Overview
overview
10Static
static
3TapiSyspre...ep.dll
windows11-21h2-x64
1TapiSyspre...fm.dll
windows11-21h2-x64
1TapiSyspre...sh.dll
windows11-21h2-x64
1TapiSyspre...is.dll
windows11-21h2-x64
1acledit/Bl...is.dll
windows11-21h2-x64
1acledit/De...er.dll
windows11-21h2-x64
1acledit/acledit.dll
windows11-21h2-x64
1acledit/printui.dll
windows11-21h2-x64
1dsreg/dcntel.dll
windows11-21h2-x64
1dsreg/dsound.dll
windows11-21h2-x64
1dsreg/dsreg.dll
windows11-21h2-x64
1dsreg/sensrsvc.dll
windows11-21h2-x64
1pcwum/AppxSip.dll
windows11-21h2-x64
8pcwum/asferror.dll
windows11-21h2-x64
1pcwum/pcwum.dll
windows11-21h2-x64
1pcwum/pdhui.dll
windows11-21h2-x64
1setup.msi
windows11-21h2-x64
10wcimage/SEMgrPS.dll
windows11-21h2-x64
1wcimage/Se...pi.dll
windows11-21h2-x64
1wcimage/ne...vc.dll
windows11-21h2-x64
1wcimage/wcimage.dll
windows11-21h2-x64
1Analysis
-
max time kernel
145s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
15-06-2024 13:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
TapiSysprep/TapiSysprep.dll
Resource
win11-20240611-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral2
Sample
TapiSysprep/netprofm.dll
Resource
win11-20240508-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral3
Sample
TapiSysprep/rpcnsh.dll
Resource
win11-20240611-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral4
Sample
TapiSysprep/socialapis.dll
Resource
win11-20240508-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral5
Sample
acledit/BluetoothApis.dll
Resource
win11-20240508-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral6
Sample
acledit/DevDispItemProvider.dll
Resource
win11-20240419-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral7
Sample
acledit/acledit.dll
Resource
win11-20240611-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral8
Sample
acledit/printui.dll
Resource
win11-20240611-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral9
Sample
dsreg/dcntel.dll
Resource
win11-20240508-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral10
Sample
dsreg/dsound.dll
Resource
win11-20240611-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral11
Sample
dsreg/dsreg.dll
Resource
win11-20240611-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral12
Sample
dsreg/sensrsvc.dll
Resource
win11-20240611-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral13
Sample
pcwum/AppxSip.dll
Resource
win11-20240508-en
windows11-21h2-x64
1 signatures
150 seconds
Behavioral task
behavioral14
Sample
pcwum/asferror.dll
Resource
win11-20240508-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral15
Sample
pcwum/pcwum.dll
Resource
win11-20240611-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral16
Sample
pcwum/pdhui.dll
Resource
win11-20240508-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral17
Sample
setup.msi
Resource
win11-20240611-en
windows11-21h2-x64
15 signatures
150 seconds
Behavioral task
behavioral18
Sample
wcimage/SEMgrPS.dll
Resource
win11-20240611-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral19
Sample
wcimage/SensorsApi.dll
Resource
win11-20240508-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral20
Sample
wcimage/netprofmsvc.dll
Resource
win11-20240508-en
windows11-21h2-x64
0 signatures
150 seconds
Behavioral task
behavioral21
Sample
wcimage/wcimage.dll
Resource
win11-20240419-en
windows11-21h2-x64
0 signatures
150 seconds
General
-
Target
pcwum/AppxSip.dll
-
Size
268KB
-
MD5
577dbb84e03e995d507840258c52913f
-
SHA1
cb1d426d26a3e966d29a6a28f94ed5273c21d759
-
SHA256
c8ed0608c107745d56fcdf34cac855602c65dc1a612c173f4057cbd30fbf2058
-
SHA512
90263941720d4498cfe588ecc7c713f04ce2431722b918859c555041be1823ace5163306c3e273e92fde0d472b3bb494acc37b26982a269116b64ed13aa396cf
-
SSDEEP
6144:cTXUiOy2C35UKI+EqJNLo/AKjJIcLIT9mAD:cTkFy2aI+FLSHjJIcsR
Score
8/10
Malware Config
Signatures
-
Manipulates Digital Signatures 1 TTPs 60 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
Processes:
regsvr32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "EappxBundleSipGetSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "EappxSipPutSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "EappxSipVerifyIndirectData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "AppxSipCreateIndirectData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\FuncName = "AppxBundleSipCreateIndirectData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "AppxSipVerifyIndirectData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\FuncName = "AppxBundleSipGetSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "EappxSipGetSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "AppxSipIsFileSupportedName" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\FuncName = "AppxBundleSipPutSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "EappxBundleSipVerifyIndirectData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\FuncName = "P7xSipGetSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\FuncName = "P7xSipIsFileSupportedName" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "AppxSipRemoveSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\FuncName = "P7xSipVerifyIndirectData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "EappxBundleSipRemoveSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "EappxBundleSipCreateIndirectData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "EappxBundleSipIsFileSupportedName" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\FuncName = "AppxBundleSipIsFileSupportedName" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "EappxSipCreateIndirectData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\FuncName = "AppxBundleSipRemoveSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "EappxSipRemoveSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "AppxSipPutSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\FuncName = "P7xSipCreateIndirectData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\FuncName = "AppxBundleSipVerifyIndirectData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "EappxBundleSipPutSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\Dll = "AppxSip.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "EappxSipIsFileSupportedName" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "AppxSipGetSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\FuncName = "P7xSipPutSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\FuncName = "P7xSipRemoveSignedDataMsg" regsvr32.exe