224da404f85b1f4ea2e95ac0c2d403fa70135ce9ff22246889bababca20241da

Analysis

max time kernel
1480s
max time network
1494s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
30/05/2024, 13:17

Target

MSVCRTExt.dll
Size

1.0MB
MD5

7aa124480e548155d65bae921f391afa
SHA1

23ac725e5a63995d0e27a5841c969486e1d2c3f5
SHA256

224da404f85b1f4ea2e95ac0c2d403fa70135ce9ff22246889bababca20241da
SHA512

7d02132340b35551a474e55c4e5e5e7f0839a1294b017abf0e2c6d7fd45e8d2235608c2bf4233e7e6957155a932c9f1f8a14dd1c36bd567a1c66861586b8a363
SSDEEP

24576:05nJIDlyEgORmiRly2oQ9dMGpuFU6DfCq1:05+cQFAgdRgFUGfCq1

Score

4^/10

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3872	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 3180	1188	regsvr32.exe	79
PID 1188 wrote to memory of 3180	1188	regsvr32.exe	79
PID 1188 wrote to memory of 3180	1188	regsvr32.exe	79

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\MSVCRTExt.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\MSVCRTExt.dll
  2⤵
  PID:3180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2980

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:872

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4792

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
e9aa12ff0be6d995ed86f8cf88678158

SHA1
e5ee38fc2ebef0fcbc3059dee29b39f7daf21931

SHA256
f35cd8ef03ac924a59943c5dfffc31ab67a8b5aff272e9f47ff776aabc7ee561

SHA512
95a67acd2a4784b87d73910c1f1f590937c9d9b901e98448556a37eb8137ae5f458f1c673d65a46cf7d6b90bee5fe6b102ce3eeac9e819062cd9c5c2418bcbfc

Download Submit