b51105615d31ef7388b9ffbf670133cb173d1e7a7100bfef0b93e2b6e58b9142

Analysis

max time kernel
193s
max time network
301s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30-06-2024 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Team Tools/Dynamic Code Coverage Tools/amd64/msdia110.dll
Size

1.0MB
MD5

24ac8872b2ce510e3b615e3a50059fdb
SHA1

d06915c57a24b2bc6f806b3d9b944742b9f161af
SHA256

1d5d4a3c0d149966835e3832ccf16bacdc0b4fa799e4cfab0c7852ead59e9d24
SHA512

9b62c352eac4fb1317fd1d6390c99bf88a64700651b9c37d95482a41f02c36bc587ff14bdef8223a1b1f178539e7bffd928da60de7a6b982e3831cb17e7b93de
SSDEEP

12288:agyupQeL8wx8XhiaMQUjEAdwATQessvmp5ukkgr5yeYcc5eFN1pxxVwHBNiERA:agyuGMzjEAdwAUpBkJeY15k1VwHBNiD

Score

7^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies registry class 26 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC259D4D-398E-4CFF-84FD-5F44DC9DE367}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Team Tools\\Dynamic Code Coverage Tools\\amd64\\msdia110.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Team Tools\\Dynamic Code Coverage Tools\\amd64"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC259D4D-398E-4CFF-84FD-5F44DC9DE367}\ = "Generic StackWalker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761D3BCD-1304-41D5-94E8-EAC54E4AC172}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761D3BCD-1304-41D5-94E8-EAC54E4AC172}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC259D4D-398E-4CFF-84FD-5F44DC9DE367}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Team Tools\\Dynamic Code Coverage Tools\\amd64\\msdia110.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D793FB46-820A-48E5-9599-6E4C3B3FB370}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D793FB46-820A-48E5-9599-6E4C3B3FB370}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\ = "dia 2.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D793FB46-820A-48E5-9599-6E4C3B3FB370}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Team Tools\\Dynamic Code Coverage Tools\\amd64\\msdia110.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC259D4D-398E-4CFF-84FD-5F44DC9DE367}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC259D4D-398E-4CFF-84FD-5F44DC9DE367}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761D3BCD-1304-41D5-94E8-EAC54E4AC172}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761D3BCD-1304-41D5-94E8-EAC54E4AC172}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Team Tools\\Dynamic Code Coverage Tools\\amd64\\msdia110.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D793FB46-820A-48E5-9599-6E4C3B3FB370}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761D3BCD-1304-41D5-94E8-EAC54E4AC172}\ = "Debug Information Accessor"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D793FB46-820A-48E5-9599-6E4C3B3FB370}\ = "Debug Information Accessor w/o Global Memory Usage"	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\Team Tools\Dynamic Code Coverage Tools\amd64\msdia110.dll"
1⤵
- Modifies registry class
PID:1836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads