Overview
overview
8Static
static
3ec4a958ab7...dd.exe
windows11-21h2-x64
8rptcache64.dll
windows11-21h2-x64
1rtfile32.dll
windows11-21h2-x64
1rtfile64.dll
windows11-21h2-x64
1rtinfo32.dll
windows11-21h2-x64
4rtinfo64.dll
windows11-21h2-x64
4screenhooks32.dll
windows11-21h2-x64
1scrnrcd32.dll
windows11-21h2-x64
1scrnrcd64.dll
windows11-21h2-x64
1sensinfo32.dll
windows11-21h2-x64
1sensinfo64.dll
windows11-21h2-x64
1setuphlpr.dll
windows11-21h2-x64
1shlext32.dll
windows11-21h2-x64
1shlext64.dll
windows11-21h2-x64
7siriuv32.dll
windows11-21h2-x64
1siriuv64.dll
windows11-21h2-x64
1sqlcipher32.dll
windows11-21h2-x64
3sqlcipher64.dll
windows11-21h2-x64
1sscanner32.dll
windows11-21h2-x64
1sscanner64.dll
windows11-21h2-x64
1ssleay32.dll
windows11-21h2-x64
1ssleay64.dll
windows11-21h2-x64
1swvv32.sys
windows11-21h2-x64
1swvv64.sys
windows11-21h2-x64
1swvv64_win7.sys
windows11-21h2-x64
1unrar32.dll
windows11-21h2-x64
3unrar64.dll
windows11-21h2-x64
1usbmgr32.dll
windows11-21h2-x64
1usbmgr64.dll
windows11-21h2-x64
1winpcap_inst.exe
windows11-21h2-x64
8workflow32.dll
windows11-21h2-x64
1workflow64.dll
windows11-21h2-x64
1Analysis
-
max time kernel
145s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system -
submitted
28-04-2024 10:49
Static task
static1
Behavioral task
behavioral1
Sample
ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd.exe
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral2
Sample
rptcache64.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral3
Sample
rtfile32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral4
Sample
rtfile64.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral5
Sample
rtinfo32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral6
Sample
rtinfo64.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral7
Sample
screenhooks32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral8
Sample
scrnrcd32.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral9
Sample
scrnrcd64.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral10
Sample
sensinfo32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral11
Sample
sensinfo64.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral12
Sample
setuphlpr.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral13
Sample
shlext32.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral14
Sample
shlext64.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral15
Sample
siriuv32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral16
Sample
siriuv64.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral17
Sample
sqlcipher32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral18
Sample
sqlcipher64.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral19
Sample
sscanner32.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral20
Sample
sscanner64.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral21
Sample
ssleay32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral22
Sample
ssleay64.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral23
Sample
swvv32.sys
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral24
Sample
swvv64.sys
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral25
Sample
swvv64_win7.sys
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral26
Sample
unrar32.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral27
Sample
unrar64.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral28
Sample
usbmgr32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral29
Sample
usbmgr64.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral30
Sample
winpcap_inst.exe
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral31
Sample
workflow32.dll
Resource
win11-20240426-en
windows11-21h2-x64
Behavioral task
behavioral32
Sample
workflow64.dll
Resource
win11-20240419-en
windows11-21h2-x64
General
-
Target
shlext32.dll
-
Size
522KB
-
MD5
162e9fef5dc86a75ff84dac041a1bb74
-
SHA1
9b7d649c21531e17e627423b9f1c2954f0649350
-
SHA256
10110faeea48c8dcf6ced83e0b7c0e4700bc33dd5ebb0d8bdb9492a274c091b5
-
SHA512
997b7efaf31222d8a9e80060cddeb70304ebe3d92e969808f111a37bd1d43b39646b4c74456520896f896a7b43f78e2f2b7a4bb070de4511a4bcf5c7effd5af8
-
SSDEEP
12288:NsHGkBa8NYE2JqRF56FcGbMr/KjylwHLPBzj0SqKyUJKbdQKH0uRftI3:NsHnl2JvbMrWylwHp05bdQKHf7I3
Malware Config
Signatures
-
Modifies registry class 64 IoCs
Processes:
regsvr32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\shlext32.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B32B8169-BE6B-43AC-BE93-20D5BDD0A275}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\shlext32.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9837E26-E9CA-48A0-9AF4-88804B91E316}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9837E26-E9CA-48A0-9AF4-88804B91E316} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{243FE571-9597-4E21-9261-4DF793DBE86C}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon2\CurVer\ = "shlext.PoOverlayIcon2.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\shlext.DtePropSheet\CurVer\ = "shlext.DtePropSheet.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B32B8169-BE6B-43AC-BE93-20D5BDD0A275}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B32B8169-BE6B-43AC-BE93-20D5BDD0A275}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{340A2687-D23B-4F55-968A-459C697CD02B}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{340A2687-D23B-4F55-968A-459C697CD02B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon3\CLSID\ = "{D4CA1384-016E-436C-970E-49E89C56D16C}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16A} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\dteProp\ = "{940232A8-FAF8-4B70-A1C6-A0A184579DE2}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B32B8169-BE6B-43AC-BE93-20D5BDD0A275}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon3.1\ = "PoOverlayIcon3 Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{243FE571-9597-4E21-9261-4DF793DBE86C}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{243FE571-9597-4E21-9261-4DF793DBE86C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16C} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9837E26-E9CA-48A0-9AF4-88804B91E316}\ = "IPoContextMenu" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon3.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9837E26-E9CA-48A0-9AF4-88804B91E316}\TypeLib\ = "{B32B8169-BE6B-43AC-BE93-20D5BDD0A275}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16A}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\Programmable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\TypeLib\ = "{B32B8169-BE6B-43AC-BE93-20D5BDD0A274}" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\poshlext\ = "{0AFAB9F9-59CA-4B59-BBA7-6E3C783FDEBD}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9837E26-E9CA-48A0-9AF4-88804B91E316}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{340A2687-D23B-4F55-968A-459C697CD02B}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{340A2687-D23B-4F55-968A-459C697CD02B} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon\ = "PoOverlayIcon Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon2\ = "PoOverlayIcon2 Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon2\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16C}\ProgID\ = "shlext.PoOverlayIcon3.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9837E26-E9CA-48A0-9AF4-88804B91E316}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{46D710BA-FB6A-4854-88C4-C9C6DF876C6A}\ = "shlext" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16C}\TypeLib\ = "{B32B8169-BE6B-43AC-BE93-20D5BDD0A275}" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16C}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AFAB9F9-59CA-4B59-BBA7-6E3C783FDEBD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\shlext32.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B32B8169-BE6B-43AC-BE93-20D5BDD0A275} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{340A2687-D23B-4F55-968A-459C697CD02B}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\ProgID\ = "shlext.PoOverlayIcon2.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16C}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AFAB9F9-59CA-4B59-BBA7-6E3C783FDEBD}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\poshlext regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\shlext.DtePropSheet\CLSID\ = "{940232A8-FAF8-4B70-A1C6-A0A184579DE2}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{243FE571-9597-4E21-9261-4DF793DBE86C}\TypeLib\ = "{B32B8169-BE6B-43AC-BE93-20D5BDD0A275}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\shlext.PoOverlayIcon.1\ = "PoOverlayIcon Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\shlext.DtePropSheet.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\shlext.DtePropSheet\ = "DtePropSheet Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{940232A8-FAF8-4B70-A1C6-A0A184579DE2}\TypeLib\ = "{B32B8169-BE6B-43AC-BE93-20D5BDD0A275}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\dteProp regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9837E26-E9CA-48A0-9AF4-88804B91E316}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4CA1384-016E-436C-970E-49E89C56D16B}\VersionIndependentProgID\ = "shlext.PoOverlayIcon2" regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
regsvr32.exedescription pid process target process PID 2212 wrote to memory of 3024 2212 regsvr32.exe regsvr32.exe PID 2212 wrote to memory of 3024 2212 regsvr32.exe regsvr32.exe PID 2212 wrote to memory of 3024 2212 regsvr32.exe regsvr32.exe