ab2e7bc5a2e120148e14fbd1625c15655f9e2489c911537edc96bdcf560dfdf8 | Triage

Analysis

max time kernel
133s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 12:48

Sharing

Report Analysis Logs

General

Target

PhotoMetadataHandler.dll
Size

356KB
MD5

95ab9b30166221ed22e43290d47198cd
SHA1

b04497289e2a2d1e12efb8f5b618341d4fbd783d
SHA256

ab2e7bc5a2e120148e14fbd1625c15655f9e2489c911537edc96bdcf560dfdf8
SHA512

11c7045584981107e67926c1d519dbaf69bfa2c45c5a664407d7858c0a63d8fe2eb57417e3fb921fef382cdf945e5cce513c3974132789f95cb51f022cd30f87
SSDEEP

6144:4rDxJipNwennlUgVINRyHj6xfm+vy4vWG1zYR8N:7VINRyD6o+dvRS8

Score

1^/10

Malware Config

Signatures

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BAE86DDD-DC11-421C-B7AB-CC55D1D65C44}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAE86DDD-DC11-421C-B7AB-CC55D1D65C44}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a38b883c-1682-497e-97b0-0a3a9e801682}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAE86DDD-DC11-421C-B7AB-CC55D1D65C44}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6f13dd2e-ebee-4dd5-a72e-850b2087f5dd}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Schemas\{BB5ACC38-F216-4CEC-A6C5-5F6E739763A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAE86DDD-DC11-421C-B7AB-CC55D1D65C44}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6f13dd2e-ebee-4dd5-a72e-850b2087f5dd}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Schemas\{BB5ACC38-F216-4CEC-A6C5-5F6E739763A9}\MicrosoftPhoto = "http://ns.microsoft.com/photo/1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Schemas\{22383CF1-ED17-4E2E-AF17-D85B8F6B30D0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Schemas\{22383CF1-ED17-4E2E-AF17-D85B8F6B30D0}\MicrosoftPhoto = "http://ns.microsoft.com/photo/1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BAE86DDD-DC11-421C-B7AB-CC55D1D65C44}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a38b883c-1682-497e-97b0-0a3a9e801682}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 2192	4392	regsvr32.exe	84
PID 4392 wrote to memory of 2192	4392	regsvr32.exe	84
PID 4392 wrote to memory of 2192	4392	regsvr32.exe	84

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\PhotoMetadataHandler.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\PhotoMetadataHandler.dll
  2⤵
  - Modifies registry class
  PID:2192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RGI4AD4.tmp

Filesize
3KB

MD5
da0ce71a9eae9e48a77882da9c684044

SHA1
3447eb750064db1eb24732a7ae49afffa20fb29a

SHA256
afc63884a82111b35be225c339fa1ac58ab20600c642fccb053f7392d8a9f1ac

SHA512
7b765bd5f965cc4149191bd147667c6933fa919e272ea5c578f73c82707ea6d770ea680ce419707078d5e2d8eeb596373d47dee66980553b928cae67bf2dd723

Download Submit