36ca1c778e85cf4304756ef559efcb3d13a0e37e22150234e7d9a99edb6430b8

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36ca1c778e85cf4304756ef559efcb3d13a0e37e22150234e7d9a99edb6430b8.dll
Size

82KB
MD5

a33139a5bc4bc2e46dad0e86299aacdb
SHA1

b12871182ffb7e58432b0da2510ab270e4d2e313
SHA256

36ca1c778e85cf4304756ef559efcb3d13a0e37e22150234e7d9a99edb6430b8
SHA512

44f4f80b99b65e51f8eae557f160bdcea3eed4638e4147b1092b5fb38549b6e871e29d5afad72d021c123ed7129e6aba92e68d4aa7be1bd91323bff59d077725
SSDEEP

768:hDHH/9OZdIAylNo8GAEgJzk0xS74/6uRzGvOtDbE9yDGFoyUEAp:hT/9Orgbo8GAEghk0xS7SW9roXp

Score

5^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B4F8BBF-F1F2-418A-B35E-A195BC4103B9}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C9430E9-299D-4E6F-BD01-A82A1E88D3FF}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D49DED83-5B25-43F4-9B95-93B44595979E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D49DED83-5B25-43F4-9B95-93B44595979E}\ = "IAccessibleApplication"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01C20F2B-3DD2-400F-949F-AD00BDAB1D41}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE5ABB3D-615E-4F7B-909F-5F0EDA9E8DDE}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24FD2FFB-3AAD-4A08-8335-A3AD89C0FB4B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24FD2FFB-3AAD-4A08-8335-A3AD89C0FB4B}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B70D9F59-3B5A-4DBA-AB9E-22012F607DF5}\NumMethods\ = "9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C48C7FCF-4AB5-4056-AFA6-902D6E1D1149}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C48C7FCF-4AB5-4056-AFA6-902D6E1D1149}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01C20F2B-3DD2-400F-949F-AD00BDAB1D41}\ = "IAccessibleHyperlink"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B4F8BBF-F1F2-418A-B35E-A195BC4103B9}\ = "IAccessibleHypertext"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF64D89F-8287-4B44-8501-A827453A6077}\ = "IAccessibleHypertext2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF64D89F-8287-4B44-8501-A827453A6077}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6167F295-06F0-4CDD-A1FA-02E25153D869}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24FD2FFB-3AAD-4A08-8335-A3AD89C0FB4B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A59AA09A-7011-4B65-939D-32B1FB5547E3}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A59AA09A-7011-4B65-939D-32B1FB5547E3}\NumMethods\ = "10"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C9430E9-299D-4E6F-BD01-A82A1E88D3FF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B70D9F59-3B5A-4DBA-AB9E-22012F607DF5}\ = "IAccessibleAction"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A59AA09A-7011-4B65-939D-32B1FB5547E3}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7CDF86EE-C3DA-496A-BDA4-281B336E1FDC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35AD8070-C20C-4FB4-B094-F4F7275DD469}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01C20F2B-3DD2-400F-949F-AD00BDAB1D41}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B4F8BBF-F1F2-418A-B35E-A195BC4103B9}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF64D89F-8287-4B44-8501-A827453A6077}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E89F726E-C4F4-4C19-BB19-B647D7FA8478}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C9430E9-299D-4E6F-BD01-A82A1E88D3FF}\NumMethods\ = "49"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5BE18059-762E-4E73-9476-ABA294FED411}\NumMethods\ = "50"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1546D4B0-4C98-4BDA-89AE-9A64748BDDE4}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE5ABB3D-615E-4F7B-909F-5F0EDA9E8DDE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C9430E9-299D-4E6F-BD01-A82A1E88D3FF}\ProxyStubClsid32\ = "{E89F726E-C4F4-4C19-BB19-B647D7FA8478}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B4F8BBF-F1F2-418A-B35E-A195BC4103B9}\NumMethods\ = "25"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6167F295-06F0-4CDD-A1FA-02E25153D869}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24FD2FFB-3AAD-4A08-8335-A3AD89C0FB4B}\ProxyStubClsid32\ = "{E89F726E-C4F4-4C19-BB19-B647D7FA8478}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9690A9CC-5C80-4DF5-852E-2D5AE4189A54}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9690A9CC-5C80-4DF5-852E-2D5AE4189A54}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9690A9CC-5C80-4DF5-852E-2D5AE4189A54}\NumMethods\ = "23"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D49DED83-5B25-43F4-9B95-93B44595979E}\ProxyStubClsid32\ = "{E89F726E-C4F4-4C19-BB19-B647D7FA8478}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1546D4B0-4C98-4BDA-89AE-9A64748BDDE4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C48C7FCF-4AB5-4056-AFA6-902D6E1D1149}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A59AA09A-7011-4B65-939D-32B1FB5547E3}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6167F295-06F0-4CDD-A1FA-02E25153D869}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E89F726E-C4F4-4C19-BB19-B647D7FA8478}\ = "PSFactoryBuffer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35AD8070-C20C-4FB4-B094-F4F7275DD469}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6167F295-06F0-4CDD-A1FA-02E25153D869}\ProxyStubClsid32\ = "{E89F726E-C4F4-4C19-BB19-B647D7FA8478}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E89F726E-C4F4-4C19-BB19-B647D7FA8478}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B70D9F59-3B5A-4DBA-AB9E-22012F607DF5}\ProxyStubClsid32\ = "{E89F726E-C4F4-4C19-BB19-B647D7FA8478}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1546D4B0-4C98-4BDA-89AE-9A64748BDDE4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A59AA09A-7011-4B65-939D-32B1FB5547E3}\ = "IAccessibleEditableText"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1546D4B0-4C98-4BDA-89AE-9A64748BDDE4}\ = "IAccessibleComponent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35855B5B-C566-4FD0-A7B1-E65465600394}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35855B5B-C566-4FD0-A7B1-E65465600394}\ProxyStubClsid32\ = "{E89F726E-C4F4-4C19-BB19-B647D7FA8478}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35855B5B-C566-4FD0-A7B1-E65465600394}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D49DED83-5B25-43F4-9B95-93B44595979E}\NumMethods\ = "7"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE5ABB3D-615E-4F7B-909F-5F0EDA9E8DDE}\ = "IAccessibleImage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE5ABB3D-615E-4F7B-909F-5F0EDA9E8DDE}\NumMethods\ = "6"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35AD8070-C20C-4FB4-B094-F4F7275DD469}\NumMethods\ = "32"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24FD2FFB-3AAD-4A08-8335-A3AD89C0FB4B}\NumMethods\ = "22"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E89F726E-C4F4-4C19-BB19-B647D7FA8478}\ProxyStubClsid32\ = "{E89F726E-C4F4-4C19-BB19-B647D7FA8478}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B70D9F59-3B5A-4DBA-AB9E-22012F607DF5}\ProxyStubClsid32	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\36ca1c778e85cf4304756ef559efcb3d13a0e37e22150234e7d9a99edb6430b8.dll
1⤵
- Modifies registry class
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...