31b5dd4b9119afd13692f5a3d204b139fe78affae1d1ceb6ca426ea59d8a1df1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Private Key/AUTHZAX.dll
Size

67KB
MD5

6d7aaaadf2bb5a485c9af58f73641379
SHA1

0cf59ade584b41a987cd256172633d5f78bdd64d
SHA256

21bd2da73c0fd41e35999b01e695e8187741812a138494ad4b2d3c4e5241937d
SHA512

ce97970c9cd42944c4d08438962297e3215595254776db6d732298984ccd9ee8778ec83b5f39d229d89b6fc4c0d49647a78120fce0acc03fa3bb60ea91cfd6b0
SSDEEP

768:hV2w7WuYlsz1Zha3S0EJaKZf3VcvB/2AgbfViz7/TFFGVOucKfsgx9e3PlYZKO+Q:mwJYKs8XMTf7/TX6e3PYKO+oU795Y

Score

7^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies registry class 48 IoCs

Processes:

regsvr32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D4BB23A-FDE6-4A95-A383-10F092CA43D7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Office14.Authz.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Office14.Authz.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Office14.Authz\ = "Microsoft Office 14 Authorization Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}\ProgID\ = "Office14.Authz.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA3E6E3C-5130-49C1-8EDE-F889CD0F4429}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Private Key"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D4BB23A-FDE6-4A95-A383-10F092CA43D7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D4BB23A-FDE6-4A95-A383-10F092CA43D7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Private Key\\AUTHZAX.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA3E6E3C-5130-49C1-8EDE-F889CD0F4429}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA3E6E3C-5130-49C1-8EDE-F889CD0F4429}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Office14.Authz\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}\TypeLib\ = "{EA3E6E3C-5130-49c1-8EDE-F889CD0F4429}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D4BB23A-FDE6-4A95-A383-10F092CA43D7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA3E6E3C-5130-49C1-8EDE-F889CD0F4429}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA3E6E3C-5130-49C1-8EDE-F889CD0F4429}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA3E6E3C-5130-49C1-8EDE-F889CD0F4429}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Private Key\\AUTHZAX.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D4BB23A-FDE6-4A95-A383-10F092CA43D7}\TypeLib\ = "{EA3E6E3C-5130-49C1-8EDE-F889CD0F4429}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D4BB23A-FDE6-4A95-A383-10F092CA43D7}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D4BB23A-FDE6-4A95-A383-10F092CA43D7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Office14.Authz.1\CLSID\ = "{C514A18E-862A-45d3-8A5E-62CF54D912B6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Office14.Authz\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Office14.Authz\CLSID\ = "{C514A18E-862A-45d3-8A5E-62CF54D912B6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}\VersionIndependentProgID\ = "Office14.Authz"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA3E6E3C-5130-49C1-8EDE-F889CD0F4429}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D4BB23A-FDE6-4A95-A383-10F092CA43D7}\ = "IAuthz"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D4BB23A-FDE6-4A95-A383-10F092CA43D7}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D4BB23A-FDE6-4A95-A383-10F092CA43D7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Office14.Authz	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Office14.Authz\CurVer\ = "Office14.Authz.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA3E6E3C-5130-49C1-8EDE-F889CD0F4429}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D4BB23A-FDE6-4A95-A383-10F092CA43D7}\ = "IAuthz"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D4BB23A-FDE6-4A95-A383-10F092CA43D7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Office14.Authz.1\Insertable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}\ = "Microsoft Office 14 Authorization Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D4BB23A-FDE6-4A95-A383-10F092CA43D7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Office14.Authz.1\ = "Microsoft Office 14 Authorization Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA3E6E3C-5130-49C1-8EDE-F889CD0F4429}\1.0\ = "Microsoft Office 14 Authorization Control 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA3E6E3C-5130-49C1-8EDE-F889CD0F4429}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D4BB23A-FDE6-4A95-A383-10F092CA43D7}\TypeLib\ = "{EA3E6E3C-5130-49C1-8EDE-F889CD0F4429}"	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Private Key\AUTHZAX.dll"
1⤵
- Modifies registry class
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads