Overview

Tasks (score, sample, platform)
Static task (static1): score 7
Behavioral tasks, all run on windows10-2004-x64:
  score 3  MaestroPro v9.zip
  score 1  AUTORUN.inf
  score 1  Disk1/0x0409.ini
  score 1  Disk1/ISSetup.dll
  score 1  Disk1/data1.cab
  score 1  Disk1/data1.hdr
  score 3  Disk1/data2.cab
  score 1  Disk1/engine32.cab
  score 1  DotNetInstaller.exe
  score 1  IScript.dll
  score 1  IUser.dll
  score 1  IsProBE9x.tlb
  score 3  IsProBENT.tlb
  score 3  ctor.dll
  score 1  iKernel.rgs
  score 3  ikernel.dll
  score 1  objectps.dll
  score 1  Disk1/layout.bin
  score 3  Disk1/setup.boot
  score 3  Disk1/setup.exe
  score 4  Disk1/setup.ini
  score 1  Disk1/setup.inx
  score 3  Manuals/OR...es.pdf
  score 1  Manuals/V9...al.pdf
  score 1  Support/vc...86.exe
Analysis
Score: 7
Max time kernel: 446s
Max time network: 451s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 02-02-2024 14:59
Static task: static1

Behavioral tasks (task, sample, resource)
behavioral1   MaestroPro v9.zip                   win10v2004-20231222-en
behavioral2   AUTORUN.inf                         win10v2004-20231215-en
behavioral3   Disk1/0x0409.ini                    win10v2004-20231215-en
behavioral4   Disk1/ISSetup.dll                   win10v2004-20231215-en
behavioral5   Disk1/data1.cab                     win10v2004-20231215-en
behavioral6   Disk1/data1.hdr                     win10v2004-20231222-en
behavioral7   Disk1/data2.cab                     win10v2004-20231215-en
behavioral8   Disk1/engine32.cab                  win10v2004-20231215-en
behavioral9   DotNetInstaller.exe                 win10v2004-20231215-en
behavioral10  IScript.dll                         win10v2004-20231215-en
behavioral11  IUser.dll                           win10v2004-20231222-en
behavioral12  IsProBE9x.tlb                       win10v2004-20231215-en
behavioral13  IsProBENT.tlb                       win10v2004-20231215-en
behavioral14  ctor.dll                            win10v2004-20231222-en
behavioral15  iKernel.rgs                         win10v2004-20231215-en
behavioral16  ikernel.dll                         win10v2004-20231222-en
behavioral17  objectps.dll                        win10v2004-20231215-en
behavioral18  Disk1/layout.bin                    win10v2004-20231222-en
behavioral19  Disk1/setup.boot                    win10v2004-20231215-en
behavioral20  Disk1/setup.exe                     win10v2004-20231215-en
behavioral21  Disk1/setup.ini                     win10v2004-20231215-en
behavioral22  Disk1/setup.inx                     win10v2004-20231222-en
behavioral23  Manuals/ORTEC File Structures.pdf   win10v2004-20231215-en
behavioral24  Manuals/V9 Users Manual.pdf         win10v2004-20231215-en
behavioral25  Support/vc_redist.x86.exe           win10v2004-20231215-en
General
Target: objectps.dll
Size: 32KB
MD5: f68ba4725d1aaf180ff33cf18d262c5e
SHA1: c80aa11dac0425dcc41e44a955036dbbb773cdc9
SHA256: dfb91bc980fd1267fb8032b0d36c72d08fca03bb723d895be481ae7d275174e4
SHA512: 7aba373385f2d7a9d4bba03facc2df50bb1a644580fcfbfabab090bccc835b25c48a8432325d1bf380795e92a700e45a8615138a609e8848dc7f82c9b4cfdbc8
SSDEEP: 192:wC7QKb0lcjICIpWBCaE0c2ALrk0z+gfJagCaUAgHFWSVDdHVHUCDznkwAzHks5:wrYhCYBWZzrzSeagGfHdDdJUOgss
Malware Config
Signatures
Modifies registry class (19 IoCs)
Process: regsvr32.exe (every event below)
description       ioc
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\objectps.dll"
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ProxyStubClsid32\ = "{F4817E4B-04B6-11D3-8862-00C04F72F303}"
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ThreadingModel = "Both"
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ProxyStubClsid32
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ = "PSFactoryBuffer"
Key created       \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\WOW6432Node\Interface
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ProxyStubClsid32\ = "{F4817E4B-04B6-11D3-8862-00C04F72F303}"
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ = "ISetupServiceProvider"
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\NumMethods
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\NumMethods\ = "6"
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ProxyStubClsid32
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ = "ISetupObjectClass"
Key created       \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\WOW6432Node\CLSID
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods\ = "5"
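Read together, the 19 events are a plain COM proxy/stub registration: CLSID {F4817E4B-04B6-11D3-8862-00C04F72F303} is a PSFactoryBuffer whose in-process server is objectps.dll, and the two interfaces {F4817E4B-...} (ISetupServiceProvider, 6 methods) and {9B697780-...} (ISetupObjectClass, 5 methods) point their ProxyStubClsid32 at it. The only detail worth a second look is that a machine-wide (HKLM) InProcServer32 resolves into C:\Users\Admin\AppData\Local\Temp; here that is consistent with the sandbox running regsvr32 against the submitted file where it was extracted, but on a real host a COM class whose server lives in a per-user writable directory is exactly the shape of a COM hijack. The following Python triage script is an added example, not part of the report or the sandbox; it parses the report's own IoC lines (embedded verbatim below) into CLSID and Interface records, notes the WOW6432Node redirection, and flags HKLM classes served from user-writable paths. The path patterns in USER_WRITABLE are an assumption chosen for this illustration.

```python
import re
from collections import defaultdict

# Registry IoC lines copied from the "Modifies registry class" signature above,
# one event per entry (the report runs them together on one line). The Key
# created events included are a subset, enough to exercise both event shapes.
IOC_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\objectps.dll" regsvr32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303} regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ProxyStubClsid32\ = "{F4817E4B-04B6-11D3-8862-00C04F72F303}" regsvr32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32 regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ThreadingModel = "Both" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ = "PSFactoryBuffer" regsvr32.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\WOW6432Node\Interface regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ProxyStubClsid32\ = "{F4817E4B-04B6-11D3-8862-00C04F72F303}" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ = "ISetupServiceProvider" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\NumMethods\ = "6" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ = "ISetupObjectClass" regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods\ = "5" regsvr32.exe',
]

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
SET_RE = re.compile(r'^Set value \(\w+\) (?P<path>\S+) = "(?P<data>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r"^Key created (?P<key>\S+) (?P<proc>\S+)$")
# ...\CLSID\{guid} or ...\Interface\{guid}, optionally followed by a subkey path.
CLASS_RE = re.compile(r"\\(CLSID|Interface)\\(" + GUID + r")(?:\\(.+))?$")
# Assumed set of locations a non-admin user (or everyone) can write to. A
# machine-wide COM server living there is a test registration or a hijack risk.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\ProgramData\\", re.I)


def parse_event(line):
    """Split one sandbox registry IoC line into op, key, value name, data, process."""
    m = SET_RE.match(line)
    if m:
        key, _, name = m.group("path").rpartition("\\")  # trailing '\' means the default value
        return {"op": "set", "key": key, "name": name or "(Default)",
                "data": m.group("data").replace("\\\\", "\\"), "proc": m.group("proc")}
    m = KEY_RE.match(line)
    if m:
        return {"op": "create", "key": m.group("key"), "name": None, "data": None, "proc": m.group("proc")}
    return None


def analyze(lines):
    """Group Set value events by CLSID / Interface GUID and flag suspicious servers."""
    clsids, interfaces = defaultdict(dict), defaultdict(dict)
    wow64 = False
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        wow64 |= "\\WOW6432Node\\" in ev["key"]  # 32-bit process under registry redirection
        if ev["op"] != "set":
            continue
        m = CLASS_RE.search(ev["key"])
        if not m:
            continue
        kind, guid, subkey = m.group(1), m.group(2).upper(), m.group(3)
        # Field label: default value of the class key is its name; otherwise subkey[\value].
        label = subkey or ""
        if ev["name"] != "(Default)":
            label = (label + "\\" + ev["name"]).lstrip("\\")
        label = label or "name"
        table = clsids if kind == "CLSID" else interfaces
        table[guid][label] = ev["data"]
        table[guid]["hive"] = "HKLM" if ev["key"].startswith("\\REGISTRY\\MACHINE") else "HKU"

    findings = []
    for clsid, entry in clsids.items():
        server = entry.get("InProcServer32")
        if entry.get("hive") == "HKLM" and server and USER_WRITABLE.search(server):
            served = sorted(g for g, i in interfaces.items()
                            if i.get("ProxyStubClsid32", "").upper() == clsid)
            findings.append({"clsid": clsid, "name": entry.get("name"),
                             "server": server, "interfaces": served})
    return {"clsids": dict(clsids), "interfaces": dict(interfaces),
            "wow64": wow64, "findings": findings}


if __name__ == "__main__":
    result = analyze(IOC_LINES)
    print("32-bit (WOW6432Node) registration:", result["wow64"])
    for f in result["findings"]:
        print(f"HKLM CLSID {f['clsid']} ({f['name']}) served from user-writable path {f['server']}")
        for iface in f["interfaces"]:
            print("   proxy/stub for interface", iface, result["interfaces"][iface].get("name"))
```

The same script can be pointed at the IoC list of any other report in this format; the registry path regexes do not depend on the GUIDs above. Whether a flagged path is an analysis artefact or a real hijack candidate still has to be decided by checking who can write to that directory on the host in question.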
Suspicious use of WriteProcessMemory (3 IoCs)
Process: regsvr32.exe
PID 1944 (regsvr32.exe) wrote to memory of PID 1612 (regsvr32.exe); the three IoCs are the same parent/child pair reported three times.
Context: every registry key in the signature above lands under WOW6432Node, so the DLL was registered by a 32-bit process. On an x64 host the 64-bit regsvr32.exe re-launches the 32-bit copy to register a 32-bit DLL, and a parent writing into a child it has just created is what this heuristic picks up. Treat it as the expected regsvr32 handoff, not as injection into an unrelated process.