71023c628a7394654b8e5274ef224241c8f34065ec1a8bcd377042f3b97a892f | Triage

Analysis

max time kernel
131s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 05:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MSAudDecMFT.dll
Size

450KB
MD5

75f27cadc8f1445fc7a6b10b038e9209
SHA1

b0af563706db9cc1b854ea192bfd97046047554c
SHA256

71023c628a7394654b8e5274ef224241c8f34065ec1a8bcd377042f3b97a892f
SHA512

6845745e1b8aa84238a2069d29a8e0cb3cd87c23bb6e76a6d6f39ec0d6085c3cecdc4b25489c69c520ab8afdff08ffb25e2d75f94164a51ff8cc88a39a230b66
SSDEEP

12288:qNtEjk1jwzKOQG3czEWpdxd0HIgLLisAVtE9xMJMjMbMoE2:qLxwGOQG3czjQHIgPjAVtE9xMJMjMbMV

Score

1^/10

Malware Config

Signatures

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\32d186a7-218f-4c75-8876-dd77273a8999	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32D186A7-218F-4C75-8876-DD77273A8999}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBA922ED-0AB7-40A7-9E69-495984866A23}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\70707b39-b2ca-4015-abea-f8447d22d88b	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{70707B39-B2CA-4015-ABEA-F8447D22D88B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{70707B39-B2CA-4015-ABEA-F8447D22D88B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\Categories\9ea73fb4-ef7a-4559-8d5d-719d8f0426c7\32d186a7-218f-4c75-8876-dd77273a8999	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\Categories\9ea73fb4-ef7a-4559-8d5d-719d8f0426c7\70707b39-b2ca-4015-abea-f8447d22d88b	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32d186a7-218f-4c75-8876-dd77273a8999}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBA922ED-0AB7-40A7-9E69-495984866A23}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\Categories\9ea73fb4-ef7a-4559-8d5d-719d8f0426c7	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBA922ED-0AB7-40A7-9E69-495984866A23}\ = "Microsoft AAC Audio ReMuxer MFT"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2488	2308	regsvr32.exe	83
PID 2308 wrote to memory of 2488	2308	regsvr32.exe	83
PID 2308 wrote to memory of 2488	2308	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\MSAudDecMFT.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\MSAudDecMFT.dll
  2⤵
  - Modifies registry class
  PID:2488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2488-0-0x0000000001450000-0x0000000001460000-memory.dmp

Filesize
64KB

Download
memory/2488-1-0x0000000001450000-0x0000000001460000-memory.dmp

Filesize
64KB

Download