Regsvr32 DLL Execution With Suspicious File Extension

 1title: Regsvr32 DLL Execution With Suspicious File Extension
 2id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
 3related:
 4    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
 5      type: obsoletes
 6status: test
 7description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
 8references:
 9    - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
10    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
11    - https://guides.lib.umich.edu/c.php?g=282942&p=1885348
12author: Florian Roth (Nextron Systems), frack113
13date: 2021/11/29
14modified: 2023/05/24
15tags:
16    - attack.defense_evasion
17    - attack.t1218.010
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith: '\regsvr32.exe'
24        - OriginalFileName: 'REGSVR32.EXE'
25    selection_cli:
26        CommandLine|endswith:
27            # Add more image extensions
28            # https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
29            - '.bin'
30            - '.bmp'
31            - '.cr2'
32            - '.dat'
33            - '.eps'
34            - '.gif'
35            - '.ico'
36            - '.jpeg'
37            - '.jpg'
38            - '.nef'
39            - '.orf'
40            - '.png'
41            - '.raw'
42            - '.sr2'
43            - '.temp'
44            - '.tif'
45            - '.tiff'
46            - '.tmp'
47            - '.rtf'
48            - '.txt'
49    condition: all of selection_*
50falsepositives:
51    - Unlikely
52level: high

References

• CONTInuing the Bazar Ransomware Story

  

  In this report we will discuss a case from early August where we witnessed threat actors utilizing BazarLoader and Cobalt Strike to accomplish their mission of encrypting systems with Conti ransomware.

  
  Read More

• Threat hunting in large datasets by clustering security events

  

  By Tiago Pereira. * Security tools can produce very large amounts of data that even the most sophisticated organizations may struggle to manage. * Big data processing tools, such as spark, can be a powerful tool in the arsenal of security teams. * This post walks through threat hunting on large datasets by

  
  Read More

• Research Guides: All About Images: Image File Formats

  

  Focuses on many common image questions in regards to image resolutions, resizing images, file types, vector and raster images, scanning, saving and more. Overview of common image files such as JPG, GIF, and TIFF.

  
  Read More

Related rules

• Potentially Suspicious Child Process Of Regsvr32
• Potentially Suspicious Regsvr32 HTTP IP Pattern
• Potentially Suspicious Regsvr32 HTTP/FTP Pattern
• Regsvr32 Execution From Highly Suspicious Location
• Regsvr32 Execution From Potential Suspicious Location