2ee980191d7bc4c5140209a95bfc80cd90b87b404a3c22ab828ac428b9d50d55

Analysis

max time kernel
94s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VnetClinfo.dll
Size

77KB
MD5

b8fdd277eb7fa93f98c3ada83020a9a3
SHA1

5bf85344ad3c5451d3e2b3d0f62783a2bd19301a
SHA256

c6d20217ba118165d6f97067493f663d11b122501384898fe899b0018daa710c
SHA512

2c6afcbb6b73cd87d99078a366973a6c58d3478948c5a20dd42d133f94dfaaad3f6b7b0d92aef75c98a051411a0bce3ff293d331900b3941ed4b0ff1377aa362
SSDEEP

768:Xv3wc77UtCcjS+8mcKgqCm36PcQ9rhRv19ClA1dJ9mQzAjsQ01jUGDQMDL7sQO:X4c77a/8mcZH0o9RjClWnAkaGEMDI

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\TypeLib\ = "{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7417B40-7D15-4372-882B-25849EBA17A6}\ = "VnetClinfo Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85BA792F-F1A6-403D-9BFA-641703E7223F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85BA792F-F1A6-403D-9BFA-641703E7223F}\TypeLib\ = "{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VNETCLINFO.VnetClinfoCtrl.1\Insertable\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VNETCLINFO.VnetClinfoCtrl.1\CLSID\ = "{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VNETCLINFO.VnetClinfoCtrl.1\Insertable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85BA792F-F1A6-403D-9BFA-641703E7223F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7417B40-7D15-4372-882B-25849EBA17A6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7417B40-7D15-4372-882B-25849EBA17A6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNETCL~1.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85BA792F-F1A6-403D-9BFA-641703E7223F}\ = "_DVnetClinfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85BA792F-F1A6-403D-9BFA-641703E7223F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\ = "_DVnetClinfoEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VNETCLINFO.VnetClinfoCtrl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\ProgID\ = "VNETCLINFO.VnetClinfoCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNETCL~1.DLL, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\Insertable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VNETCLINFO.VnetClinfoCtrl.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\ = "VnetClinfo Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNETCL~1.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85BA792F-F1A6-403D-9BFA-641703E7223F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\ = "_DVnetClinfoEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7417B40-7D15-4372-882B-25849EBA17A6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85BA792F-F1A6-403D-9BFA-641703E7223F}\ = "_DVnetClinfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VNETCLINFO.VnetClinfoCtrl.1\ = "VnetClinfo Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\Control\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VnetClinfo.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\TypeLib\ = "{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3E675CE-A02E-4F3C-95C3-74BBA404814D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85BA792F-F1A6-403D-9BFA-641703E7223F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85BA792F-F1A6-403D-9BFA-641703E7223F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85BA792F-F1A6-403D-9BFA-641703E7223F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\MiscStatus\1\ = "132497"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB303E8E-BCBC-4E76-BC72-8D3C16D2FF08}\TypeLib\ = "{5CE6169D-AB98-45E4-ADED-0D6CA74AA1D1}"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 3352	1984	regsvr32.exe	82
PID 1984 wrote to memory of 3352	1984	regsvr32.exe	82
PID 1984 wrote to memory of 3352	1984	regsvr32.exe	82

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\VnetClinfo.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\VnetClinfo.dll
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3352-0-0x0000000000450000-0x000000000045D000-memory.dmp

Filesize
52KB

Download