81be6c2e3b7a9165c21e703075363af5f88dbb3c16f7cfcfe5d7b933e019827f

Analysis

max time kernel
145s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03f0c98c5bbfc5e5711970804aabc32b.exe
Size

77KB
MD5

03f0c98c5bbfc5e5711970804aabc32b
SHA1

5cf9a0351cef00ff8635e844beeefc8846089048
SHA256

81be6c2e3b7a9165c21e703075363af5f88dbb3c16f7cfcfe5d7b933e019827f
SHA512

45cd7c0b547aab13e252019f952cc506c16bf5adda759dbd46f81e1edf5c1476cadc1227db54975aa7076afafb7b60c93d56d708e1a248f65eeaa50e984c8418
SSDEEP

1536:jXD+WPyKpNb/FnToIfZtvv9UcoeB3HQeBvycnYtqr7oLyj:DhPyKpNb/tTBfZtvOQBYtqr7oLyj

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MediauCenterf\Parameters\ServiceDll = "C:\\Windows\\system32\\MSVCRTDzq3.dll"	03f0c98c5bbfc5e5711970804aabc32b.exe

Deletes itself 1 IoCs

pid	Process
2924	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2608	03f0c98c5bbfc5e5711970804aabc32b.exe
2536	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSVCRTDzq3.dll	03f0c98c5bbfc5e5711970804aabc32b.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2608	03f0c98c5bbfc5e5711970804aabc32b.exe
2608	03f0c98c5bbfc5e5711970804aabc32b.exe
2608	03f0c98c5bbfc5e5711970804aabc32b.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2608	03f0c98c5bbfc5e5711970804aabc32b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2924	2608	03f0c98c5bbfc5e5711970804aabc32b.exe	32
PID 2608 wrote to memory of 2924	2608	03f0c98c5bbfc5e5711970804aabc32b.exe	32
PID 2608 wrote to memory of 2924	2608	03f0c98c5bbfc5e5711970804aabc32b.exe	32
PID 2608 wrote to memory of 2924	2608	03f0c98c5bbfc5e5711970804aabc32b.exe	32

C:\Users\Admin\AppData\Local\Temp\03f0c98c5bbfc5e5711970804aabc32b.exe
"C:\Users\Admin\AppData\Local\Temp\03f0c98c5bbfc5e5711970804aabc32b.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\03F0C9~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2924

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
1⤵
PID:2792

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\msvcrtdzq3.dll

Filesize
1.2MB

MD5
791aca9cc9795468dab889962e2d88ca

SHA1
4b87177223ed013b18ca6aa225423e96760a8e79

SHA256
ba57c7d02167fe1335531bb55c24444f13ea1d2aa6a62441897dc4aa42d4b882

SHA512
cbebf58fc3f8cafec823df609bb1aa8b7309732572f308f1870a9608ffe869e685f05b97efee9e1a8b8086da0b6f9bed31cfdcd71464d6ab979c3f143fec74f8

Download Submit
\Windows\SysWOW64\MSVCRTDzq3.dll

Filesize
30.2MB

MD5
dd9e6d54870e7d81cedcc9c32f184fd8

SHA1
21660802ec9550f461495570ee282d39f1cecac2

SHA256
9517fa5688cbb04947f55405c7de829b826365cefc059f29a1ea28f4751ab4dc

SHA512
196069efcf594faaf44cf37c2ed2806f7e77b81b9d44d6555f53fbf7c94957cf2a461e84aa504bbfc7c678d52be4b9d7ab6e9d5c3ccb9576910644c2da32c022

Download Submit
\Windows\SysWOW64\MSVCRTDzq3.dll

Filesize
1.2MB

MD5
36a773eb686554be4b76e9b40f8cceb3

SHA1
fdc614a774084c79cb5493efe12f5e89565c25a4

SHA256
46016838cb14f1daf4f096318281802f9e5bfdaf9c61471e95817f961c9b2859

SHA512
e676147659093e039379db64deb8ba9b56b95354baab753c5aa9f5d7a669500ccfee3a14be955f61448a14685452786070fd592ba298a273925b94431837552d

Download Submit
memory/2536-8-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2608-5-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download