ = "{80AECCA8-6A06-4BDF-8803-624E7CE96F56}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA4341B7-2043-4BA6-B8D2-CC3FDFA0C537}\TypeLib\ = "{80AECCA8-6A06-4BDF-8803-624E7CE96F56}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Client.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2960687-EC5E-4584-BEF9-EFC7D1D86112}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39D227FE-B8D8-493D-B15C-A28DA094FDA2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Server\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Client\CLSID\ = "{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Connection.1\ = "Connection Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60F52C71-FAB3-42A9-AA7D-5B6D0323E494}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60F52C71-FAB3-42A9-AA7D-5B6D0323E494}\ = "IServer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA4341B7-2043-4BA6-B8D2-CC3FDFA0C537}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Connection.1\CLSID\ = "{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{80AECCA8-6A06-4BDF-8803-624E7CE96F56}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}\VersionIndependentProgID\ = "FileTranDll.Connection"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{80AECCA8-6A06-4BDF-8803-624E7CE96F56}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60F52C71-FAB3-42A9-AA7D-5B6D0323E494}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39D227FE-B8D8-493D-B15C-A28DA094FDA2}\ = "IConnection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}\TypeLib\ = "{80AECCA8-6A06-4BDF-8803-624E7CE96F56}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{058159F8-6BC7-4C6C-B620-2AD93A4DDB86}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{80AECCA8-6A06-4BDF-8803-624E7CE96F56}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60F52C71-FAB3-42A9-AA7D-5B6D0323E494}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Server.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39D227FE-B8D8-493D-B15C-A28DA094FDA2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA4341B7-2043-4BA6-B8D2-CC3FDFA0C537}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FileTranDll.Client.1\CLSID\ = "{ECA96510-AEDA-4E7E-BFE2-06A257E2EBF3}"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3156	2876	regsvr32.exe	85
PID 2876 wrote to memory of 3156	2876	regsvr32.exe	85
PID 2876 wrote to memory of 3156	2876	regsvr32.exe	85

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\oofile_1.47\FileTranDll.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\oofile_1.47\FileTranDll.dll
  2⤵
  - Modifies registry class
  PID:3156

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads