78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60

General

Target

78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60.dll
Size

327KB
MD5

0c30edd3251f1b2c9a60c16d8b543914
SHA1

6473905dbc9ce63ffdf8c3ce82c8e564fa5d2cd7
SHA256

78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60
SHA512

fd3c9e3f4c4dd850944e2c9fa33008f0468dd88f95dba21b14499b626933aef6c460b36388288e653dc6d2bbdd1fcd9b9397bd259a572c00b6090ebbbb8e15b9
SSDEEP

6144:paatUssGoOB/9+FAqE6VoZpdpwUlVioY0bIiL5VXyK6uHOD0:pa2shOqoZpnVlV3lVX/f+0

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2908 regsvr32.exe

pid	process
2908	regsvr32.exe

Modifies registry class 50 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17F2E344-8227-4AA7-A25A-E89424566BBA}\NumMethods\ = "3"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17F2E344-8227-4AA7-A25A-E89424566BBA}\ProxyStubClsid32\ = "{17F2E344-8227-4AA7-A25A-E89424566BBA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\DisplayName = "@C:\\Users\\Admin\\AppData\\Local\\Temp\\78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60.dll,-101"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler.1\ = "Adobe PDF Preview Handler for Vista"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\VersionIndependentProgID\ = "PDFPrevHndlr.PDFPreviewHandler"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\TypeLib\ = "{41C5FFFE-36DD-415D-9ED0-2976A342A1C8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\TypeLib\ = "{0F6D3808-7974-4B1A-94C2-3200767EACE8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60.dll"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\DisableLowILProcessIsolation = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41C5FFFE-36DD-415D-9ED0-2976A342A1C8}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler.1\CLSID\ = "{DC6EFB56-9CFA-464D-8880-44885D7DC193}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler\ = "Adobe PDF Preview Handler for Vista"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17F2E344-8227-4AA7-A25A-E89424566BBA}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\ = "IPDFShellInfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{DC6EFB56-9CFA-464D-8880-44885D7DC193}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\ = "Adobe PDF Preview Handler for Vista"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\ = "AcroExch.Document"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17F2E344-8227-4AA7-A25A-E89424566BBA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler\CLSID\ = "{DC6EFB56-9CFA-464D-8880-44885D7DC193}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\ProgID\ = "PDFPrevHndlr.PDFPreviewHandler.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6236FF8C-E747-4173-86D3-99F511B61DF3}\ = "PDFPrevHndlr"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler\CurVer\ = "PDFPrevHndlr.PDFPreviewHandler.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17F2E344-8227-4AA7-A25A-E89424566BBA}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17F2E344-8227-4AA7-A25A-E89424566BBA}\ = "IPDFPreviewHandler"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PDFPrevHndlr.DLL\AppID = "{6236FF8C-E747-4173-86D3-99F511B61DF3}"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2252 wrote to memory of 2908	2252	regsvr32.exe	regsvr32.exe
PID 2252 wrote to memory of 2908	2252	regsvr32.exe	regsvr32.exe
PID 2252 wrote to memory of 2908	2252	regsvr32.exe	regsvr32.exe
PID 2252 wrote to memory of 2908	2252	regsvr32.exe	regsvr32.exe
PID 2252 wrote to memory of 2908	2252	regsvr32.exe	regsvr32.exe
PID 2252 wrote to memory of 2908	2252	regsvr32.exe	regsvr32.exe
PID 2252 wrote to memory of 2908	2252	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60.dll
2⤵
- Loads dropped DLL
- Modifies registry class
PID:2908

C:\Users\Admin\AppData\Local\Temp\2A0D.tmp
C:\Users\Admin\AppData\Local\Temp\2A0D.tmp
3⤵
PID:3004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\2A0D.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
memory/2908-0-0x0000000000190000-0x00000000001CC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads