Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 08:47
Behavioral task: behavioral1
Sample: 176d61befdfb704573e912e0b8ec4af00a6255ebfdaf71126f58f2c7a187e366N.dll
Resource: win7-20240903-en
3 signatures
120 seconds
General
Target: 176d61befdfb704573e912e0b8ec4af00a6255ebfdaf71126f58f2c7a187e366N.dll
Size: 661KB
MD5: 52cedbb710c88c265aeecfa271f64a10
SHA1: 923981e7720e5902aee70db6822cb12996e89bc4
SHA256: 176d61befdfb704573e912e0b8ec4af00a6255ebfdaf71126f58f2c7a187e366
SHA512: bfbd41c015070b00990e1ae589fe632caaed17dbe67e2108d1e82c309b9d5beb1f84f4be13d153bdd1ac344f1623c6d8ce59d0d921f42f203cb471e865660656
SSDEEP: 6144:ra8z7+FfRI0EyS2zWlMzZg1soniDBHyzZT/P31tMyXT1CP870NwftGP+Bu+wLi14:Fz6F52GCt6DA1PbMyhf70SpzWX
Malware Config
Signatures
- resource: behavioral2/memory/4148-0-0x0000000000400000-0x0000000000420000-memory.dmp; yara_rule: upx
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regsvr32.exe)
Modifies registry class 11 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\176d61befdfb704573e912e0b8ec4af00a6255ebfdaf71126f58f2c7a187e366N.ExecuteHookWebPV\ = "Webhook1001PV" (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A717F661-41D3-11D8-9BD7-962A4BD65539}\ProgID (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A717F661-41D3-11D8-9BD7-962A4BD65539}\ = "Webhook1001PV" (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\176d61befdfb704573e912e0b8ec4af00a6255ebfdaf71126f58f2c7a187e366N.ExecuteHookWebPV (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A717F661-41D3-11D8-9BD7-962A4BD65539}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\176d61befdfb704573e912e0b8ec4af00a6255ebfdaf71126f58f2c7a187e366N.dll" (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A717F661-41D3-11D8-9BD7-962A4BD65539}\InprocServer32\ThreadingModel = "Apartment" (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\176d61befdfb704573e912e0b8ec4af00a6255ebfdaf71126f58f2c7a187e366N.ExecuteHookWebPV\Clsid (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\176d61befdfb704573e912e0b8ec4af00a6255ebfdaf71126f58f2c7a187e366N.ExecuteHookWebPV\Clsid\ = "{A717F661-41D3-11D8-9BD7-962A4BD65539}" (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A717F661-41D3-11D8-9BD7-962A4BD65539}\ProgID\ = "176d61befdfb704573e912e0b8ec4af00a6255ebfdaf71126f58f2c7a187e366N.ExecuteHookWebPV" (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A717F661-41D3-11D8-9BD7-962A4BD65539} (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A717F661-41D3-11D8-9BD7-962A4BD65539}\InprocServer32 (regsvr32.exe)
Suspicious use of WriteProcessMemory 3 IoCs
- PID 2292 wrote to memory of 4148; pid: 2292; Process: regsvr32.exe; procid_target: 83
- PID 2292 wrote to memory of 4148; pid: 2292; Process: regsvr32.exe; procid_target: 83
- PID 2292 wrote to memory of 4148; pid: 2292; Process: regsvr32.exe; procid_target: 83
Processes
1. C:\Windows\system32\regsvr32.exe
   command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\176d61befdfb704573e912e0b8ec4af00a6255ebfdaf71126f58f2c7a187e366N.dll
   PID: 2292
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe
      command line: /s C:\Users\Admin\AppData\Local\Temp\176d61befdfb704573e912e0b8ec4af00a6255ebfdaf71126f58f2c7a187e366N.dll
      PID: 4148
      - System Location Discovery: System Language Discovery
      - Modifies registry class