Analysis
- max time kernel: 140s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-06-2024 04:34
Behavioral task: behavioral1
- Sample: c4567e7e3eb80d54cf996c5d082907395e9106a17ede4cc43026b113893017a7.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c4567e7e3eb80d54cf996c5d082907395e9106a17ede4cc43026b113893017a7.dll
- Resource: win10v2004-20240226-en
General
- Target: c4567e7e3eb80d54cf996c5d082907395e9106a17ede4cc43026b113893017a7.dll
- Size: 176KB
- MD5: 02beb8b4d46c253f2c32f990b1d518e6
- SHA1: b4d587f6c5286c950c1b24b8bbb0d3c4aae0d82e
- SHA256: c4567e7e3eb80d54cf996c5d082907395e9106a17ede4cc43026b113893017a7
- SHA512: f764d4810af9f78bc959fce908d226e06ba2ebc4600d31af91a5dc8768ef2716ba1d2a06817a54667c4840542993b715147572b5915391756ed59836ed6a8b0b
- SSDEEP: 3072:D4c+aFQGAOGWcroDwXrJsCkK3hYIQtHu1tW:DV+aFWOGWioDspzLmu1
Malware Config
Signatures
- Modifies registry class (6 IoCs)
  Processes: regsvr32.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25E609E5-B259-11CF-BFC7-444553540000} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25E609E5-B259-11CF-BFC7-444553540000}\InProcServer32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25E609E4-B259-11CF-BFC7-444553540000} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25E609E4-B259-11CF-BFC7-444553540000}\InProcServer32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: regsvr32.exe
  pid | process
  4480 | regsvr32.exe
  4480 | regsvr32.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: regsvr32.exe
  description | pid | process
  Token: 1 | 4480 | regsvr32.exe
  Token: SeCreateTokenPrivilege | 4480 | regsvr32.exe
  Token: SeAssignPrimaryTokenPrivilege | 4480 | regsvr32.exe
  Token: SeLockMemoryPrivilege | 4480 | regsvr32.exe
  Token: SeIncreaseQuotaPrivilege | 4480 | regsvr32.exe
  Token: SeMachineAccountPrivilege | 4480 | regsvr32.exe
  Token: SeTcbPrivilege | 4480 | regsvr32.exe
  Token: SeSecurityPrivilege | 4480 | regsvr32.exe
  Token: SeTakeOwnershipPrivilege | 4480 | regsvr32.exe
  Token: SeLoadDriverPrivilege | 4480 | regsvr32.exe
  Token: SeSystemProfilePrivilege | 4480 | regsvr32.exe
  Token: SeSystemtimePrivilege | 4480 | regsvr32.exe
  Token: SeProfSingleProcessPrivilege | 4480 | regsvr32.exe
  Token: SeIncBasePriorityPrivilege | 4480 | regsvr32.exe
  Token: SeCreatePagefilePrivilege | 4480 | regsvr32.exe
  Token: SeCreatePermanentPrivilege | 4480 | regsvr32.exe
  Token: SeBackupPrivilege | 4480 | regsvr32.exe
  Token: SeRestorePrivilege | 4480 | regsvr32.exe
  Token: SeShutdownPrivilege | 4480 | regsvr32.exe
  Token: SeDebugPrivilege | 4480 | regsvr32.exe
  Token: SeAuditPrivilege | 4480 | regsvr32.exe
  Token: SeSystemEnvironmentPrivilege | 4480 | regsvr32.exe
  Token: SeChangeNotifyPrivilege | 4480 | regsvr32.exe
  Token: SeRemoteShutdownPrivilege | 4480 | regsvr32.exe
  Token: SeUndockPrivilege | 4480 | regsvr32.exe
  Token: SeSyncAgentPrivilege | 4480 | regsvr32.exe
  Token: SeEnableDelegationPrivilege | 4480 | regsvr32.exe
  Token: SeManageVolumePrivilege | 4480 | regsvr32.exe
  Token: SeImpersonatePrivilege | 4480 | regsvr32.exe
  Token: SeCreateGlobalPrivilege | 4480 | regsvr32.exe
  Token: 31 | 4480 | regsvr32.exe
  Token: 32 | 4480 | regsvr32.exe
  Token: 33 | 4480 | regsvr32.exe
  Token: 34 | 4480 | regsvr32.exe
  Token: 35 | 4480 | regsvr32.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: regsvr32.exe
  pid | process
  4480 | regsvr32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: regsvr32.exe
  description | pid | process | target process
  PID 4908 wrote to memory of 4480 | 4908 | regsvr32.exe | regsvr32.exe
  PID 4908 wrote to memory of 4480 | 4908 | regsvr32.exe | regsvr32.exe
  PID 4908 wrote to memory of 4480 | 4908 | regsvr32.exe | regsvr32.exe
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c4567e7e3eb80d54cf996c5d082907395e9106a17ede4cc43026b113893017a7.dll
  - Suspicious use of WriteProcessMemory
  PID: 4908
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\c4567e7e3eb80d54cf996c5d082907395e9106a17ede4cc43026b113893017a7.dll
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
  PID: 3452