b48981cacda09af3e47a1bf322949b7a12749f93a2fbc2b63b33aae5563ad848

Analysis

max time kernel
316s
max time network
1587s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11-07-2024 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

apps/engine/AudioDeviceManagerAPI.x64.dll
Size

170KB
MD5

53891f0fe36fdce6e48fa5269a015737
SHA1

b54e9b6d0c1c07195224c416e533996235649d13
SHA256

8d09810cbbf355a81ecc1c379c5d1bd0e379df37205bbc8eb5aea8dbf7ae2d55
SHA512

08634e567f12c72761bfda57c2c2c7af769b25b39933c32fd389fdfd33a3c5e3b4625662304acf9dc3e93f97200d7a37b9655d9b7786d75e50f418cf74459bd3
SSDEEP

3072:nyfK22ggquZgLyQLg4McJcVURKrhNK0rrsquaP:yy22bgOQXJczIqZP

Score

5^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies registry class 34 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1D18DF10-9B84-4DF2-B682-15DA97409284}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apps\\engine\\AudioDeviceManagerAPI.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CD4DCBF1-F32E-49B6-8C97-7CCA49BB3BB5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CD4DCBF1-F32E-49B6-8C97-7CCA49BB3BB5}\1.f0ae\ = "AudioDeviceManagerAPI"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CD4DCBF1-F32E-49B6-8C97-7CCA49BB3BB5}\1.f0ae\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CD4DCBF1-F32E-49B6-8C97-7CCA49BB3BB5}\1.f0ae\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D18DF11-9B84-4DF2-B682-15DA97409284}\TypeLib\Version = "1.f0ae"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CD4DCBF1-F32E-49B6-8C97-7CCA49BB3BB5}\1.f0ae\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CD4DCBF1-F32E-49B6-8C97-7CCA49BB3BB5}\1.f0ae\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apps\\engine"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D18DF11-9B84-4DF2-B682-15DA97409284}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1D18DF10-9B84-4DF2-B682-15DA97409284}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1D18DF10-9B84-4DF2-B682-15DA97409284}\TypeLib\ = "{CD4DCBF1-F32E-49B6-8C97-7CCA49BB3BB5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1D18DF10-9B84-4DF2-B682-15DA97409284}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CD4DCBF1-F32E-49B6-8C97-7CCA49BB3BB5}\1.f0ae\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1D18DF10-9B84-4DF2-B682-15DA97409284}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1D18DF10-9B84-4DF2-B682-15DA97409284}\ = "CControl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1D18DF10-9B84-4DF2-B682-15DA97409284}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CD4DCBF1-F32E-49B6-8C97-7CCA49BB3BB5}\1.f0ae	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D18DF11-9B84-4DF2-B682-15DA97409284}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D18DF11-9B84-4DF2-B682-15DA97409284}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1D18DF10-9B84-4DF2-B682-15DA97409284}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1D18DF10-9B84-4DF2-B682-15DA97409284}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D18DF11-9B84-4DF2-B682-15DA97409284}\ = "IControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D18DF11-9B84-4DF2-B682-15DA97409284}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D18DF11-9B84-4DF2-B682-15DA97409284}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D18DF11-9B84-4DF2-B682-15DA97409284}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D18DF11-9B84-4DF2-B682-15DA97409284}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D18DF11-9B84-4DF2-B682-15DA97409284}\TypeLib\ = "{CD4DCBF1-F32E-49B6-8C97-7CCA49BB3BB5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D18DF11-9B84-4DF2-B682-15DA97409284}\ = "IControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D18DF11-9B84-4DF2-B682-15DA97409284}\TypeLib\Version = "1.f0ae"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1D18DF10-9B84-4DF2-B682-15DA97409284}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CD4DCBF1-F32E-49B6-8C97-7CCA49BB3BB5}\1.f0ae\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CD4DCBF1-F32E-49B6-8C97-7CCA49BB3BB5}\1.f0ae\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apps\\engine\\AudioDeviceManagerAPI.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D18DF11-9B84-4DF2-B682-15DA97409284}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D18DF11-9B84-4DF2-B682-15DA97409284}\TypeLib\ = "{CD4DCBF1-F32E-49B6-8C97-7CCA49BB3BB5}"	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\apps\engine\AudioDeviceManagerAPI.x64.dll
1⤵
- Modifies registry class
PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads