43970e64f251040e9284a4cec968b01cce4a3cd23be67a1f21dd14e54f7a9bf1

Analysis

max time kernel
12s
max time network
53s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-04-2022 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adobe-Photoshop-CC-2022-1.4-main/packages/packages/DismCorePS.dll
Size

151KB
MD5

b660794b7cfdc709e2e7f5f6ae2da336
SHA1

aad485e91300bdfe2692623690e8a6b4f72caa7e
SHA256

c9028ee0dda7e53254db71472b3cef96e13931d97a1ae2919446c4b946cbc22d
SHA512

e68ca373ff4b363368f4fe61dbe939cafcd4e2cc675d5babb937948593fb0527340da63d5b2617659af5fe04ed99174be42ffbf6142a8986266fdadf99d46d00

Score

10^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{572F3374-7DAE-47AB-88AF-BD6CA29252FE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A08538A6-B9FF-47C2-B228-B93612EF114B}\ProxyStubClsid32\ = "{BE33A527-42FE-43A4-AC5E-C1D059FC705F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F92CF95-462B-4BDA-A1D4-B6CB74CEFB5C}\ = "IDismConfiguration"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E1C59A6-272F-4212-A6D3-8DC6CDDF813A}\ = "IDismRegistry"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE33A527-42FE-43A4-AC5E-C1D059FC705F}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe-Photoshop-CC-2022-1.4-main\\packages\\packages\\DismCorePS.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BED6686-EEB7-40B7-97F9-FABCC5EFAEC2}\ProxyStubClsid32\ = "{BE33A527-42FE-43A4-AC5E-C1D059FC705F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D4FCE31-F767-45E4-B2E9-5400E3E1389A}\NumMethods\ = "13"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7970DE73-63E8-43E9-9F61-81BDC748F29B}\ = "IDismImageInfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DADAD7BB-2B1D-4EDB-9014-B1912E1A2E3D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AF61D22-D513-4417-8838-61F8724EDC4F}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3BC3752E-74C5-46F0-B50C-12FF269D5BB1}\ProxyStubClsid32\ = "{BE33A527-42FE-43A4-AC5E-C1D059FC705F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2C60889-8E0F-4A21-9F5B-E80F0B13C8D8}\ProxyStubClsid32\ = "{BE33A527-42FE-43A4-AC5E-C1D059FC705F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B6BBFA2-F817-423B-A83C-103AD54615D4}\NumMethods\ = "15"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E40DD35A-89E1-4619-AD21-EF97D29B5D00}\ProxyStubClsid32\ = "{BE33A527-42FE-43A4-AC5E-C1D059FC705F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BED6686-EEB7-40B7-97F9-FABCC5EFAEC2}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1B47F29-955C-49A5-B0A5-5018207FDE69}\NumMethods\ = "8"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45554AF5-6058-4913-8E5F-C9B79D5995CF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C112610A-5D2A-4D52-8082-EDCD5A5EB11D}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{572F3374-7DAE-47AB-88AF-BD6CA29252FE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A064B65-3CEC-491B-A2D4-8D1D4DA6DECC}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{671FCAAF-CF96-4B46-AC3D-7B968FBBCC3F}\ = "IDismDriverPackage2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF3F6E13-25C0-40E7-A6D4-357FE61EF40A}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13A81F76-50E2-11E0-B744-00123F3FC6DD}\ProxyStubClsid32\ = "{BE33A527-42FE-43A4-AC5E-C1D059FC705F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3CCF844-82C9-431E-8D29-5BD09F8C9B70}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{722DE115-1404-4BF8-BCEE-DE0B7B580671}\NumMethods\ = "10"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45554AF5-6058-4913-8E5F-C9B79D5995CF}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F81A121-C3C5-4E94-B7AE-22B532F9F3A8}\ = "IDismPackage2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63E0AF82-28E4-4145-AE9A-AADD715C1251}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BB62BF9-01A0-49A7-BE40-FB5445B29BEF}\ = "IDismImage"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7970DE73-63E8-43E9-9F61-81BDC748F29B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD7FC505-69BC-49CB-8C58-1D1DA547B7E2}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8066238-FDD5-4195-8155-2371E0E61CC5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCED1A68-143B-4C8C-8451-F155BDE821DB}\ = "IDismAssocSupport"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C551557-21C2-4907-BE82-35D7EEF5BB13}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F8EF44D0-94F1-4DFB-BAD8-7B13830BA06E}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6ABC167-33B8-4A00-BE58-12EC5B013598}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF0E7A8B-7B7C-411B-968B-11AA898BB03A}\ProxyStubClsid32\ = "{BE33A527-42FE-43A4-AC5E-C1D059FC705F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E1CB72F-C47D-42EE-8CCA-4CEB35B3FE17}\ = "IDismDriverCollection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{671FCAAF-CF96-4B46-AC3D-7B968FBBCC3F}\NumMethods\ = "24"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2114DAEC-42FD-4847-8A04-5F2DDE3276A3}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F8A8AEF3-1322-4E1D-BBF1-0A228C6FE193}\NumMethods\ = "8"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC9ED95-CF41-4685-BEAA-70531031FEC4}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BB62BF9-01A0-49A7-BE40-FB5445B29BEF}\ProxyStubClsid32\ = "{BE33A527-42FE-43A4-AC5E-C1D059FC705F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31FC95C6-FBC9-4EB6-80FC-2672D6137BFE}\ProxyStubClsid32\ = "{BE33A527-42FE-43A4-AC5E-C1D059FC705F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18CAABCD-EB4C-4DF3-9FF1-B5D24E655F33}\NumMethods\ = "10"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E6EB080-3384-4155-A4A7-5E43BBAFB2F3}\ = "IDismStringCollection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{40E0E56D-3D1D-4F5C-B325-0121423677C6}\ = "IDismAppxPackageInfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCED1A68-143B-4C8C-8451-F155BDE821DB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46CE4564-E88A-4EAE-BD7C-DA221F61E0C7}\ = "IDismComponentStoreReport"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3CCF844-82C9-431E-8D29-5BD09F8C9B70}\NumMethods\ = "10"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E1C59A6-272F-4212-A6D3-8DC6CDDF813A}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD7FC505-69BC-49CB-8C58-1D1DA547B7E2}\ProxyStubClsid32\ = "{BE33A527-42FE-43A4-AC5E-C1D059FC705F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F316031B-3C98-4F20-B9CB-A3B8702DDDD8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3CCF844-82C9-431E-8D29-5BD09F8C9B70}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AF61D22-D513-4417-8838-61F8724EDC4F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C551557-21C2-4907-BE82-35D7EEF5BB13}\ProxyStubClsid32\ = "{BE33A527-42FE-43A4-AC5E-C1D059FC705F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1817AEF-4351-4721-9A62-5DEDA9DA246C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{407C0F0F-0540-4900-AFD2-52925246DCB3}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{88D4518A-41A8-49B0-A087-A3D6FC1D298E}\ = "IDismPropertyCollection"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2AE57C57-B894-4342-98E5-B627C6CEEAE6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1B47F29-955C-49A5-B0A5-5018207FDE69}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B629EEF0-2060-43A0-A180-7D04351C3903}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F81A121-C3C5-4E94-B7AE-22B532F9F3A8}\NumMethods	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Adobe-Photoshop-CC-2022-1.4-main\packages\packages\DismCorePS.dll
1⤵
- Modifies registry class
PID:952

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/952-54-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download