Overview
overview
10Static
static
3__x64___se...nv.dll
windows10-2004-x64
1__x64___se...or.dll
windows10-2004-x64
1__x64___se...vc.dll
windows10-2004-x64
1__x64___se...df.dll
windows10-2004-x64
1__x64___se...nc.dll
windows10-2004-x64
1__x64___se...tr.dll
windows10-2004-x64
1__x64___se...el.dll
windows10-2004-x64
1__x64___se...lg.dll
windows10-2004-x64
1__x64___se...ab.dll
windows10-2004-x64
1__x64___se...rf.dll
windows10-2004-x64
1__x64___se...on.dll
windows10-2004-x64
1__x64___se...al.dll
windows10-2004-x64
1__x64___se...SM.dll
windows10-2004-x64
1__x64___se...ms.dll
windows10-2004-x64
1__x64___se...20.dll
windows7-x64
1__x64___se...20.dll
windows10-2004-x64
1__x64___se...un.dll
windows10-2004-x64
7__x64___se...up.msi
windows7-x64
6__x64___se...up.msi
windows10-2004-x64
10__x64___se...ph.dll
windows10-2004-x64
1__x64___se...rs.dll
windows10-2004-x64
1__x64___se...rv.dll
windows10-2004-x64
1__x64___se...re.dll
windows10-2004-x64
1Analysis
-
max time kernel
91s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01-07-2024 04:18
Static task
static1
Behavioral task
behavioral1
Sample
__x64___setup___x32__/SettingMonitor/SessEnv.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
__x64___setup___x32__/SettingMonitor/SettingMonitor.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
__x64___setup___x32__/SettingMonitor/pnrpsvc.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
__x64___setup___x32__/SettingMonitor/uudf.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
__x64___setup___x32__/SettingSync/SettingSync.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
__x64___setup___x32__/SettingSync/rasmontr.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
__x64___setup___x32__/SettingSync/schannel.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
__x64___setup___x32__/SettingSync/sppcommdlg.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
__x64___setup___x32__/dab/dab.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
__x64___setup___x32__/dab/diagperf.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
__x64___setup___x32__/dab/fcon.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
__x64___setup___x32__/dab/hal.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
__x64___setup___x32__/mscms/NPSM.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
__x64___setup___x32__/mscms/mscms.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
__x64___setup___x32__/mscms/msvcp120.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
__x64___setup___x32__/mscms/msvcp120.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
__x64___setup___x32__/mscms/scrrun.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
__x64___setup___x32__/setup.msi
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral19
Sample
__x64___setup___x32__/setup.msi
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
__x64___setup___x32__/vmrdvcore/mssph.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
__x64___setup___x32__/vmrdvcore/perfctrs.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
__x64___setup___x32__/vmrdvcore/tapisrv.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
__x64___setup___x32__/vmrdvcore/vmrdvcore.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
General
-
Target
__x64___setup___x32__/mscms/scrrun.dll
-
Size
223KB
-
MD5
8a6d4a4e788d30298a8885aaa5ef5e50
-
SHA1
33dd8d769e42690b6d12e2deb744ec63d4170429
-
SHA256
40c371fab5d3b36a2b15062ccd9deb088ac2aae4a52cd61c48671d3671fe8b23
-
SHA512
726f198c2d7477dce478cb16578206fbcbd95b57c67547baab0d8d7f82334f724199bbd2a1546b7b8e29d95d6cd3ad8683e32c08b6c46e3853247e3db1cdcf57
-
SSDEEP
3072:RLyWTrOJHy/LyLVCtndbijmQHw/vfQi18eXUMS1049WRjCy24eM68Pm:RLyWTrF+LVmdijy18JJSO54eM
Malware Config
Signatures
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Modifies registry class 64 IoCs
Processes:
regsvr32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cdx regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\Version regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Version regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\JSFILE\SCRIPTHOSTENCODE regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\ProgID regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder\ = "Script Encoder Object" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\ASPFILE\SCRIPTHOSTENCODE regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\TypeLib regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.htm regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ScriptHostEncode regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode\ = "{85131631-480C-11D2-B1F9-00C04F86C324}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\Version regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode\ = "{0CF774D0-F077-11D1-B1BC-00C04F86C324}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.asa regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ScriptHostEncode\ = "{85131630-480C-11D2-B1F9-00C04F86C324}" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\HTMLFILE\SCRIPTHOSTENCODE regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary\ = "Scripting.Dictionary" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode\ = "{0CF774D1-F077-11D1-B1BC-00C04F86C324}" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode\CLSID regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.html regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib regsvr32.exe