653eff5e9cd0da495b965c815565fa04eb509a221388c5fb73a297ea9c07f2d2

General

Target

653eff5e9cd0da495b965c815565fa04eb509a221388c5fb73a297ea9c07f2d2.dll
Size

90KB
MD5

331d05adfcec9ac63b22f95c53b88000
SHA1

50a9c54ca0fc9b854ae3d5a59d1596bc671bc4ba
SHA256

653eff5e9cd0da495b965c815565fa04eb509a221388c5fb73a297ea9c07f2d2
SHA512

90896ce42eb5b361dec210bd89fe622ba8aaed109a6998ab6fedbb5c22d74e6baaaa98cafdcb99fecede7fc420266ce3ebfb08f140a9d1c676b0070c51cd209d
SSDEEP

1536:1i7Tj7N01wgPBxLcsywUBvs8P/1UBPGxU5cvTa:1i/fNaFDmwUBvTP/1UBPGxU5cG

Score

7^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\653eff5e9cd0da495b965c815565fa04eb509a221388c5fb73a297ea9c07f2d2.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95D92E2C-15BB-453B-8DE0-101A875868D1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{084B4D42-902B-4115-BFA6-2963DAF36074}\ = "_IGPSInterfaceEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{084B4D42-902B-4115-BFA6-2963DAF36074}\NumMethods\ = "20"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E20A7169-6D58-462B-BD32-3756AACBBD15}\NumMethods\ = "210"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95D92E2C-15BB-453B-8DE0-101A875868D1}\ = "IDeviceManager"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95D92E2C-15BB-453B-8DE0-101A875868D1}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E327C33-B030-4733-B3B9-2F3B367C365A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E327C33-B030-4733-B3B9-2F3B367C365A}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A988A78-0434-4DED-A5D2-B1531057262A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{306E6305-5027-4805-92B2-192A1E5E6AC9}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2019DA4-DC75-431C-9EFE-15D9BFDD58B4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{306E6305-5027-4805-92B2-192A1E5E6AC9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{306E6305-5027-4805-92B2-192A1E5E6AC9}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}\ProxyStubClsid32\ = "{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95D92E2C-15BB-453B-8DE0-101A875868D1}\ProxyStubClsid32\ = "{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E327C33-B030-4733-B3B9-2F3B367C365A}\ProxyStubClsid32\ = "{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E20A7169-6D58-462B-BD32-3756AACBBD15}\ = "ITotalStation"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C595D6A3-6B5D-4DAC-83D0-2C4826864D54}\ProxyStubClsid32\ = "{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{084B4D42-902B-4115-BFA6-2963DAF36074}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A56DF91-D6A2-402C-A892-92CC79BD7C60}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A56DF91-D6A2-402C-A892-92CC79BD7C60}\ProxyStubClsid32\ = "{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C595D6A3-6B5D-4DAC-83D0-2C4826864D54}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C595D6A3-6B5D-4DAC-83D0-2C4826864D54}\ = "_InternalDeviceInitializationGNSS"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{448133B5-1491-47C3-BF42-00C3CB6F7811}\ = "ITsCapabilities"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\653eff5e9cd0da495b965c815565fa04eb509a221388c5fb73a297ea9c07f2d2.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}\ = "IGPSInterface"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C595D6A3-6B5D-4DAC-83D0-2C4826864D54}\NumMethods\ = "4"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{448133B5-1491-47C3-BF42-00C3CB6F7811}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{306E6305-5027-4805-92B2-192A1E5E6AC9}\ = "_ITotalStationEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E327C33-B030-4733-B3B9-2F3B367C365A}\NumMethods\ = "88"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A56DF91-D6A2-402C-A892-92CC79BD7C60}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C595D6A3-6B5D-4DAC-83D0-2C4826864D54}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2019DA4-DC75-431C-9EFE-15D9BFDD58B4}\NumMethods\ = "4"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95D92E2C-15BB-453B-8DE0-101A875868D1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A988A78-0434-4DED-A5D2-B1531057262A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A988A78-0434-4DED-A5D2-B1531057262A}\ProxyStubClsid32\ = "{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A56DF91-D6A2-402C-A892-92CC79BD7C60}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{448133B5-1491-47C3-BF42-00C3CB6F7811}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}\NumMethods\ = "111"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{306E6305-5027-4805-92B2-192A1E5E6AC9}\NumMethods\ = "11"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBE67F0C-D30F-4776-A45A-88B4461A4E19}\ProxyStubClsid32\ = "{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBE67F0C-D30F-4776-A45A-88B4461A4E19}\ = "IGenericDevice"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{448133B5-1491-47C3-BF42-00C3CB6F7811}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBE67F0C-D30F-4776-A45A-88B4461A4E19}\NumMethods\ = "14"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{084B4D42-902B-4115-BFA6-2963DAF36074}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E20A7169-6D58-462B-BD32-3756AACBBD15}\ProxyStubClsid32\ = "{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A988A78-0434-4DED-A5D2-B1531057262A}\ = "_InternalDeviceInitializationTS"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2019DA4-DC75-431C-9EFE-15D9BFDD58B4}\ProxyStubClsid32\ = "{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{306E6305-5027-4805-92B2-192A1E5E6AC9}\ProxyStubClsid32\ = "{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBE67F0C-D30F-4776-A45A-88B4461A4E19}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E327C33-B030-4733-B3B9-2F3B367C365A}\ = "IGnssCapabilities"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2019DA4-DC75-431C-9EFE-15D9BFDD58B4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2019DA4-DC75-431C-9EFE-15D9BFDD58B4}\ = "ISurveyToolsServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95D92E2C-15BB-453B-8DE0-101A875868D1}\NumMethods\ = "12"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A988A78-0434-4DED-A5D2-B1531057262A}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C595D6A3-6B5D-4DAC-83D0-2C4826864D54}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{448133B5-1491-47C3-BF42-00C3CB6F7811}\ProxyStubClsid32\ = "{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D7D5403-D389-4D7E-96AB-6A47430BC5B2}	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\653eff5e9cd0da495b965c815565fa04eb509a221388c5fb73a297ea9c07f2d2.dll
1⤵
- Registers COM server for autorun
- Modifies registry class
PID:1336