df9a20022998c7ac11af23fc69f5d42698ed187b4d03b75fa911570c648d9642

Analysis

max time kernel
92s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install/AutoItX/AutoItX3.dll
Size

454KB
MD5

eb86fb3ad4445983f7d2b7e11ef7fc21
SHA1

f4442e19970cd6fa82659855f49972648eb34801
SHA256

80e7e298e1d1a9cbaa30b34a896d71018779965d1e03be621d974a64a680668d
SHA512

3cf84ea50498ca897fe77515c17e02385beeee153aa6d2b62dcd89b97eda134d387ed55d62753919e2b299f0658611a991c66a70c96d3c31f6a915912d9743c3
SSDEEP

6144:tFD9Tj6MoGKP0GJ+iCnHpGXqIs/cJojGi35AOS6ItdIa5f2o7/Us:v9Tj6MzKP0r5IjHi35EtdIaf//

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

regsvr32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 61 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\TypeLib\ = "{F8937E53-D444-4E71-9275-35B64210CC3B}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\NumMethods\ = "107"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control\CLSID\ = "{1A671297-FA74-4422-80FA-6C5D8CE4DE04}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6E8109C4-F369-415D-AF9A-2AEEFF313234}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ = "IAutoItX3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\AppID = "{6E8109C4-F369-415D-AF9A-2AEEFF313234}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\ = "AutoItX3 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\ = "AutoItX3 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ = "IAutoItX3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control\CurVer\ = "AutoItX3.Control.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\install\\AutoItX\\AutoItX3.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AutoItX3.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\install\\AutoItX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32\ = "{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control\ = "AutoItX3 Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\install\\AutoItX\\AutoItX3.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AutoItX3.DLL\AppID = "{6E8109C4-F369-415D-AF9A-2AEEFF313234}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control.1\CLSID\ = "{1A671297-FA74-4422-80FA-6C5D8CE4DE04}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib\ = "{F8937E53-D444-4E71-9275-35B64210CC3B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control.1\ = "AutoItX3 Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\ProgID\ = "AutoItX3.Control.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\VersionIndependentProgID\ = "AutoItX3.Control"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\WOW6432Node\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6E8109C4-F369-415D-AF9A-2AEEFF313234}\ = "AutoItX3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib\ = "{F8937E53-D444-4E71-9275-35B64210CC3B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\install\\AutoItX\\AutoItX3.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 736 wrote to memory of 880	736	regsvr32.exe	regsvr32.exe
PID 736 wrote to memory of 880	736	regsvr32.exe	regsvr32.exe
PID 736 wrote to memory of 880	736	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\install\AutoItX\AutoItX3.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\install\AutoItX\AutoItX3.dll
2⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads