0bb6eadf8a17bd99c76b17265bf6107001a23af1554835bb4e63d5aa352b64b4

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

打印共享修复Fix/Win7_X64/win32spl.dll
Size

743KB
MD5

6fc904493f366f0a10d6cd03a8c4b933
SHA1

c8cac1aa85ac7417ea64d3ad77b7c13ebc02f1f4
SHA256

81be67de5cbff88e8b950fc28a786dc64c8de80e9aba4438432ab9f1776af1aa
SHA512

ab438ed0b4c87825b0219050185892fbc1831c3343ef6bb03276fa02615b0e9ea8adb844a5f5fd617ba62560d99fc325246ad29c3e774840342f814c9a0dbfb7
SSDEEP

6144:lCwDdWRKFexLic4IV1510RfjkEsZzBKfa/1UodGcSuZ1OkZ5TGTri4NTYYZP+E5V:wwD4KFeBijIDSfjkVrUodJ3Z529v3E6

Score

8^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\打印共享修复Fix\\Win7_X64\\win32spl.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe

Modifies registry class 29 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManager\ = "Client Side Rendering Cache Manager"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\ProgID\ = "ClientSideRenderingCacheManager.ClientSideRenderingCacheManage.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\VersionIndependentProgID\ = "ClientSideRenderingCacheManager.ClientSideRenderingCacheManager"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManager	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManage.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManage.1\CLSID\ = "{36DC67DC-D792-49B7-BC53-BE67D4D86493}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManage.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\TypeLib\ = "{052A1799-2BD5-4ED6-A254-8E850C48F41A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\ = "Client Side Rendering Cache Manager"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\ = "csrspl 1.0 Cache Manager Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\打印共享修复Fix\\Win7_X64\\win32spl.dll\\2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\打印共享修复Fix\\Win7_X64\\win32spl.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManage.1\ = "Client Side Rendering Cache Manager"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36DC67DC-D792-49B7-BC53-BE67D4D86493}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManager\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClientSideRenderingCacheManager.ClientSideRenderingCacheManager\CLSID\ = "{36DC67DC-D792-49B7-BC53-BE67D4D86493}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{052A1799-2BD5-4ED6-A254-8E850C48F41A}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\打印共享修复Fix\\Win7_X64"	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\打印共享修复Fix\Win7_X64\win32spl.dll
1⤵
- Registers COM server for autorun
- Modifies registry class
PID:1480

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1480-54-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download