279fcb2ccefca844fcde2a93a4b81e34344b5f7d42a535e62e32df9158b23657

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$R0.dll
Size

6.2MB
MD5

a2a795b82a3cdee2758b7d684ec76e17
SHA1

ecc1f1d21816d2f8f2c214fbceca99c96d22eda3
SHA256

08f028b785accae976cf200bcc10f5b60d226f0deeacf72a179ec411cdb20bad
SHA512

f0fa95dad384c6737be7f7a8cab0aa566c80d11c86dd9f3e70f5878d5600beb99ce1b863f825929d06e9715f190c366689288c6be7096c939bbfe86817ed9ef8
SSDEEP

49152:JcB9tzq11q2of8JbwvIFu70ubLCmfN4kzh8yk4SOan9TgGRGB/A1W1UTsLDKIx:g8J4aislwXKs

Score

4^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08FF5222-38A4-487E-A298-2DCB51EE9E06}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6CBABD20-3F81-4E0D-B45E-CD8C78C53590}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08FF5222-38A4-487E-A298-2DCB51EE9E06}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6CBABD20-3F81-4E0D-B45E-CD8C78C53590}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08FF5222-38A4-487E-A298-2DCB51EE9E06}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6CBABD20-3F81-4E0D-B45E-CD8C78C53590}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\ = "Extract Handler Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbi\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08FF5222-38A4-487E-A298-2DCB51EE9E06}\TypeLib\ = "{A80022F5-81D2-4F37-AF33-4D79862DC6E9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbi\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A80022F5-81D2-4F37-AF33-4D79862DC6E9}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A80022F5-81D2-4F37-AF33-4D79862DC6E9}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08FF5222-38A4-487E-A298-2DCB51EE9E06}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbi\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{08FF5222-38A4-487E-A298-2DCB51EE9E06}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6CBABD20-3F81-4E0D-B45E-CD8C78C53590}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}\ = "Thumbnail Handler Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A80022F5-81D2-4F37-AF33-4D79862DC6E9}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A80022F5-81D2-4F37-AF33-4D79862DC6E9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbi	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}\ = "Extract Handler Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6CBABD20-3F81-4E0D-B45E-CD8C78C53590}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6CBABD20-3F81-4E0D-B45E-CD8C78C53590}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.psd\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08FF5222-38A4-487E-A298-2DCB51EE9E06}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A80022F5-81D2-4F37-AF33-4D79862DC6E9}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08FF5222-38A4-487E-A298-2DCB51EE9E06}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08FF5222-38A4-487E-A298-2DCB51EE9E06}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6CBABD20-3F81-4E0D-B45E-CD8C78C53590}\ = "Thumbnail Handler Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6CBABD20-3F81-4E0D-B45E-CD8C78C53590}\TypeLib\ = "{A80022F5-81D2-4F37-AF33-4D79862DC6E9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\ = "Thumbnail Handler Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08FF5222-38A4-487E-A298-2DCB51EE9E06}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08FF5222-38A4-487E-A298-2DCB51EE9E06}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbi\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}\ = "{6CBABD20-3F81-4E0D-B45E-CD8C78C53590}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ai\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}\ = "{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ai\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{BE421D53-8625-4E1A-BD04-27904612B7EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.psd\ShellEx	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\TypeLib\ = "{A80022F5-81D2-4F37-AF33-4D79862DC6E9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A80022F5-81D2-4F37-AF33-4D79862DC6E9}\1.0\ = "ThumbnailLib"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A80022F5-81D2-4F37-AF33-4D79862DC6E9}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6CBABD20-3F81-4E0D-B45E-CD8C78C53590}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDC1A7D5-2CDB-4352-B3EE-67C02E369742}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE421D53-8625-4E1A-BD04-27904612B7EF}\TypeLib\ = "{A80022F5-81D2-4F37-AF33-4D79862DC6E9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ai\ShellEx	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ai\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75F9C120-AE93-4372-ACCA-8BF6BB613A02}\TypeLib\ = "{A80022F5-81D2-4F37-AF33-4D79862DC6E9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F45976A-9305-4A2F-85B3-E950C29436AA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A80022F5-81D2-4F37-AF33-4D79862DC6E9}\1.0\FLAGS\ = "0"	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll
1⤵
- Registers COM server for autorun
- Modifies registry class
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads