1bbae7fd65ce859fdebbef69b00e51de4940b85cbf3171f0199f444677b42ae5

Analysis

max time kernel
91s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Repository/dsprov.dll
Size

202KB
MD5

c390f856b2d7e9271ccc7098d38df01b
SHA1

5f519d7675a4bacdb3cf0c7cfa7a7145f28a93ca
SHA256

6a0a91883c5a56125a12d36ef79dfa9f8be8986b2b9387b5b9712f793555308c
SHA512

a17758b1fe9ed2f596a08c1b4ba915a031278768d32149e884c8ed706b587c0e326b73790460eccf906cbe3a5e3e290492eee013178cc085d03101ede493e84d
SSDEEP

3072:4oSq0b8JS+2Vnz2H/YXQi78lXqeTb3BnacfGgn5SNF2:4oN0xLW+Qi78ZTtnzX5S

Score

7^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33831ED4-42B8-11D2-93AD-00805F853771}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{AA527A40-4D9A-11D2-93AD-00805F853771}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EF94880-01A8-11D2-A90B-00AA00BF3363}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{33831ED4-42B8-11D2-93AD-00805F853771}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{AA527A40-4D9A-11D2-93AD-00805F853771}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EF94880-01A8-11D2-A90B-00AA00BF3363}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{33831ED4-42B8-11D2-93AD-00805F853771}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AA527A40-4D9A-11D2-93AD-00805F853771}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{1EF94880-01A8-11D2-A90B-00AA00BF3363}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AA527A40-4D9A-11D2-93AD-00805F853771}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{1EF94880-01A8-11D2-A90B-00AA00BF3363}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33831ED4-42B8-11D2-93AD-00805F853771}\InprocServer32	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Repository\dsprov.dll
1⤵
- Modifies registry class
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...