Overview
overview
10Static
static
3Config/cy.vbs
windows7-x64
1Config/cy.vbs
windows10-2004-x64
1Config/fold.vbs
windows7-x64
1Config/fold.vbs
windows10-2004-x64
1Data/libifcoremd.dll
windows7-x64
1Data/libifcoremd.dll
windows10-2004-x64
1Data/msdia100.dll
windows7-x64
7Data/msdia100.dll
windows10-2004-x64
7Data/mysql...ors.js
windows7-x64
3Data/mysql...ors.js
windows10-2004-x64
3MigrationS...cs.dll
windows7-x64
1MigrationS...cs.dll
windows10-2004-x64
1MigrationS...es.dll
windows7-x64
1MigrationS...es.dll
windows10-2004-x64
1MigrationS...st.exe
windows7-x64
1MigrationS...st.exe
windows10-2004-x64
1MigrationS...p2.exe
windows7-x64
1MigrationS...p2.exe
windows10-2004-x64
1MigrationS...ct.exe
windows7-x64
1MigrationS...ct.exe
windows10-2004-x64
1MigrationS...st.exe
windows7-x64
1MigrationS...st.exe
windows10-2004-x64
1Rapid/Refl...001.js
windows7-x64
3Rapid/Refl...001.js
windows10-2004-x64
3Setup.exe
windows7-x64
10Setup.exe
windows10-2004-x64
3libcrypto-3.dll
windows7-x64
3libcrypto-3.dll
windows10-2004-x64
3libssl-3.dll
windows7-x64
3libssl-3.dll
windows10-2004-x64
3swscale-6.dll
windows7-x64
1swscale-6.dll
windows10-2004-x64
1Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30/12/2024, 05:32
Static task
static1
Behavioral task
behavioral1
Sample
Config/cy.vbs
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral2
Sample
Config/cy.vbs
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Config/fold.vbs
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
Config/fold.vbs
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Data/libifcoremd.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
Data/libifcoremd.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Data/msdia100.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral8
Sample
Data/msdia100.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Data/mysqli_query_iterators.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
Data/mysqli_query_iterators.js
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
MigrationService/System.Security.Cryptography.Pkcs.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
MigrationService/System.Security.Cryptography.Pkcs.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
MigrationService/VBoxRes.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
MigrationService/VBoxRes.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
MigrationService/helper/bin/ahost.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
MigrationService/helper/bin/ahost.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
MigrationService/helper/bin/bzip2.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
MigrationService/helper/bin/bzip2.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
MigrationService/helper/bin/connect.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
MigrationService/helper/bin/connect.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
MigrationService/helper/bin/trust.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
MigrationService/helper/bin/trust.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Rapid/ReflectionType_001.js
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral24
Sample
Rapid/ReflectionType_001.js
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Setup.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral26
Sample
Setup.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
libcrypto-3.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral28
Sample
libcrypto-3.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
libssl-3.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
libssl-3.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
swscale-6.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
swscale-6.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
Data/msdia100.dll
-
Size
966KB
-
MD5
58b80d366d68b524e1b4fbb4c7dbc511
-
SHA1
c42756154a35923542317fae2376497d0035c51b
-
SHA256
e3893c35187b0dd848758979ebd0d766fc99f918ec9e685297f7d6ca080f122d
-
SHA512
7754b6f9093ddec47ae2679a32a6b9d8595bb2abf25eb8ee2043efcf68449d17cc9ed109e59c25ec19f476ba1bc70c4de51fa6f3be1d98d6e3894ccf419a2122
-
SSDEEP
12288:tc2YwE7VSxeUMUCcTd8Ht4lYyF2f78oyoMZggTSy:S2DE7oxeUXfaHtkYZjiQg2y
Malware Config
Signatures
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Modifies registry class 26 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B86AE24D-BF2F-4AC9-B5A2-34B14E4CE11D}\ = "Debug Information Accessor" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B86AE24D-BF2F-4AC9-B5A2-34B14E4CE11D}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B86AE24D-BF2F-4AC9-B5A2-34B14E4CE11D}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3E90253-8E14-49A5-AA30-2E7B798AB839}\ = "Debug Information Accessor w/o Global Memory Usage" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBA05B6F-BD22-490E-A7B0-32D821C9046C}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3E90253-8E14-49A5-AA30-2E7B798AB839}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Data\\msdia100.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3E90253-8E14-49A5-AA30-2E7B798AB839}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBA05B6F-BD22-490E-A7B0-32D821C9046C}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B86AE24D-BF2F-4AC9-B5A2-34B14E4CE11D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Data\\msdia100.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3E90253-8E14-49A5-AA30-2E7B798AB839}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBA05B6F-BD22-490E-A7B0-32D821C9046C}\ = "Generic StackWalker" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\ = "dia 2.0 Type Library" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Data\\msdia100.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Data" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B86AE24D-BF2F-4AC9-B5A2-34B14E4CE11D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3E90253-8E14-49A5-AA30-2E7B798AB839} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBA05B6F-BD22-490E-A7B0-32D821C9046C} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBA05B6F-BD22-490E-A7B0-32D821C9046C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Data\\msdia100.dll" regsvr32.exe