b48981cacda09af3e47a1bf322949b7a12749f93a2fbc2b63b33aae5563ad848

Analysis

max time kernel
316s
max time network
1608s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11-07-2024 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_45_/driver/$R0.dll
Size

223KB
MD5

5b3896272ddd7f58fcbfbe0b4212e67a
SHA1

cdf2ab2a56b9dd8473d01f68780fd190531dc013
SHA256

675224ec12c25e0c8792fd736bca8589da7311ad801b7f307b37a6f3105071a9
SHA512

566a496ad0fcf9cfd41cc6745a246821a7154cb4cf3fe53c98321871a0365d2b4d84ee075093255f794110988e0504b435005e1c009fc286557771079d77c7f3
SSDEEP

3072:ExMi9XRe4X2fRlHwdr/TAAkghhnEudvTNV3R+fTrl9fUZz2fIbkDjCRsn8NA/:563X2fjErLTjnEudX3R+XlhjIUc1C/

Score

5^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13E3F2E1-DC3D-462E-9F25-59022BD86593}\1.f0ae\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F00BE61-106C-11E6-A837-0800200C9A66}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F00BE61-106C-11E6-A837-0800200C9A66}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F00BE61-106C-11E6-A837-0800200C9A66}\TypeLib\Version = "1.f0ae"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4F00BE60-106C-11E6-A837-0800200C9A66}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4F00BE60-106C-11E6-A837-0800200C9A66}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_45_\\driver\\$R0.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4F00BE60-106C-11E6-A837-0800200C9A66}\TypeLib\ = "{13E3F2E1-DC3D-462E-9F25-59022BD86593}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4F00BE60-106C-11E6-A837-0800200C9A66}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13E3F2E1-DC3D-462E-9F25-59022BD86593}\1.f0ae	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F00BE61-106C-11E6-A837-0800200C9A66}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13E3F2E1-DC3D-462E-9F25-59022BD86593}\1.f0ae\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13E3F2E1-DC3D-462E-9F25-59022BD86593}\1.f0ae\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13E3F2E1-DC3D-462E-9F25-59022BD86593}\1.f0ae\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_45_\\driver"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F00BE61-106C-11E6-A837-0800200C9A66}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13E3F2E1-DC3D-462E-9F25-59022BD86593}\1.f0ae\ = "AudioDeviceFXPluginAPI"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F00BE61-106C-11E6-A837-0800200C9A66}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F00BE61-106C-11E6-A837-0800200C9A66}\TypeLib\ = "{13E3F2E1-DC3D-462E-9F25-59022BD86593}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F00BE61-106C-11E6-A837-0800200C9A66}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4F00BE60-106C-11E6-A837-0800200C9A66}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4F00BE60-106C-11E6-A837-0800200C9A66}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4F00BE60-106C-11E6-A837-0800200C9A66}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F00BE61-106C-11E6-A837-0800200C9A66}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F00BE61-106C-11E6-A837-0800200C9A66}\ = "IControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4F00BE60-106C-11E6-A837-0800200C9A66}\ = "CControl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4F00BE60-106C-11E6-A837-0800200C9A66}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13E3F2E1-DC3D-462E-9F25-59022BD86593}\1.f0ae\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F00BE61-106C-11E6-A837-0800200C9A66}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F00BE61-106C-11E6-A837-0800200C9A66}\ = "IControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13E3F2E1-DC3D-462E-9F25-59022BD86593}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F00BE61-106C-11E6-A837-0800200C9A66}\TypeLib\Version = "1.f0ae"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4F00BE60-106C-11E6-A837-0800200C9A66}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13E3F2E1-DC3D-462E-9F25-59022BD86593}\1.f0ae\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_45_\\driver\\$R0.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13E3F2E1-DC3D-462E-9F25-59022BD86593}\1.f0ae\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F00BE61-106C-11E6-A837-0800200C9A66}\TypeLib\ = "{13E3F2E1-DC3D-462E-9F25-59022BD86593}"	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_45_\driver\$R0.dll
1⤵
- Modifies registry class
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads