785d71950c369a273ded2c1e4159b0d06bcd9fd63a5eefb2288ba77bbfc2b67d

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/01/2025, 00:05 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123/psmachine.dll
Size

250KB
MD5

a47b9c0e96070d89e9dc65358c81538d
SHA1

719f2688f1bbb7e65acc9cacf1e50ad461d5ee7a
SHA256

ea5f4746aa8ccc63d4265d7bf860df53249c284924d824cffd5b11fdd980fa4e
SHA512

cbf0b4566259d45db48d9643e1a32aefef4dd1b869f79ba6c77096bc0e9f8b351fafa0b4b72c9aaefcea7f0477e7af9e23b7e97858a8d5f422895b2ea4e63300
SSDEEP

6144:8X2kclmHZ3aTIOOYO5OI4ENxNGEilD/am21:8X2kccHdaTIOOYdgxwE2Q1

Score

5^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4BCDF52-2179-4C77-8C5F-B8095712B563}\ProxyStubClsid32\ = "{7C76BB44-7096-4A8E-A57A-160ED2D47153}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9190589-ECEC-43F8-8AEC-62496BB87B26}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24D704AD-AC42-49F2-BB4F-68BA77C98E91}\ = "IGoogleUpdate3WebSecurity"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}\ = "IProcessLauncher"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C974F2DD-CFB8-4466-8E6D-96ED901DAACA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAE4AD28-500D-43BA-9F54-730CA146C190}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1985533F-9B0F-490A-85C5-24F316E66FB2}\ProxyStubClsid32\ = "{7C76BB44-7096-4A8E-A57A-160ED2D47153}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\ProxyStubClsid32\ = "{7C76BB44-7096-4A8E-A57A-160ED2D47153}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9190589-ECEC-43F8-8AEC-62496BB87B26}\ProxyStubClsid32\ = "{7C76BB44-7096-4A8E-A57A-160ED2D47153}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24D704AD-AC42-49F2-BB4F-68BA77C98E91}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91B050A9-5A49-4249-A8C8-B4390961A912}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FB43AAD0-DDBA-4D01-A3E0-FAB100E7926B}\ = "IAppWeb"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7CFC4E00-1C9D-443D-B5BE-CEEEAC1443AF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A24060E-533F-4962-9E15-34BD82555FA7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A24060E-533F-4962-9E15-34BD82555FA7}\ = "ICoCreateAsyncStatus"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A147722A-5568-4B84-B401-86D744470CBF}\NumMethods\ = "43"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1985533F-9B0F-490A-85C5-24F316E66FB2}\NumMethods\ = "41"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7CFC4E00-1C9D-443D-B5BE-CEEEAC1443AF}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A24060E-533F-4962-9E15-34BD82555FA7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35A4470F-5EEC-4715-A2DC-6AA9F8E21183}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C929BFE-4FA4-488D-B1E2-82ECD6F076C8}\NumMethods\ = "5"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35A4470F-5EEC-4715-A2DC-6AA9F8E21183}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C11C073F-E6D0-4EF7-897B-AAF52498CD2F}\ = "IAppCommand2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A4BCDF52-2179-4C77-8C5F-B8095712B563}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{19F4616B-B7DD-4B3F-8084-C81C5C77AAA4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6836CFF-5949-44BC-B6BE-9C8C48DD8D97}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\CLSID\{06B74C04-E813-4DD4-A972-172836EFA8D6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\123\\psmachine.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C11C073F-E6D0-4EF7-897B-AAF52498CD2F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C11C073F-E6D0-4EF7-897B-AAF52498CD2F}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7CB305B1-4D45-4668-AD91-677F87BED305}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FB43AAD0-DDBA-4D01-A3E0-FAB100E7926B}\NumMethods\ = "17"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9190589-ECEC-43F8-8AEC-62496BB87B26}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7CB305B1-4D45-4668-AD91-677F87BED305}\ProxyStubClsid32\ = "{7C76BB44-7096-4A8E-A57A-160ED2D47153}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{660130E8-74E4-4821-A6FD-4E9A86E06470}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C929BFE-4FA4-488D-B1E2-82ECD6F076C8}\ProxyStubClsid32\ = "{7C76BB44-7096-4A8E-A57A-160ED2D47153}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{931E73FD-D487-4458-AA08-1FF41413377B}\ProxyStubClsid32\ = "{7C76BB44-7096-4A8E-A57A-160ED2D47153}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\CLSID\{F6E536F5-F795-49CE-A85D-2DA66503C6F1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A24060E-533F-4962-9E15-34BD82555FA7}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A147722A-5568-4B84-B401-86D744470CBF}\ = "IApp2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10479D64-2C5F-46CD-9BC8-FD04FF4D02D8}\ = "IGoogleUpdateCore"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{70E5ECF5-2CA7-4019-9B23-916789A13C2C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAE4AD28-500D-43BA-9F54-730CA146C190}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD84E356-3D21-44C8-83DD-6BEEC22FA427}\ProxyStubClsid32\ = "{7C76BB44-7096-4A8E-A57A-160ED2D47153}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{19F4616B-B7DD-4B3F-8084-C81C5C77AAA4}\ProxyStubClsid32\ = "{7C76BB44-7096-4A8E-A57A-160ED2D47153}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\CLSID\{F6E536F5-F795-49CE-A85D-2DA66503C6F1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C76BB44-7096-4A8E-A57A-160ED2D47153}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\123\\psmachine.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A24060E-533F-4962-9E15-34BD82555FA7}\ProxyStubClsid32\ = "{7C76BB44-7096-4A8E-A57A-160ED2D47153}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8504FB26-FC3E-4C1C-9C94-46EC93E6BA63}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{19F4616B-B7DD-4B3F-8084-C81C5C77AAA4}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C663DEBB-F082-4971-9F6E-35DE45C96F4E}\ = "IPackage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6836CFF-5949-44BC-B6BE-9C8C48DD8D97}\ = "ICurrentState"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\CLSID\{F6E536F5-F795-49CE-A85D-2DA66503C6F1}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EFF9CA12-4CD3-474B-B881-CDE1D92F1996}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EFF9CA12-4CD3-474B-B881-CDE1D92F1996}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48B5E6B2-9383-4B1E-AAE7-720C4779ABA6}\ = "IRegistrationUpdateHook"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{660130E8-74E4-4821-A6FD-4E9A86E06470}\ProxyStubClsid32\ = "{7C76BB44-7096-4A8E-A57A-160ED2D47153}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\ = "IAppBundleWeb"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{852A0F87-D117-4B7C-ABA9-2F76D91BCB9D}\NumMethods\ = "24"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7CFC4E00-1C9D-443D-B5BE-CEEEAC1443AF}\ProxyStubClsid32\ = "{7C76BB44-7096-4A8E-A57A-160ED2D47153}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4842EC21-0860-45B5-99F0-A1E6E7C11561}\ = "IAppCommand"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2340	2320	regsvr32.exe	31
PID 2320 wrote to memory of 2340	2320	regsvr32.exe	31
PID 2320 wrote to memory of 2340	2320	regsvr32.exe	31
PID 2320 wrote to memory of 2340	2320	regsvr32.exe	31
PID 2320 wrote to memory of 2340	2320	regsvr32.exe	31
PID 2320 wrote to memory of 2340	2320	regsvr32.exe	31
PID 2320 wrote to memory of 2340	2320	regsvr32.exe	31

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\123\psmachine.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\123\psmachine.dll
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.