64200fbb3c17cb9defc46eb7ebc024adf47ae097f4df6804906c06a0d4bb6e18

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LocationFrameworkPS.dll
Size

24KB
MD5

af50a16e529a05b1ca4ee652757e69a5
SHA1

f4baa7f87e66f7ff23064bc9b9384009e5a29272
SHA256

64200fbb3c17cb9defc46eb7ebc024adf47ae097f4df6804906c06a0d4bb6e18
SHA512

31cc4d9f12b8d98cc6bf991a48ed60e5ed500e4d6d03587cf648f0d3f791955efa1731f73ab957d3ce2e974c18c1a86cf1bb9f7feacfdf4734032e6f458bc9f9
SSDEEP

384:QKJAXEShXn8zkKWc/GmrldrUWpzWHa9mXjDBRJNMl1n47:g1RCanyfUXj1PN7

Score

1^/10

Malware Config

Signatures

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{76C23039-0D4B-4340-9A00-731CFE28D79E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5FBE70F3-2F8D-46BC-BA97-28E3E9D51F9C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D0423B1-BBD4-4C4A-8F20-DA15228E0F3D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A8C20AC3-4F66-423A-A1AE-396142818006}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5FBE70F3-2F8D-46BC-BA97-28E3E9D51F9C}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{033911AC-1A3F-4961-865E-D0E4CA19975B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{033911AC-1A3F-4961-865E-D0E4CA19975B}\ = "IGnssAdapterGeofence"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C290552B-F3B1-4471-A70C-D2C146417AF1}\ = "IGeofenceManager"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{270411D9-9832-48D5-BC1C-CE606B00F42E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{67B89B7E-4003-4F69-AEA6-836C2F605AEA}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{67B89B7E-4003-4F69-AEA6-836C2F605AEA}\ProxyStubClsid32\ = "{270411D9-9832-48D5-BC1C-CE606B00F42E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C290552B-F3B1-4471-A70C-D2C146417AF1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{76C23039-0D4B-4340-9A00-731CFE28D79E}\NumMethods	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C290552B-F3B1-4471-A70C-D2C146417AF1}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77746361-335B-4217-9F7E-96AE01E96958}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A8C20AC3-4F66-423A-A1AE-396142818006}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A8C20AC3-4F66-423A-A1AE-396142818006}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5FBE70F3-2F8D-46BC-BA97-28E3E9D51F9C}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{67B89B7E-4003-4F69-AEA6-836C2F605AEA}\ = "IGnssAdapter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{033911AC-1A3F-4961-865E-D0E4CA19975B}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{033911AC-1A3F-4961-865E-D0E4CA19975B}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C290552B-F3B1-4471-A70C-D2C146417AF1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C290552B-F3B1-4471-A70C-D2C146417AF1}\NumMethods\ = "4"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77746361-335B-4217-9F7E-96AE01E96958}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{033911AC-1A3F-4961-865E-D0E4CA19975B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77746361-335B-4217-9F7E-96AE01E96958}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{270411D9-9832-48D5-BC1C-CE606B00F42E}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{67B89B7E-4003-4F69-AEA6-836C2F605AEA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{67B89B7E-4003-4F69-AEA6-836C2F605AEA}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{67B89B7E-4003-4F69-AEA6-836C2F605AEA}\NumMethods\ = "17"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{033911AC-1A3F-4961-865E-D0E4CA19975B}\ProxyStubClsid32\ = "{270411D9-9832-48D5-BC1C-CE606B00F42E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C290552B-F3B1-4471-A70C-D2C146417AF1}\ProxyStubClsid32\ = "{270411D9-9832-48D5-BC1C-CE606B00F42E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{76C23039-0D4B-4340-9A00-731CFE28D79E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D0423B1-BBD4-4C4A-8F20-DA15228E0F3D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D0423B1-BBD4-4C4A-8F20-DA15228E0F3D}\NumMethods	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 3000	2260	regsvr32.exe	81
PID 2260 wrote to memory of 3000	2260	regsvr32.exe	81
PID 2260 wrote to memory of 3000	2260	regsvr32.exe	81

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\LocationFrameworkPS.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\LocationFrameworkPS.dll
  2⤵
  - Modifies registry class
  PID:3000

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads