Overview
overview
10Static
static
10GlobalProt...th.dll
windows7-x64
1GlobalProt...th.dll
windows10-2004-x64
1GlobalProt...64.dll
windows7-x64
1GlobalProt...64.dll
windows10-2004-x64
1GlobalProt...ip.dll
windows7-x64
1GlobalProt...ip.dll
windows10-2004-x64
1GlobalProt...fs.jar
windows7-x64
1GlobalProt...fs.jar
windows10-2004-x64
1GlobalProt...er.jar
windows7-x64
1GlobalProt...er.jar
windows10-2004-x64
1GlobalProt...ce.dll
windows7-x64
3GlobalProt...ce.dll
windows10-2004-x64
3GlobalProt...ce.dll
windows7-x64
5GlobalProt...ce.dll
windows10-2004-x64
5GlobalProt...n.html
windows7-x64
3GlobalProt...n.html
windows10-2004-x64
5GlobalProt...EN.exe
windows7-x64
1GlobalProt...EN.exe
windows10-2004-x64
1GlobalProt...N.html
windows7-x64
3GlobalProt...N.html
windows10-2004-x64
5GlobalProt...W.html
windows7-x64
3GlobalProt...W.html
windows10-2004-x64
5GlobalProt...im.dll
windows7-x64
5GlobalProt...im.dll
windows10-2004-x64
5GlobalProt...sc.dll
windows7-x64
5GlobalProt...sc.dll
windows10-2004-x64
5GlobalProt....1.jar
windows7-x64
1GlobalProt....1.jar
windows10-2004-x64
1GlobalProt....0.jar
windows7-x64
7GlobalProt....0.jar
windows10-2004-x64
7GlobalProt....0.jar
windows7-x64
1GlobalProt....0.jar
windows10-2004-x64
1Analysis
-
max time kernel
1372s -
max time network
1164s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
26/07/2024, 09:06
Behavioral task
behavioral1
Sample
GlobalProtect64/jre/bin/w2k_lsa_auth.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral2
Sample
GlobalProtect64/jre/bin/w2k_lsa_auth.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
GlobalProtect64/jre/bin/windowsaccessbridge-64.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
GlobalProtect64/jre/bin/windowsaccessbridge-64.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
GlobalProtect64/jre/bin/zip.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral6
Sample
GlobalProtect64/jre/bin/zip.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
GlobalProtect64/jre/lib/jrt-fs.jar
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
GlobalProtect64/jre/lib/jrt-fs.jar
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
GlobalProtect64/launcher.jar
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
GlobalProtect64/launcher.jar
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
GlobalProtect64/lib32/RTDService.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral12
Sample
GlobalProtect64/lib32/RTDService.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
GlobalProtect64/lib64/RTDService.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral14
Sample
GlobalProtect64/lib64/RTDService.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
GlobalProtect64/license_en.html
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral16
Sample
GlobalProtect64/license_en.html
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
GlobalProtect64/license_us_EN.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral18
Sample
GlobalProtect64/license_us_EN.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
GlobalProtect64/license_zh_CN.html
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral20
Sample
GlobalProtect64/license_zh_CN.html
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
GlobalProtect64/license_zh_TW.html
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral22
Sample
GlobalProtect64/license_zh_TW.html
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
GlobalProtect64/npthinkorswim.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral24
Sample
GlobalProtect64/npthinkorswim.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
GlobalProtect64/nptossc.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral26
Sample
GlobalProtect64/nptossc.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
GlobalProtect64/suit/1979.1.503/VeracodeAnnotations-1.2.1.jar
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral28
Sample
GlobalProtect64/suit/1979.1.503/VeracodeAnnotations-1.2.1.jar
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
GlobalProtect64/suit/1979.1.503/jna-5.7.0.jar
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral30
Sample
GlobalProtect64/suit/1979.1.503/jna-5.7.0.jar
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
GlobalProtect64/suit/1979.1.503/jna-platform-5.7.0.jar
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral32
Sample
GlobalProtect64/suit/1979.1.503/jna-platform-5.7.0.jar
Resource
win10v2004-20240709-en
windows10-2004-x64
General
-
Target
GlobalProtect64/lib64/RTDService.dll
-
Size
442KB
-
MD5
7188ba7f46dbbe324472c22a814a884a
-
SHA1
dc855cbeef47a1945baebbf1b7abe7f9ed718549
-
SHA256
bf9b6a71f3c71ad3cbdb12f1d37cca025aafc1afc0120c783acb83e8ce54c3e5
-
SHA512
bba1af40d5f182380e20587282e8cb037f0dbf91ec28ae2ef2f88336fa155e8dcd4e4ffe27b6a7e3b2a3be67695e1c69c1d0a37d6bf6eb4ceafbf4543095e5ca
-
SSDEEP
6144:+mXdszM4ebIDp9FB7qJG8Ti1rrvcjr2s1Hw0q6aCxWRCmTYh5U:+g2MlbkFB7qJGZpGalR7
Malware Config
Signatures
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Modifies registry class 22 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B415BA9-E543-41BD-8EB1-CB12A5B7678F}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B415BA9-E543-41BD-8EB1-CB12A5B7678F}\ProgId\ = "Tos.RTD" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA792DC8-807E-43E3-B484-47465D82C4D1} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA792DC8-807E-43E3-B484-47465D82C4D1}\1.0\ = "Tos.RTD" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Tos.RTD\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B415BA9-E543-41BD-8EB1-CB12A5B7678F} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA792DC8-807E-43E3-B484-47465D82C4D1}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA792DC8-807E-43E3-B484-47465D82C4D1}\1.0\0\Win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B415BA9-E543-41BD-8EB1-CB12A5B7678F}\ = "Tos.RTD" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B415BA9-E543-41BD-8EB1-CB12A5B7678F}\ProgId regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B415BA9-E543-41BD-8EB1-CB12A5B7678F}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B415BA9-E543-41BD-8EB1-CB12A5B7678F}\TypeLib\ = "{BA792DC8-807E-43E3-B484-47465D82C4D1}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA792DC8-807E-43E3-B484-47465D82C4D1}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA792DC8-807E-43E3-B484-47465D82C4D1}\1.0\0\ = "win32" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA792DC8-807E-43E3-B484-47465D82C4D1}\1.0\0\Win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GlobalProtect64\\lib64\\RTDService.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Tos.RTD\ = "Tos.RTD" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Tos.RTD\CLSID\ = "{1B415BA9-E543-41BD-8EB1-CB12A5B7678F}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA792DC8-807E-43E3-B484-47465D82C4D1}\ = "Tos.RTD" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA792DC8-807E-43E3-B484-47465D82C4D1}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA792DC8-807E-43E3-B484-47465D82C4D1}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Tos.RTD regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B415BA9-E543-41BD-8EB1-CB12A5B7678F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GlobalProtect64\\lib64\\RTDService.dll" regsvr32.exe