c8e90400eac54d560c34e2a51785a2e4c9920859cab94864392611c71b5d2c35

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SyncInfrastructureps.dll
Size

17KB
MD5

7836a61daf675031d7257fabe8425edb
SHA1

fe397ae0b5574f8ca981d420ceb6640744d87ae7
SHA256

c8e90400eac54d560c34e2a51785a2e4c9920859cab94864392611c71b5d2c35
SHA512

1f3d1d3cb915feb1011935d7bd9f24241bcef9f5a31e90754f6a20d30bd8fcd66781bee5255ef2766a2a1c9b3ad84f4f7d71c64261dc4aebcd43f9ef0b5b1cda
SSDEEP

192:ic4AG1ThzQos7ea6Xw25b1u/nBpadtoNTWMAuQLXRGMZPQpqKWqkUeTWVZ+l:wpNhjnu/nBpafohW37wRWqkhTWVZ+

Score

1^/10

Malware Config

Signatures

Modifies registry class 41 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3838290E-E8E4-40F1-9BCF-449CC3E16E90}\ = "PSFactoryBuffer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFD77847-E2B2-4E73-AD83-11B4F4BE6D2A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AABFAD62-E092-4838-8FE9-806FF250496B}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80853259-7216-45e3-A9AA-3427E1CA8C6D}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AABFAD62-E092-4838-8FE9-806FF250496B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3838290E-E8E4-40F1-9BCF-449CC3E16E90}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7F9DEC54-E33E-4E03-9456-B5577E180467}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7F9DEC54-E33E-4e03-9456-B5577E180467}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7F9DEC54-E33E-4e03-9456-B5577E180467}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80853259-7216-45E3-A9AA-3427E1CA8C6D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80853259-7216-45e3-A9AA-3427E1CA8C6D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BD5FAE2F-2BA2-4ABD-AD2A-84B08B37BE85}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AABFAD62-E092-4838-8FE9-806FF250496B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFD77847-E2B2-4E73-AD83-11B4F4BE6D2A}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80853259-7216-45e3-A9AA-3427E1CA8C6D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{38D0CFCF-4AB7-471A-A516-7BDBAA3F6E0B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{38D0CFCF-4AB7-471A-A516-7BDBAA3F6E0B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3838290E-E8E4-40F1-9BCF-449CC3E16E90}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\WOW6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3838290E-E8E4-40f1-9BCF-449CC3E16E90}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3838290E-E8E4-40f1-9BCF-449CC3E16E90}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80853259-7216-45e3-A9AA-3427E1CA8C6D}\AsynchronousInterface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1422598-E238-464A-9F9D-EC1C4C829BC4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3838290E-E8E4-40f1-9BCF-449CC3E16E90}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9EBBF2D-0C5D-4BF1-AE24-A30F7796D178}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9EBBF2D-0C5D-4BF1-AE24-A30F7796D178}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1422598-E238-464a-9F9D-EC1C4C829BC4}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1422598-E238-464a-9F9D-EC1C4C829BC4}\SynchronousInterface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{38D0CFCF-4AB7-471A-A516-7BDBAA3F6E0B}\NumMethods	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3838290E-E8E4-40F1-9BCF-449CC3E16E90}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SyncInfrastructureps.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFD77847-E2B2-4E73-AD83-11B4F4BE6D2A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7F9DEC54-E33E-4e03-9456-B5577E180467}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1422598-E238-464a-9F9D-EC1C4C829BC4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3838290E-E8E4-40F1-9BCF-449CC3E16E90}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3838290E-E8E4-40F1-9BCF-449CC3E16E90}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9EBBF2D-0C5D-4BF1-AE24-A30F7796D178}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BD5FAE2F-2BA2-4ABD-AD2A-84B08B37BE85}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BD5FAE2F-2BA2-4ABD-AD2A-84B08B37BE85}\NumMethods	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 4364	1352	regsvr32.exe	82
PID 1352 wrote to memory of 4364	1352	regsvr32.exe	82
PID 1352 wrote to memory of 4364	1352	regsvr32.exe	82

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\SyncInfrastructureps.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\SyncInfrastructureps.dll
  2⤵
  - Modifies registry class
  PID:4364

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads