443d3e3815be8ff062a9929537ed57a30e0c0195a41255d5ec17ef44a5f0c77f

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

443d3e3815be8ff062a9929537ed57a30e0c0195a41255d5ec17ef44a5f0c77f.dll
Size

1.1MB
MD5

690d0736005f78f4ae858677be2128c7
SHA1

6be9ae22ef0e865c7003d13ab273970d6e583910
SHA256

443d3e3815be8ff062a9929537ed57a30e0c0195a41255d5ec17ef44a5f0c77f
SHA512

2a8140d50ddec3ad960ec37e30391d4d526ac3f685adb98285b5aced9a95c99fcf2f5bec9bcdc219fe4965e693f493d1bc0af0f002ded0e478c81fdde7fcc412
SSDEEP

12288:enA+oU4N2XgcogmTLIuayWvqA2iYb4o0f1jph2y+O5F1nt9zzxTHmDzlTPkL:pU4Nb7i5Yb50tjf+sF1nNmvlO

Score

1^/10

Malware Config

Signatures

Modifies registry class 61 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE4FABEE-C190-4B33-ABBE-D375C9BB4642}\ProgID\ = "SWOutlook.OutlookAddIn.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA8FC2A0-6BBD-40BB-921C-361100D22508}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7E9A3930-A7E2-407C-83CE-C6D58A64D0D9}\ = "SWOutlook"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE4FABEE-C190-4B33-ABBE-D375C9BB4642}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA8FC2A0-6BBD-40BB-921C-361100D22508}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B5C3E2D-05EB-4B8B-8B33-CE01F1D98860}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SWOutlook.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SWOutlook.OutlookAddIn.1\ = "VIRUSfighter OutlookAddIn Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE4FABEE-C190-4B33-ABBE-D375C9BB4642}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SWOutlook.DLL\AppID = "{7E9A3930-A7E2-407C-83CE-C6D58A64D0D9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B5C3E2D-05EB-4B8B-8B33-CE01F1D98860}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\443d3e3815be8ff062a9929537ed57a30e0c0195a41255d5ec17ef44a5f0c77f.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B5C3E2D-05EB-4B8B-8B33-CE01F1D98860}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B5C3E2D-05EB-4B8B-8B33-CE01F1D98860}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B5C3E2D-05EB-4B8B-8B33-CE01F1D98860}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA8FC2A0-6BBD-40BB-921C-361100D22508}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\443d3e3815be8ff062a9929537ed57a30e0c0195a41255d5ec17ef44a5f0c77f.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SWOutlook.OutlookAddIn.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE4FABEE-C190-4B33-ABBE-D375C9BB4642}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE4FABEE-C190-4B33-ABBE-D375C9BB4642}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\443d3e3815be8ff062a9929537ed57a30e0c0195a41255d5ec17ef44a5f0c77f.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE4FABEE-C190-4B33-ABBE-D375C9BB4642}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE4FABEE-C190-4B33-ABBE-D375C9BB4642}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B5C3E2D-05EB-4B8B-8B33-CE01F1D98860}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SWOutlook.OutlookAddIn.1\CLSID\ = "{BE4FABEE-C190-4B33-ABBE-D375C9BB4642}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SWOutlook.OutlookAddIn\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\ = "IConnect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE4FABEE-C190-4B33-ABBE-D375C9BB4642}\TypeLib\ = "{}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B5C3E2D-05EB-4B8B-8B33-CE01F1D98860}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B5C3E2D-05EB-4B8B-8B33-CE01F1D98860}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SWOutlook.OutlookAddIn	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE4FABEE-C190-4B33-ABBE-D375C9BB4642}\AppID = "{7E9A3930-A7E2-407C-83CE-C6D58A64D0D9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\ProxyStubClsid32\ = "{BA8FC2A0-6BBD-40BB-921C-361100D22508}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE4FABEE-C190-4B33-ABBE-D375C9BB4642}\ = "VIRUSfighter OutlookAddIn Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE4FABEE-C190-4B33-ABBE-D375C9BB4642}\VersionIndependentProgID\ = "SWOutlook.OutlookAddIn"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\TypeLib\ = "{1B5C3E2D-05EB-4B8B-8B33-CE01F1D98860}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SWOutlook.OutlookAddIn\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\NumMethods\ = "7"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B5C3E2D-05EB-4B8B-8B33-CE01F1D98860}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\TypeLib\ = "{1B5C3E2D-05EB-4B8B-8B33-CE01F1D98860}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SWOutlook.OutlookAddIn.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SWOutlook.OutlookAddIn\CLSID\ = "{BE4FABEE-C190-4B33-ABBE-D375C9BB4642}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE4FABEE-C190-4B33-ABBE-D375C9BB4642}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SWOutlook.OutlookAddIn\CurVer\ = "SWOutlook.OutlookAddIn.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\ = "IConnect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B5C3E2D-05EB-4B8B-8B33-CE01F1D98860}\1.0\ = "SWOutlook 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA8FC2A0-6BBD-40BB-921C-361100D22508}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7E9A3930-A7E2-407C-83CE-C6D58A64D0D9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SWOutlook.OutlookAddIn\ = "VIRUSfighter OutlookAddIn Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BE4FABEE-C190-4B33-ABBE-D375C9BB4642}\Programmable	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2356	2752	regsvr32.exe	28
PID 2752 wrote to memory of 2356	2752	regsvr32.exe	28
PID 2752 wrote to memory of 2356	2752	regsvr32.exe	28
PID 2752 wrote to memory of 2356	2752	regsvr32.exe	28
PID 2752 wrote to memory of 2356	2752	regsvr32.exe	28
PID 2752 wrote to memory of 2356	2752	regsvr32.exe	28
PID 2752 wrote to memory of 2356	2752	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\443d3e3815be8ff062a9929537ed57a30e0c0195a41255d5ec17ef44a5f0c77f.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\443d3e3815be8ff062a9929537ed57a30e0c0195a41255d5ec17ef44a5f0c77f.dll
  2⤵
  - Modifies registry class
  PID:2356

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads