1f2c95527db202acc8fd0a6b2548b5a0ed2deacf2da91e93503d311cc11d3d48

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 19:29

Target

1f2c95527db202acc8fd0a6b2548b5a0ed2deacf2da91e93503d311cc11d3d48.dll
Size

526KB
MD5

a79dd3438cdcee098dc65e3ce57c6bfb
SHA1

679e8dcc668e5340b42ad5bed1a7f426639c98ef
SHA256

1f2c95527db202acc8fd0a6b2548b5a0ed2deacf2da91e93503d311cc11d3d48
SHA512

8081ef3f3ca15cbbfb35440a4d047eb3c8fba653280b81a339bbd4e5407823da6be4acbdf4af7bf2cb18f11aa2abb26fa031cdc9478935d3a44c07055570930c
SSDEEP

6144:mLPC0pFjpdVTvM3c66oW2K9zDw+9++PBzHieH1S4QIb6vN4:+C0pfdVg1WVnVH/VhbQN4

Score

1^/10

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{074B110F-7F58-4743-AEA5-12F15B5074ED}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{074B110F-7F58-4743-AEA5-12F15B5074ED}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{074B110F-7F58-4743-AEA5-12F15B5074ED}\ = "XACTEngine"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{074B110F-7F58-4743-AEA5-12F15B5074ED}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{074B110F-7F58-4743-AEA5-12F15B5074ED}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1f2c95527db202acc8fd0a6b2548b5a0ed2deacf2da91e93503d311cc11d3d48.dll"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2980	2872	regsvr32.exe	28
PID 2872 wrote to memory of 2980	2872	regsvr32.exe	28
PID 2872 wrote to memory of 2980	2872	regsvr32.exe	28
PID 2872 wrote to memory of 2980	2872	regsvr32.exe	28
PID 2872 wrote to memory of 2980	2872	regsvr32.exe	28
PID 2872 wrote to memory of 2980	2872	regsvr32.exe	28
PID 2872 wrote to memory of 2980	2872	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f2c95527db202acc8fd0a6b2548b5a0ed2deacf2da91e93503d311cc11d3d48.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\1f2c95527db202acc8fd0a6b2548b5a0ed2deacf2da91e93503d311cc11d3d48.dll
  2⤵
  - Modifies registry class
  PID:2980