81be6c2e3b7a9165c21e703075363af5f88dbb3c16f7cfcfe5d7b933e019827f

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 03:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

03f0c98c5bbfc5e5711970804aabc32b.exe
Size

77KB
MD5

03f0c98c5bbfc5e5711970804aabc32b
SHA1

5cf9a0351cef00ff8635e844beeefc8846089048
SHA256

81be6c2e3b7a9165c21e703075363af5f88dbb3c16f7cfcfe5d7b933e019827f
SHA512

45cd7c0b547aab13e252019f952cc506c16bf5adda759dbd46f81e1edf5c1476cadc1227db54975aa7076afafb7b60c93d56d708e1a248f65eeaa50e984c8418
SSDEEP

1536:jXD+WPyKpNb/FnToIfZtvv9UcoeB3HQeBvycnYtqr7oLyj:DhPyKpNb/tTBfZtvOQBYtqr7oLyj

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MediauCenterf\Parameters\ServiceDll = "C:\\Windows\\system32\\MSVCRTDjs3.dll"	03f0c98c5bbfc5e5711970804aabc32b.exe

Loads dropped DLL 2 IoCs

pid	Process
1272	03f0c98c5bbfc5e5711970804aabc32b.exe
2068	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSVCRTDjs3.dll	03f0c98c5bbfc5e5711970804aabc32b.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1272	03f0c98c5bbfc5e5711970804aabc32b.exe
1272	03f0c98c5bbfc5e5711970804aabc32b.exe
1272	03f0c98c5bbfc5e5711970804aabc32b.exe
1272	03f0c98c5bbfc5e5711970804aabc32b.exe
2068	svchost.exe
2068	svchost.exe
1272	03f0c98c5bbfc5e5711970804aabc32b.exe
1272	03f0c98c5bbfc5e5711970804aabc32b.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe
2068	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1272	03f0c98c5bbfc5e5711970804aabc32b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 4072	1272	03f0c98c5bbfc5e5711970804aabc32b.exe	93
PID 1272 wrote to memory of 4072	1272	03f0c98c5bbfc5e5711970804aabc32b.exe	93
PID 1272 wrote to memory of 4072	1272	03f0c98c5bbfc5e5711970804aabc32b.exe	93

C:\Users\Admin\AppData\Local\Temp\03f0c98c5bbfc5e5711970804aabc32b.exe
"C:\Users\Admin\AppData\Local\Temp\03f0c98c5bbfc5e5711970804aabc32b.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\03F0C9~1.EXE > nul
  2⤵
  PID:4072

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
1⤵
PID:2252

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSVCRTDjs3.dll

Filesize
4.5MB

MD5
26fab7e665bfb10c22b0caad0829b4e0

SHA1
4d1475d80256d9732e33b6086801de9f72440b1a

SHA256
80fe2fe3b6bb4520c7740089a14473cdf4a00673116066a1fd0c3cc73ef861ae

SHA512
c0af644d028b876b62c86037d49699ffaceb6664fa0ed88197da708a690852d75501a2675ed0092ae766ad70512f51b8e45551eed3f95f83acd60da1e3a83c55

Download Submit
C:\Windows\SysWOW64\MSVCRTDjs3.dll

Filesize
8.8MB

MD5
a4106c3feb14dd3462c3907f379e8a8c

SHA1
881750667821b4c1eeee40f9766741f264f50b4f

SHA256
03b027f9c0a2d7d2139c1be3c23c6ae3b3a800a9abe615aa8cebf00f1551b5ed

SHA512
3322adf6f4dd93d3e98b7870e8d72b0ad92554e65185133066ae3c4812a58d0cd7562bc14eb4db990f8fbce112fc76dae3bab1ee6afe1818fa2fdecd3b8990b6

Download Submit
C:\Windows\SysWOW64\MSVCRTDjs3.dll

Filesize
8.4MB

MD5
c8e0208a8c5d254597dd42a170b72836

SHA1
380841325dafb68623238304ca3b31410ed5495d

SHA256
b88335b7d0b5287c2dfc5b41685877832315190a9168ca004368b405eaf866d0

SHA512
3e90919ffec00f76ee6c41ae3bede7c737b13413e4b6a6135e33ed9e430cfe8a48d8447b859107278b8aa5fe0fa37fe420ad77c09f2410ddcaccd4b03ad10ce7

Download Submit
\??\c:\windows\SysWOW64\msvcrtdjs3.dll

Filesize
10.0MB

MD5
94d0be17a3811de1634d94f06f5b7fa8

SHA1
8632629773a06b198fa66f7099e3c153b4b4ad5f

SHA256
9228c45448abdbbd1d7430e28c821668d58177ae1b7737b7e006f364770c0ff4

SHA512
4142738811fbf59b68aa252dca16e9da08b0b192d082b580fcdb9732da3c02063eee3aee7863bc41ce20e002f89af12557205f1e6e9946201b9130d672ca47c2

Download Submit
memory/1272-6-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2068-9-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download