3713babf5fbbbcf85cf64d29a097708bfe1ad471409f5d0ec914884be402df86

Analysis

max time kernel
133s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3713babf5fbbbcf85cf64d29a097708bfe1ad471409f5d0ec914884be402df86_NeikiAnalytics.dll
Size

1.2MB
MD5

559c43b38eb9cda558975284c08e6380
SHA1

8a23f1f8148e4b9cc9c20b3be56b39e9b0dab5ed
SHA256

3713babf5fbbbcf85cf64d29a097708bfe1ad471409f5d0ec914884be402df86
SHA512

5171bb84e6301c2977262d5bf105abeea1b18be911ccfd956c4863c586d2399f697dd5b7e1f15756179c813adf40cd326a300f3b7f3390af0959ebe63f7ba703
SSDEEP

12288:JE6N7PFEDWJihVbjnEPBgQVl4lPaH8dn/StuEm2XwZyAopv+4Apovq/:JE27PFEUQU6l4yn/StM2WfC+4Apiq/

Score

5^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies registry class 33 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}\MaxInstances = "4294967295"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}\MaxOutputConnections = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}\NumAPOInterfaces = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}\ = "DolbyDAX2APO Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60FA4865-0741-4394-A275-C63D43B8C2E1}\1.0\0	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}\MinOutputConnections = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60FA4865-0741-4394-A275-C63D43B8C2E1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60FA4865-0741-4394-A275-C63D43B8C2E1}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60FA4865-0741-4394-A275-C63D43B8C2E1}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60FA4865-0741-4394-A275-C63D43B8C2E1}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60FA4865-0741-4394-A275-C63D43B8C2E1}\1.0\ = "DolbyDAX2APODlllib"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}\FriendlyName = "CDolbyDAX2APO"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}\MajorVersion = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}\MinorVersion = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}\Flags = "12"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}\MaxInputConnections = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{18A5395C-F7C7-45D1-8D6D-F6BF56FE9427}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3713babf5fbbbcf85cf64d29a097708bfe1ad471409f5d0ec914884be402df86_NeikiAnalytics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60FA4865-0741-4394-A275-C63D43B8C2E1}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{18A5395C-F7C7-45D1-8D6D-F6BF56FE9427}\ = "DolbyDAX2APOvlldp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DolbyDAX2APOvlldp.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DolbyDAX2APOvlldp.DLL\AppID = "{18A5395C-F7C7-45D1-8D6D-F6BF56FE9427}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60FA4865-0741-4394-A275-C63D43B8C2E1}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3713babf5fbbbcf85cf64d29a097708bfe1ad471409f5d0ec914884be402df86_NeikiAnalytics.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60FA4865-0741-4394-A275-C63D43B8C2E1}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}\Copyright = "Copyright (c) Dolby Laboratories"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}\MinInputConnections = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}\APOInterface0 = "{4DC8B9CB-6372-496E-8C95-882EAC5C1F4F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D9916F9D-99F7-11E7-BF21-6C0B849889E1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60FA4865-0741-4394-A275-C63D43B8C2E1}\1.0	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3713babf5fbbbcf85cf64d29a097708bfe1ad471409f5d0ec914884be402df86_NeikiAnalytics.dll
1⤵
- Modifies registry class
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4204,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8
1⤵
PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...