b29f89a92a857b4fef844296a858b4bdc3457c423f2769955ad28277a170d982

Analysis

max time kernel
93s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b29f89a92a857b4fef844296a858b4bdc3457c423f2769955ad28277a170d982.dll
Size

597KB
MD5

6417f70f804f2def152f11996ddc5891
SHA1

63fa9226ee1875587daa388d1fbe4dbf42c0a8db
SHA256

b29f89a92a857b4fef844296a858b4bdc3457c423f2769955ad28277a170d982
SHA512

8a28e131ed44c873354c20f6afee416c0f98f28151ec1b3f9a2d3835373c8dd4dd7b8fedcb487d399deb726970ecd6d300f7032923e7028c636ff47b9a8e6660
SSDEEP

12288:LsJYL83VnOa5v9yEmkKcjPzNidIByAX6Bm4qG8/0YGd/WjzXUkx:LsJYo3VOa5v9yEmkKcjPzNidIBy0Um71

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}\TypeLib\ = "{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\DefaultIcon	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Print\Command	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ = "VBScript Script File"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}\1.0\ = "Microsoft VBScript Globals"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACA0-160D-11D2-A8E9-00104B365C9F}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b29f89a92a857b4fef844296a858b4bdc3457c423f2769955ad28277a170d982.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ShellEx\PropertySheetHandlers	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACA2-160D-11D2-A8E9-00104B365C9F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ShellEx\PropertySheetHandlers\WSHProps	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "\"C:\\Windows\\system32\\cscript.exe\" \"%1\" %*"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACA0-160D-11D2-A8E9-00104B365C9F}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACB3-160D-11D2-A8E9-00104B365C9F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript Author\ = "VB Script Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript.Encode\ = "VB Script Language Encoding"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptEngine\ = "VBScript"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "\"C:\\Windows\\system32\\wscript.exe\" \"%1\" %*"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Print\Command\ = "\"C:\\Windows\\system32\\notepad.exe\" /p %1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}\ = "ErrObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript.RegExp\ = "VBScript Regular Expression"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBS Author\ = "VB Script Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Print	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\ = "GlobalObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACB0-160D-11D2-A8E9-00104B365C9F}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACB1-160D-11D2-A8E9-00104B365C9F}\ProxyStubClsid	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\TypeLib\ = "{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACA1-160D-11D2-A8E9-00104B365C9F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBS\ = "VB Script Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptEngine	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "\"C:\\Windows\\system32\\notepad.exe\" %1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptEngine	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3EEF9758-35FC-11D1-8CE4-00C04FC2B185}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACB3-160D-11D2-A8E9-00104B365C9F}\ProxyStubClsid	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B186}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EEF9758-35FC-11D1-8CE4-00C04FC2B187}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F4DACB2-160D-11D2-A8E9-00104B365C9F}	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 4364	1112	regsvr32.exe	81
PID 1112 wrote to memory of 4364	1112	regsvr32.exe	81
PID 1112 wrote to memory of 4364	1112	regsvr32.exe	81

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b29f89a92a857b4fef844296a858b4bdc3457c423f2769955ad28277a170d982.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\b29f89a92a857b4fef844296a858b4bdc3457c423f2769955ad28277a170d982.dll
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...