8454e4a8b248a7f384035e9b45d9badb5f121e9d047d9dcce22bb4ee7e73e85b

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 11:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DXSub.dll
Size

1001KB
MD5

1208025eb4b38e0ea73847c7af1538f0
SHA1

e97b852dbb8f48d3a5fe86d2fafcb06403b3fa5d
SHA256

4fb2a87ba24d9fbb3a30c1578086a61f5b565f87de6e0bb9d9d4e345393355b0
SHA512

e28a08e9b22d03838167d3c2dee5270da2847bcd014dc0d4019d4762b20398cbadc4756869ffc6a329ddbad0b55846f16e6ba234c7caf9dd89b9fd3587fb79be
SSDEEP

24576:MV8UccthFlNGx4XXrftmROf+h1MB0MMNkHra4gGLZ:Qc2cMMKLauLZ

Score

1^/10

Malware Config

Signatures

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{495CF191-810D-44C7-92C5-E7D46AE00F44}\ = "VMR7 无渲染"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7612B889-E070-4BCC-B808-91CB794174AB}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{4E4834FA-22C2-40E2-9446-F77DD05D245E}\FilterData = 020000000000200001000000000000003070693300000000000000000100000000000000000000003074793300000000380000003800000000000000000000000000000000000000	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{7612B889-E070-4BCC-B808-91CB794174AB}\CLSID = "{7612B889-E070-4BCC-B808-91CB794174AB}"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{C2B3958A-BAC3-4C58-B4FB-3168D4AE2498}\FilterData = 020000000000200001000000000000003070693300000000000000000100000000000000000000003074793300000000380000003800000000000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{4E4834FA-22C2-40E2-9446-F77DD05D245E}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{495CF191-810D-44C7-92C5-E7D46AE00F44}\FilterData = 020000000000200001000000000000003070693300000000000000000100000000000000000000003074793300000000380000003800000000000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{495CF191-810D-44C7-92C5-E7D46AE00F44}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{7612B889-E070-4BCC-B808-91CB794174AB}\FriendlyName = "VEVR 无渲染"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{C2B3958A-BAC3-4C58-B4FB-3168D4AE2498}\FriendlyName = "VobSub"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{495CF191-810D-44C7-92C5-E7D46AE00F44}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E4834FA-22C2-40E2-9446-F77DD05D245E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DXSub.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7612B889-E070-4BCC-B808-91CB794174AB}\ = "VEVR 无渲染"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7612B889-E070-4BCC-B808-91CB794174AB}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C2B3958A-BAC3-4C58-B4FB-3168D4AE2498}\ = "VobSub_BF"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C2B3958A-BAC3-4C58-B4FB-3168D4AE2498}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C2B3958A-BAC3-4C58-B4FB-3168D4AE2498}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DXSub.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7612B889-E070-4BCC-B808-91CB794174AB}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DXSub.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{4E4834FA-22C2-40E2-9446-F77DD05D245E}\CLSID = "{4E4834FA-22C2-40E2-9446-F77DD05D245E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{7612B889-E070-4BCC-B808-91CB794174AB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{C2B3958A-BAC3-4C58-B4FB-3168D4AE2498}\CLSID = "{C2B3958A-BAC3-4C58-B4FB-3168D4AE2498}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E4834FA-22C2-40E2-9446-F77DD05D245E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E4834FA-22C2-40E2-9446-F77DD05D245E}\ = "VMR9 无渲染"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E4834FA-22C2-40E2-9446-F77DD05D245E}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7612B889-E070-4BCC-B808-91CB794174AB}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C2B3958A-BAC3-4C58-B4FB-3168D4AE2498}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{4E4834FA-22C2-40E2-9446-F77DD05D245E}\FriendlyName = "VMR9 无渲染"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E4834FA-22C2-40E2-9446-F77DD05D245E}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{495CF191-810D-44C7-92C5-E7D46AE00F44}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DXSub.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C2B3958A-BAC3-4C58-B4FB-3168D4AE2498}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{C2B3958A-BAC3-4C58-B4FB-3168D4AE2498}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{495CF191-810D-44C7-92C5-E7D46AE00F44}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{495CF191-810D-44C7-92C5-E7D46AE00F44}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{495CF191-810D-44C7-92C5-E7D46AE00F44}\FriendlyName = "VMR7 无渲染"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{495CF191-810D-44C7-92C5-E7D46AE00F44}\CLSID = "{495CF191-810D-44C7-92C5-E7D46AE00F44}"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{7612B889-E070-4BCC-B808-91CB794174AB}\FilterData = 020000000000200001000000000000003070693300000000000000000100000000000000000000003074793300000000380000003800000000000000000000000000000000000000	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2348	2328	regsvr32.exe	31
PID 2328 wrote to memory of 2348	2328	regsvr32.exe	31
PID 2328 wrote to memory of 2348	2328	regsvr32.exe	31
PID 2328 wrote to memory of 2348	2328	regsvr32.exe	31
PID 2328 wrote to memory of 2348	2328	regsvr32.exe	31
PID 2328 wrote to memory of 2348	2328	regsvr32.exe	31
PID 2328 wrote to memory of 2348	2328	regsvr32.exe	31

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DXSub.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\DXSub.dll
  2⤵
  - Modifies registry class
  PID:2348

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads