b0db11cb8d232f65a27118734a477a2b3d3f0d5e8170f966ba82309cd437c114

Analysis

max time kernel
133s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 11:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AVG Anti-Spyware/shellexecutehook64.dll
Size

123KB
MD5

34cacc39cb68b058ec5c19c9514d789a
SHA1

fd8f1f4be91da2d3b15f77071199f61b79c2b7a8
SHA256

05f911cce21651df77afa881ceef51b66de1aee2b3f7de97fa976e7f6203e1d3
SHA512

b9a243784db9ec4dcce7ad6fb3ddfad72384a67b0f140caf7e31f24b79eac02c10e6c2f730e08ef9d1cfbef8de09052cfe1c89591bb2b8fddeb0ed95e075b2e9
SSDEEP

3072:VZS8v8aGyg3wFalgNfuCe9l/HNHqOEMTtgoLmjO1:Vo8Ehyg3wFaEuCe/vBYjNj0

Score

7^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\shellexecutehook.CShellExecuteHookImpl\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92F51889-D476-4BC8-BD21-B30744A5EF51}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\shellexecutehook.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\shellexecutehook.CShellExecuteHookImp.1\ = "CShellExecuteHookImpl Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57B86673-276A-48B2-BAE7-C6DBB3020EB8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\shellexecutehook.CShellExecuteHookImpl\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57B86673-276A-48B2-BAE7-C6DBB3020EB8}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57B86673-276A-48B2-BAE7-C6DBB3020EB8}\VersionIndependentProgID\ = "shellexecutehook.CShellExecuteHookImpl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57B86673-276A-48B2-BAE7-C6DBB3020EB8}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AVG Anti-Spyware\\shellexecutehook64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57B86673-276A-48B2-BAE7-C6DBB3020EB8}\TypeLib\ = "{92F51889-D476-4BC8-BD21-B30744A5EF51}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\shellexecutehook.CShellExecuteHookImp.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\shellexecutehook.CShellExecuteHookImpl\ = "CShellExecuteHookImpl Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57B86673-276A-48B2-BAE7-C6DBB3020EB8}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92F51889-D476-4BC8-BD21-B30744A5EF51}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AVG Anti-Spyware\\shellexecutehook64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\shellexecutehook.CShellExecuteHookImp.1\CLSID\ = "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57B86673-276A-48B2-BAE7-C6DBB3020EB8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57B86673-276A-48B2-BAE7-C6DBB3020EB8}\ProgID\ = "shellexecutehook.CShellExecuteHookImp.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92F51889-D476-4BC8-BD21-B30744A5EF51}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92F51889-D476-4BC8-BD21-B30744A5EF51}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92F51889-D476-4BC8-BD21-B30744A5EF51}\1.0\HELPDIR\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\shellexecutehook.DLL\AppID = "{92F51889-D476-4BC8-BD21-B30744A5EF51}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57B86673-276A-48B2-BAE7-C6DBB3020EB8}\ = "CShellExecuteHookImpl Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57B86673-276A-48B2-BAE7-C6DBB3020EB8}\AppID = "{92F51889-D476-4BC8-BD21-B30744A5EF51}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92F51889-D476-4BC8-BD21-B30744A5EF51}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\shellexecutehook.CShellExecuteHookImpl	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57B86673-276A-48B2-BAE7-C6DBB3020EB8}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92F51889-D476-4BC8-BD21-B30744A5EF51}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92F51889-D476-4BC8-BD21-B30744A5EF51}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{92F51889-D476-4BC8-BD21-B30744A5EF51}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57B86673-276A-48B2-BAE7-C6DBB3020EB8}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\shellexecutehook.CShellExecuteHookImpl\CLSID\ = "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\shellexecutehook.CShellExecuteHookImpl\CurVer\ = "shellexecutehook.CShellExecuteHookImp.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57B86673-276A-48B2-BAE7-C6DBB3020EB8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92F51889-D476-4BC8-BD21-B30744A5EF51}\1.0\ = "shellexecutehook 1.0 Typbibliothek"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92F51889-D476-4BC8-BD21-B30744A5EF51}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{92F51889-D476-4BC8-BD21-B30744A5EF51}\ = "shellexecutehook"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\shellexecutehook.CShellExecuteHookImp.1	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\AVG Anti-Spyware\shellexecutehook64.dll"
1⤵
- Modifies registry class
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads