46c8d04c28e274e8e1c1d91f3522a2f354e27cc26da67adabcefce8cc0371807

Analysis

max time kernel
25s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02-01-2023 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uses of Additional Files/WinAll/BeholdTV/amd64/bhkspex.dll
Size

103KB
MD5

d78686b8130fec68e1a75cec4d2962ae
SHA1

1816da02e7f8f678b11e4152d56b8af9a9c10469
SHA256

051be9377f04204ec5df434c451231bceca75b04c230b229160b3e27acfc4484
SHA512

883b89182b48018eea8d9dc77e65fadb769545579f175b5f4360f8d30669f32f748165310609b46c0bfdb628789b089f405aa94cc0a61d4221b83700706bdc44
SSDEEP

3072:p8N/5h8XgEu5C2QltfiNW/cp/gi/uRcEgZF0IIRlVNgZ:hmgi2RcEgHIRV

Score

8^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF0D4D2B-0216-4667-9C3A-DFE51528B355}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D47A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D48A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7A98-81FF-4413-B723-A3BC5897DE71}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7A98-81FF-4413-B723-A3BC5897DE71}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF0D4D0B-0216-4667-9C3A-DFE51528B355}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D47A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uses of Additional Files\\WinAll\\BeholdTV\\amd64\\bhkspex.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7A88-81FF-4413-B723-A3BC5897DE71}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uses of Additional Files\\WinAll\\BeholdTV\\amd64\\bhkspex.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7A88-81FF-4413-B723-A3BC5897DE71}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF0D4D0B-0216-4667-9C3A-DFE51528B355}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF0D4D0B-0216-4667-9C3A-DFE51528B355}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uses of Additional Files\\WinAll\\BeholdTV\\amd64\\bhkspex.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7AA8-81FF-4413-B723-A3BC5897DE71}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uses of Additional Files\\WinAll\\BeholdTV\\amd64\\bhkspex.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7AA8-81FF-4413-B723-A3BC5897DE71}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D46A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D47A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D48A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uses of Additional Files\\WinAll\\BeholdTV\\amd64\\bhkspex.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7A88-81FF-4413-B723-A3BC5897DE71}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7A98-81FF-4413-B723-A3BC5897DE71}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uses of Additional Files\\WinAll\\BeholdTV\\amd64\\bhkspex.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF0D4D2B-0216-4667-9C3A-DFE51528B355}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uses of Additional Files\\WinAll\\BeholdTV\\amd64\\bhkspex.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D46A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D46A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uses of Additional Files\\WinAll\\BeholdTV\\amd64\\bhkspex.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D48A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7AA8-81FF-4413-B723-A3BC5897DE71}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF0D4D2B-0216-4667-9C3A-DFE51528B355}\InprocServer32	regsvr32.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D47A-AF8A-40B0-AD1C-9A37F9A15768}\ = "BHKSPEX Digital Capture Property Page"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7A88-81FF-4413-B723-A3BC5897DE71}\ = "BHKSPEX Empress Base Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7A98-81FF-4413-B723-A3BC5897DE71}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7A98-81FF-4413-B723-A3BC5897DE71}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uses of Additional Files\\WinAll\\BeholdTV\\amd64\\bhkspex.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7A98-81FF-4413-B723-A3BC5897DE71}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF0D4D0B-0216-4667-9C3A-DFE51528B355}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF0D4D2B-0216-4667-9C3A-DFE51528B355}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D46A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF0D4D2B-0216-4667-9C3A-DFE51528B355}\ = "BHKSPEX Clara Stats Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7A88-81FF-4413-B723-A3BC5897DE71}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7AA8-81FF-4413-B723-A3BC5897DE71}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF0D4D0B-0216-4667-9C3A-DFE51528B355}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF0D4D0B-0216-4667-9C3A-DFE51528B355}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uses of Additional Files\\WinAll\\BeholdTV\\amd64\\bhkspex.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D48A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D48A-AF8A-40B0-AD1C-9A37F9A15768}\ = "BHKSPEX DVB Property Page"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7A88-81FF-4413-B723-A3BC5897DE71}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uses of Additional Files\\WinAll\\BeholdTV\\amd64\\bhkspex.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF0D4D0B-0216-4667-9C3A-DFE51528B355}\ = "BHKSPEX Clara Base Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF0D4D2B-0216-4667-9C3A-DFE51528B355}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D46A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7A88-81FF-4413-B723-A3BC5897DE71}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7AA8-81FF-4413-B723-A3BC5897DE71}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF0D4D2B-0216-4667-9C3A-DFE51528B355}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uses of Additional Files\\WinAll\\BeholdTV\\amd64\\bhkspex.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D48A-AF8A-40B0-AD1C-9A37F9A15768}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D46A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uses of Additional Files\\WinAll\\BeholdTV\\amd64\\bhkspex.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D47A-AF8A-40B0-AD1C-9A37F9A15768}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7A98-81FF-4413-B723-A3BC5897DE71}\ = "BHKSPEX Empress Advanced Property Page"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7AA8-81FF-4413-B723-A3BC5897DE71}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uses of Additional Files\\WinAll\\BeholdTV\\amd64\\bhkspex.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF0D4D0B-0216-4667-9C3A-DFE51528B355}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF0D4D2B-0216-4667-9C3A-DFE51528B355}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D46A-AF8A-40B0-AD1C-9A37F9A15768}\ = "BHKSPEX Analog Capture Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7A98-81FF-4413-B723-A3BC5897DE71}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D47A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uses of Additional Files\\WinAll\\BeholdTV\\amd64\\bhkspex.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D47A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D48A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7A88-81FF-4413-B723-A3BC5897DE71}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7AA8-81FF-4413-B723-A3BC5897DE71}\ = "BHKSPEX Empress Stats Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D47A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D48A-AF8A-40B0-AD1C-9A37F9A15768}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uses of Additional Files\\WinAll\\BeholdTV\\amd64\\bhkspex.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{372E7AA8-81FF-4413-B723-A3BC5897DE71}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1150D46A-AF8A-40B0-AD1C-9A37F9A15768}	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Uses of Additional Files\WinAll\BeholdTV\amd64\bhkspex.dll"
1⤵
- Registers COM server for autorun
- Modifies registry class
PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1724-54-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download