0436fd55a874ef3acf5a5ce382b8fd43014d39e5a59f788c4b4f66d943b48ad8

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/01/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anubis_Cracker_v1.2.1/mstscax.dll
Size

6.3MB
MD5

d2ecfeb7878010245ab8b3df577bb33a
SHA1

5c0fa6f27812731b2e69e9fa9b65fed6a9e5a6dd
SHA256

2ace1854323cd9a19a96f7b1eb079580afe480483b10bc5058a811207a5a455b
SHA512

575c68a58dd358afedae7c7bee12b1c23b906ed88dc5c0251e8d92343427dc335622bbb9ae665fc98f5e9b6238310c198421fddcbd5f93026b339103e3b40be5
SSDEEP

196608:uJ0gWhydrU/OHs3xJC5yhjm8w2ZlJalR2BhakBaevJp/4OnnlRCNtdIohyiiPPQo:+0gWhydrUmHs3xE0jm8w2XJs4BhakBaQ

Score

7^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5F681803-2900-4C43-A1CC-CF405404A676}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAB16C5D-EED1-4E95-868B-0FBA1B42C092}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAB16C5D-EED1-4E95-868B-0FBA1B42C092}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Anubis_Cracker_v1.2.1\\mstscax.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1230201-1439-4E62-A414-190D0AC3D40E}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3BC03A0-041D-42E3-AD22-882B7865C9C5}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5F681803-2900-4C43-A1CC-CF405404A676}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Anubis_Cracker_v1.2.1\\mstscax.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5F681803-2900-4C43-A1CC-CF405404A676}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3BC03A0-041D-42E3-AD22-882B7865C9C5}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5F681803-2900-4C43-A1CC-CF405404A676}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAB16C5D-EED1-4E95-868B-0FBA1B42C092}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3BC03A0-041D-42E3-AD22-882B7865C9C5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Anubis_Cracker_v1.2.1\\mstscax.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3BC03A0-041D-42E3-AD22-882B7865C9C5}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3BC03A0-041D-42E3-AD22-882B7865C9C5}\TypeLib\ = "{8C11EFA1-92C3-11D1-BC1E-00C04FA31489}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D54BC4E-1028-45D4-8B0A-B9B6BFFBA176}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{260EC22D-8CBC-44B5-9E88-2A37F6C93AE9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B7ACC97-F3C9-46F7-8C5B-FA685D3441B1}\NumMethods\ = "6"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAB16C5D-EED1-4E95-868B-0FBA1B42C092}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{011C3236-4D81-4515-9143-067AB630D299}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{079863B7-6D47-4105-8BFE-0CDCB360E67D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5F681803-2900-4C43-A1CC-CF405404A676}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{260EC22D-8CBC-44B5-9E88-2A37F6C93AE9}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230207-D6A7-11D8-B9FD-000BDBD1F198}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5F681803-2900-4C43-A1CC-CF405404A676}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteDesktopClient.RemoteDesktopClient	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57D25668-625A-4905-BE4E-304CAA13F89C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230204-D6A7-11D8-B9FD-000BDBD1F198}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3BC03A0-041D-42E3-AD22-882B7865C9C5}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteDesktopClient.RemoteDesktopClient\ = "RemoteDesktopClient Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48A0F2A7-2713-431F-BBAC-6F4558E7D64D}\ = "IRemoteDesktopClientSettings"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230206-9A39-4D58-8674-CDB4DFF4E73B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3BC03A0-041D-42E3-AD22-882B7865C9C5}\Control	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3BC03A0-041D-42E3-AD22-882B7865C9C5}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAB16C5D-EED1-4E95-868B-0FBA1B42C092}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Anubis_Cracker_v1.2.1\\mstscax.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92C38A7D-241A-418C-9936-099872C9AF20}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D54BC4E-1028-45D4-8B0A-B9B6BFFBA176}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5F681803-2900-4C43-A1CC-CF405404A676}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8C11EFA1-92C3-11D1-BC1E-00C04FA31489}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{57D25668-625A-4905-BE4E-304CAA13F89C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{260EC22D-8CBC-44B5-9E88-2A37F6C93AE9}\TypeLib\ = "{8C11EFA1-92C3-11D1-BC1E-00C04FA31489}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92C38A7D-241A-418C-9936-099872C9AF20}\TypeLib\ = "{8C11EFA1-92C3-11D1-BC1E-00C04FA31489}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{011C3236-4D81-4515-9143-067AB630D299}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{260EC22D-8CBC-44B5-9E88-2A37F6C93AE9}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3BC03A0-041D-42E3-AD22-882B7865C9C5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAB16C5D-EED1-4E95-868B-0FBA1B42C092}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92C38A7D-241A-418C-9936-099872C9AF20}\TypeLib\ = "{8C11EFA1-92C3-11D1-BC1E-00C04FA31489}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{011C3236-4D81-4515-9143-067AB630D299}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48A0F2A7-2713-431F-BBAC-6F4558E7D64D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D54BC4E-1028-45D4-8B0A-B9B6BFFBA176}\TypeLib\ = "{8C11EFA1-92C3-11D1-BC1E-00C04FA31489}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D5B21AC-748D-41DE-8F30-E15169586BD4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{079863B7-6D47-4105-8BFE-0CDCB360E67D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D54BC4E-1028-45D4-8B0A-B9B6BFFBA176}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4247E044-9271-43A9-BC49-E2AD9E855D62}\TypeLib\ = "{8C11EFA1-92C3-11D1-BC1E-00C04FA31489}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89ACB528-2557-4D16-8625-226A30E97E9A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{079863B7-6D47-4105-8BFE-0CDCB360E67D}\TypeLib\ = "{8C11EFA1-92C3-11D1-BC1E-00C04FA31489}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA326091-05FE-40C1-B49C-3D2EF4626A0E}\ProxyStubClsid32\ = "{A1230201-1439-4E62-A414-190D0AC3D40E}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5F681803-2900-4C43-A1CC-CF405404A676}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92C38A7D-241A-418C-9936-099872C9AF20}\ = "ITSRemoteProgram2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D54BC4E-1028-45D4-8B0A-B9B6BFFBA176}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D54BC4E-1028-45D4-8B0A-B9B6BFFBA176}\ = "IRemoteDesktopClientActions"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{260EC22D-8CBC-44B5-9E88-2A37F6C93AE9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1230201-1439-4E62-A414-190D0AC3D40E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3E07363-087C-476C-86A7-DBB15F46DDB4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{57D25668-625A-4905-BE4E-304CAA13F89C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28904001-04B6-436C-A55B-0AF1A0883DC9}\TypeLib\ = "{8C11EFA1-92C3-11D1-BC1E-00C04FA31489}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{011C3236-4D81-4515-9143-067AB630D299}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B7ACC97-F3C9-46F7-8C5B-FA685D3441B1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3BC03A0-041D-42E3-AD22-882B7865C9C5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Anubis_Cracker_v1.2.1\\mstscax.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3BC03A0-041D-42E3-AD22-882B7865C9C5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92C38A7D-241A-418C-9936-099872C9AF20}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4247E044-9271-43A9-BC49-E2AD9E855D62}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89ACB528-2557-4D16-8625-226A30E97E9A}\ = "IMsRdpClientAdvancedSettings8"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{079863B7-6D47-4105-8BFE-0CDCB360E67D}\TypeLib\ = "{8C11EFA1-92C3-11D1-BC1E-00C04FA31489}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5F681803-2900-4C43-A1CC-CF405404A676}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D5B21AC-748D-41DE-8F30-E15169586BD4}\ProxyStubClsid32	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Anubis_Cracker_v1.2.1\mstscax.dll
1⤵
- Registers COM server for autorun
- Modifies registry class
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads