38130c93482996bc6b4828242f63ec0ffb63209409cf92fc9d851f14ee18366c

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$8/ClownfshAPO64.dll
Size

346KB
MD5

2615829ece553a2aac5f9a03cfcacac2
SHA1

4f271a3d659b4c41ae4b578afe3ce34df4d6a1e7
SHA256

2bc1826abffe6bd74c7352607ed15e7b37c205060a8c27c10bf205b067be380f
SHA512

30c3a462604425b4eb20e5732dc519f9a36b77c6c54f26d9a36995631f6222cfbe37a6b2363d68f9956ed5fe2c4323f8051b2cac6acd9c1dc2b3daaac31e4c8f
SSDEEP

6144:XFaPoCUb5nttyhD5Axo3J1+neolsX4m9V5CQVRpKsVjJfuslgH:XkPQb/S6KOeolsXPvUCJU

Score

5^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}\Copyright = "Developed in Shark Labs, Sofia, 2016-2021"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}\Flags = "15"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}\ = "ClownfishAPO"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}\MaxOutputConnections = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}\MaxInstances = "4294967295"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}\MajorVersion = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}\MinInputConnections = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}\MaxInputConnections = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}\MinorVersion = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$8\\ClownfshAPO64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}\FriendlyName = "ClownfishAPO"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}\MinOutputConnections = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{80E0C6D1-9465-43B2-9BD5-27A3A56CF1B3}\NumAPOInterfaces = "1"	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$8\ClownfshAPO64.dll
1⤵
- Modifies registry class
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads