Overview
overview
10Static
static
30143896638...df.exe
windows7-x64
100143896638...df.exe
windows10-2004-x64
10$APPDATA/v...60.dll
windows7-x64
1$APPDATA/v...60.dll
windows10-2004-x64
1$APPDATA/v...60.dll
windows7-x64
1$APPDATA/v...60.dll
windows10-2004-x64
1$APPDATA/v...pc.exe
windows7-x64
1$APPDATA/v...pc.exe
windows10-2004-x64
1$APPDATA/v...tp.dll
windows7-x64
1$APPDATA/v...tp.dll
windows10-2004-x64
1$APPDATA/v...en.dll
windows7-x64
1$APPDATA/v...en.dll
windows10-2004-x64
1$TEMP/AnaMetaphor.dll
windows7-x64
1$TEMP/AnaMetaphor.dll
windows10-2004-x64
1$TEMP/dev6...60.dll
windows7-x64
1$TEMP/dev6...60.dll
windows10-2004-x64
1$TEMP/dev6...ib.dll
windows7-x64
1$TEMP/dev6...ib.dll
windows10-2004-x64
1$TEMP/dev6...MA.dll
windows7-x64
1$TEMP/dev6...MA.dll
windows10-2004-x64
1$TEMP/dev6...lp.dll
windows7-x64
1$TEMP/dev6...lp.dll
windows10-2004-x64
1Analysis
-
max time kernel
129s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
27-05-2024 06:46
Static task
static1
Behavioral task
behavioral1
Sample
01438966382020_pdf.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral2
Sample
01438966382020_pdf.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$APPDATA/vehicletestdrive/_tmp/18.opends60.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
$APPDATA/vehicletestdrive/_tmp/18.opends60.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$APPDATA/vehicletestdrive/_tmp/62.opends60.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral6
Sample
$APPDATA/vehicletestdrive/_tmp/62.opends60.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$APPDATA/vehicletestdrive/_tmp/cert2spc.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
$APPDATA/vehicletestdrive/_tmp/cert2spc.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$APPDATA/vehicletestdrive/_tmp/contextp.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral10
Sample
$APPDATA/vehicletestdrive/_tmp/contextp.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$APPDATA/vehicletestdrive/_tmp/crtowordsen.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral12
Sample
$APPDATA/vehicletestdrive/_tmp/crtowordsen.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$TEMP/AnaMetaphor.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral14
Sample
$TEMP/AnaMetaphor.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$TEMP/dev60cgi/36.opends60.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
$TEMP/dev60cgi/36.opends60.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$TEMP/dev60cgi/CrystalKeyCodeLib.dll
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral18
Sample
$TEMP/dev60cgi/CrystalKeyCodeLib.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$TEMP/dev60cgi/DesktopDMA.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral20
Sample
$TEMP/dev60cgi/DesktopDMA.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$TEMP/dev60cgi/MicrosoftVisualStudioVSHelp.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
$TEMP/dev60cgi/MicrosoftVisualStudioVSHelp.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
General
-
Target
$APPDATA/vehicletestdrive/_tmp/contextp.dll
-
Size
11KB
-
MD5
4ba4d296c73b2b4367b0029e1d7c1a6f
-
SHA1
15aaf08c9aff48005a2a886c35a719bf286632ab
-
SHA256
0da039d120c08e36e5bd6c9eafe84d45dff719473876f3902e7ca5c9aa00c24a
-
SHA512
46a249c1110aec76179d44d4ae03c176dced623a3eb26003077034628eba7a09343da87afce41c02faf17e7e9cedaf69f354a576df92ba71fbb5ef5661bc1112
-
SSDEEP
192:VjPYNu38npuW8IzMkA2Ny0W+uNgQWNjk8:5PDQ8Zi1W7gQWN
Malware Config
Signatures
-
Modifies registry class 64 IoCs
Processes:
regsvr32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{720B8500-17B3-4C89-AE84-2CFE7251B4B8}\ = "IVsUserContextItem" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{720B8500-17B3-4C89-AE84-2CFE7251B4B8}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{997D7904-D948-4C8B-8BAB-0BDA1E212F6E}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A2078F0E-A310-420A-BA27-16531905B88F}\ProxyStubClsid32\ = "{720B8500-17B3-4C89-AE84-2CFE7251B4B8}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{715C98B7-05FB-4A1A-86C8-FF00CE2E5D64}\ = "IVsUserContextItemProvider" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{720B8500-17B3-4C89-AE84-2CFE7251B4B8}\InProcServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5ED7D1C-61B6-428A-8129-E13B36D9E9A7}\ = "IVsUserContextUpdate" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F98CCC8A-9C5F-41EB-8421-711C0F1880E6}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C074FDB-3D7D-4512-9604-72B3B0A5F609} regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{720B8500-17B3-4C89-AE84-2CFE7251B4B8}\InProcServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{720B8500-17B3-4C89-AE84-2CFE7251B4B8}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A2078F0E-A310-420A-BA27-16531905B88F} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A56FB1E-1B2F-4699-8178-63B98E816F35}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{997D7904-D948-4C8B-8BAB-0BDA1E212F6E}\ProxyStubClsid32\ = "{720B8500-17B3-4C89-AE84-2CFE7251B4B8}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5ED7D1C-61B6-428A-8129-E13B36D9E9A7}\ProxyStubClsid32\ = "{720B8500-17B3-4C89-AE84-2CFE7251B4B8}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{720B8500-17B3-4C89-AE84-2CFE7251B4B8}\ProxyStubClsid32\ = "{720B8500-17B3-4C89-AE84-2CFE7251B4B8}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F98CCC8A-9C5F-41EB-8421-711C0F1880E6}\ = "IVsProvideUserContextForObject" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{715C98B7-05FB-4A1A-86C8-FF00CE2E5D64}\NumMethods\ = "8" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C074FDB-3D7D-4512-9604-72B3B0A5F609}\ = "IVsMonitorUserContext" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{761081DF-D45F-4683-9B9E-1B7241E56F5C} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{997D7904-D948-4C8B-8BAB-0BDA1E212F6E} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F98CCC8A-9C5F-41EB-8421-711C0F1880E6}\NumMethods\ = "4" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5ED7D1C-61B6-428A-8129-E13B36D9E9A7}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A2078F0E-A310-420A-BA27-16531905B88F}\NumMethods\ = "4" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5ED7D1C-61B6-428A-8129-E13B36D9E9A7} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F817159-761D-447E-9600-4C3387F4C0FD} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{715C98B7-05FB-4A1A-86C8-FF00CE2E5D64}\ProxyStubClsid32\ = "{720B8500-17B3-4C89-AE84-2CFE7251B4B8}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{715C98B7-05FB-4A1A-86C8-FF00CE2E5D64}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{761081DF-D45F-4683-9B9E-1B7241E56F5C}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{997D7904-D948-4C8B-8BAB-0BDA1E212F6E}\NumMethods\ = "4" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A2078F0E-A310-420A-BA27-16531905B88F}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A2078F0E-A310-420A-BA27-16531905B88F}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A56FB1E-1B2F-4699-8178-63B98E816F35}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F817159-761D-447E-9600-4C3387F4C0FD}\NumMethods\ = "4" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{761081DF-D45F-4683-9B9E-1B7241E56F5C}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{720B8500-17B3-4C89-AE84-2CFE7251B4B8}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$APPDATA\\vehicletestdrive\\_tmp\\contextp.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A56FB1E-1B2F-4699-8178-63B98E816F35}\NumMethods\ = "9" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F817159-761D-447E-9600-4C3387F4C0FD}\ = "IVsUserContextCustomize" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A6DE4A2-5B3D-46EB-A65C-24C4EF4F396F}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C074FDB-3D7D-4512-9604-72B3B0A5F609}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C074FDB-3D7D-4512-9604-72B3B0A5F609}\NumMethods\ = "21" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{761081DF-D45F-4683-9B9E-1B7241E56F5C}\ = "IVsUserContext" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{720B8500-17B3-4C89-AE84-2CFE7251B4B8} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{720B8500-17B3-4C89-AE84-2CFE7251B4B8}\NumMethods\ = "7" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A56FB1E-1B2F-4699-8178-63B98E816F35}\ProxyStubClsid32\ = "{720B8500-17B3-4C89-AE84-2CFE7251B4B8}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{715C98B7-05FB-4A1A-86C8-FF00CE2E5D64}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C074FDB-3D7D-4512-9604-72B3B0A5F609}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{761081DF-D45F-4683-9B9E-1B7241E56F5C}\ProxyStubClsid32\ = "{720B8500-17B3-4C89-AE84-2CFE7251B4B8}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{997D7904-D948-4C8B-8BAB-0BDA1E212F6E}\ = "IVsProvideUserContext" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5ED7D1C-61B6-428A-8129-E13B36D9E9A7}\NumMethods\ = "4" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F98CCC8A-9C5F-41EB-8421-711C0F1880E6}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A6DE4A2-5B3D-46EB-A65C-24C4EF4F396F}\ = "IVsUserContextItemCollection" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{715C98B7-05FB-4A1A-86C8-FF00CE2E5D64} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{761081DF-D45F-4683-9B9E-1B7241E56F5C}\NumMethods\ = "21" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{720B8500-17B3-4C89-AE84-2CFE7251B4B8} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A2078F0E-A310-420A-BA27-16531905B88F}\ = "IVsUserContextItemEvents" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5ED7D1C-61B6-428A-8129-E13B36D9E9A7}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F98CCC8A-9C5F-41EB-8421-711C0F1880E6}\ProxyStubClsid32\ = "{720B8500-17B3-4C89-AE84-2CFE7251B4B8}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A6DE4A2-5B3D-46EB-A65C-24C4EF4F396F}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A56FB1E-1B2F-4699-8178-63B98E816F35} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A56FB1E-1B2F-4699-8178-63B98E816F35}\ = "IVsHelpAttributeList" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A6DE4A2-5B3D-46EB-A65C-24C4EF4F396F}\ProxyStubClsid32\ = "{720B8500-17B3-4C89-AE84-2CFE7251B4B8}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F817159-761D-447E-9600-4C3387F4C0FD}\ProxyStubClsid32\ = "{720B8500-17B3-4C89-AE84-2CFE7251B4B8}" regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
regsvr32.exedescription pid process target process PID 456 wrote to memory of 5076 456 regsvr32.exe regsvr32.exe PID 456 wrote to memory of 5076 456 regsvr32.exe regsvr32.exe PID 456 wrote to memory of 5076 456 regsvr32.exe regsvr32.exe
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\$APPDATA\vehicletestdrive\_tmp\contextp.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\$APPDATA\vehicletestdrive\_tmp\contextp.dll2⤵
- Modifies registry class