dccd7fe5b56ec1de52ed5e01f03abf2fcd133fb8b1531871984286e83d920cfa | Triage

Analysis

max time kernel
133s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 12:04

Sharing

Report Analysis Logs

General

Target

WinSyncProviders.dll
Size

114KB
MD5

6776beb73c5a6bfafa9405ab7f30b53b
SHA1

3dc3d8fdd00a7b5bc0aa17c71b310bf105a027ca
SHA256

dccd7fe5b56ec1de52ed5e01f03abf2fcd133fb8b1531871984286e83d920cfa
SHA512

77d541327847ed5dcafe165be0116448c818828645b70ac3502b11072f094080e76798a43a9818645caa1408d5ee28da709eb8ddd596343fd5b03804e03da02e
SSDEEP

3072:bebYiPA/qMFePyuoGQFtEpPAIIckwJw0si:bebYDCYtuoGQFtGpX6i

Score

1^/10

Malware Config

Signatures

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8373ce97-72b7-4fb2-b5e8-b38aa083d734}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8373ce97-72b7-4fb2-b5e8-b38aa083d734}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A10DFC9E-FF12-4E7F-BC74-8FE9053920F0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a10dfc9e-ff12-4e7f-bc74-8fe9053920f0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a10dfc9e-ff12-4e7f-bc74-8fe9053920f0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8373CE97-72B7-4FB2-B5E8-B38AA083D734}	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 972	4452	regsvr32.exe	83
PID 4452 wrote to memory of 972	4452	regsvr32.exe	83
PID 4452 wrote to memory of 972	4452	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\WinSyncProviders.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\WinSyncProviders.dll
  2⤵
  - Modifies registry class
  PID:972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads