78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60

General

Target

78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60.dll
Size

327KB
MD5

0c30edd3251f1b2c9a60c16d8b543914
SHA1

6473905dbc9ce63ffdf8c3ce82c8e564fa5d2cd7
SHA256

78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60
SHA512

fd3c9e3f4c4dd850944e2c9fa33008f0468dd88f95dba21b14499b626933aef6c460b36388288e653dc6d2bbdd1fcd9b9397bd259a572c00b6090ebbbb8e15b9
SSDEEP

6144:paatUssGoOB/9+FAqE6VoZpdpwUlVioY0bIiL5VXyK6uHOD0:pa2shOqoZpnVlV3lVX/f+0

Score

1^/10

Malware Config

Signatures

Modifies registry class 50 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler\CLSID\ = "{DC6EFB56-9CFA-464D-8880-44885D7DC193}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17F2E344-8227-4AA7-A25A-E89424566BBA}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17F2E344-8227-4AA7-A25A-E89424566BBA}\ProxyStubClsid32\ = "{17F2E344-8227-4AA7-A25A-E89424566BBA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17F2E344-8227-4AA7-A25A-E89424566BBA}\ = "IPDFPreviewHandler"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PDFPrevHndlr.DLL\AppID = "{6236FF8C-E747-4173-86D3-99F511B61DF3}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\ProgID\ = "PDFPrevHndlr.PDFPreviewHandler.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41C5FFFE-36DD-415D-9ED0-2976A342A1C8}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\DisplayName = "@C:\\Users\\Admin\\AppData\\Local\\Temp\\78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60.dll,-101"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.pdf\ = "AcroExch.Document"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\ = "IPDFShellInfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\TypeLib\ = "{41C5FFFE-36DD-415D-9ED0-2976A342A1C8}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6236FF8C-E747-4173-86D3-99F511B61DF3}\ = "PDFPrevHndlr"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler\CurVer\ = "PDFPrevHndlr.PDFPreviewHandler.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\DisableLowILProcessIsolation = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{DC6EFB56-9CFA-464D-8880-44885D7DC193}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\TypeLib\ = "{0F6D3808-7974-4B1A-94C2-3200767EACE8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\VersionIndependentProgID\ = "PDFPrevHndlr.PDFPreviewHandler"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler\ = "Adobe PDF Preview Handler for Vista"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17F2E344-8227-4AA7-A25A-E89424566BBA}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17F2E344-8227-4AA7-A25A-E89424566BBA}\NumMethods\ = "3"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17F2E344-8227-4AA7-A25A-E89424566BBA}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17F2E344-8227-4AA7-A25A-E89424566BBA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler.1\CLSID\ = "{DC6EFB56-9CFA-464D-8880-44885D7DC193}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\ = "Adobe PDF Preview Handler for Vista"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler.1\ = "Adobe PDF Preview Handler for Vista"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4308 wrote to memory of 2036	4308	regsvr32.exe	regsvr32.exe
PID 4308 wrote to memory of 2036	4308	regsvr32.exe	regsvr32.exe
PID 4308 wrote to memory of 2036	4308	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\78344cf8e30b05bbf2d62aa40710ef51c265b6c7e195bc9e1607890b3835bf60.dll
2⤵
- Modifies registry class
PID:2036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2036-0-0x0000000002AF0000-0x0000000002B2C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads