df9a20022998c7ac11af23fc69f5d42698ed187b4d03b75fa911570c648d9642

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install/AutoItX/AutoItX3_x64.dll
Size

512KB
MD5

f11ae50df86a3bf2aa00625e54d7ebb4
SHA1

9812f16df2b0d1eeb75931348096128448d1179d
SHA256

5c1acd56bf432462e59e05e72d486fad670c4dd7c556df3d3270b827d1bbc555
SHA512

6e6ea547a758e95d75952164ebe5e928dbf46da3875c5aba7332755f5e6a5a98587226cf278ad99f4155f39e42f96f2ece0740554e0531f1293fc762a36bdc01
SSDEEP

12288:rqlTSwWo+9Ma61G0I+r0AYODI8u1zTJsQoHoJtdM5Jca+3E:r+FWo+9eIArFcE5Jca+3E

Score

5^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies registry class 61 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\install\\AutoItX\\AutoItX3_x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control.1\CLSID\ = "{1A671297-FA74-4422-80FA-6C5D8CE4DE04}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\ProgID\ = "AutoItX3.Control.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ = "IAutoItX3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control\CLSID\ = "{1A671297-FA74-4422-80FA-6C5D8CE4DE04}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control\CurVer\ = "AutoItX3.Control.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\install\\AutoItX\\AutoItX3_x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\install\\AutoItX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AutoItX3.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\AppID = "{6E8109C4-F369-415D-AF9A-2AEEFF313234}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6E8109C4-F369-415D-AF9A-2AEEFF313234}\ = "AutoItX3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\ = "AutoItX3 Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\install\\AutoItX\\AutoItX3_x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\TypeLib\ = "{F8937E53-D444-4E71-9275-35B64210CC3B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AutoItX3.DLL\AppID = "{6E8109C4-F369-415D-AF9A-2AEEFF313234}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib\ = "{F8937E53-D444-4E71-9275-35B64210CC3B}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\NumMethods\ = "107"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib\ = "{F8937E53-D444-4E71-9275-35B64210CC3B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32\ = "{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control.1\ = "AutoItX3 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\VersionIndependentProgID\ = "AutoItX3.Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\ = "AutoItX3 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ = "IAutoItX3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6E8109C4-F369-415D-AF9A-2AEEFF313234}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control\ = "AutoItX3 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\install\AutoItX\AutoItX3_x64.dll
1⤵
- Modifies registry class
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads