9b1becaae353cfed426aac596fdaee9a343dffbdae42e3be55f245cd16be4b6a

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 11:27

Target

AddrImportHelper.dll
Size

40KB
MD5

49dcc6a6ed57518d1a7dbf9505856948
SHA1

4bff8e6a7d04b5a73537f0173d6d73d880904c9e
SHA256

aae69b62209d7a130ae2b7380330ac3d436c7051984caecd5af24b406b1fa528
SHA512

47dced8d10e350eca5836492232006d85570bcf9aec213e7c093c7829702f1d67a6a30595fec4ad589ba1e3b6c544ce17d4577f0f570e2faf5e59770b3392db3
SSDEEP

384:qm/mR3tJ6dfAFTDXZPD5wX1QXSjFenRLQhnCzZ7Qtc37dRxOzQk:5/mRKxApXr0OXSeRsCzZ7737dRxOM

Score

1^/10

Modifies registry class 10 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{485E3556-4D4A-45AC-8851-5ACE8F18A492}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{485E3556-4D4A-45AC-8851-5ACE8F18A492}\ = "AddrImportHelperLib.AddrImportHelper"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AddrImportHelperLib.AddrImportHelper\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{485E3556-4D4A-45AC-8851-5ACE8F18A492}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{485E3556-4D4A-45AC-8851-5ACE8F18A492}\ProgID\ = "AddrImportHelperLib.AddrImportHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{485E3556-4D4A-45AC-8851-5ACE8F18A492}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ADDRIM~1.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AddrImportHelperLib.AddrImportHelper	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AddrImportHelperLib.AddrImportHelper\ = "AddrImportHelperLib.AddrImportHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AddrImportHelperLib.AddrImportHelper\CLSID\ = "{485E3556-4D4A-45AC-8851-5ACE8F18A492}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{485E3556-4D4A-45AC-8851-5ACE8F18A492}\InProcServer32	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2868 wrote to memory of 4900	2868	regsvr32.exe	regsvr32.exe
PID 2868 wrote to memory of 4900	2868	regsvr32.exe	regsvr32.exe
PID 2868 wrote to memory of 4900	2868	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AddrImportHelper.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\AddrImportHelper.dll
2⤵
- Modifies registry class
PID:4900