3ef3ddd77689ee2cac851f35a4db6f61bb8d1d5a869fb89a891f7b47ddd5dfea

Analysis

max time kernel
155s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 18:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dfca4b4c03eef84f140a555049f253b5.dll
Size

230KB
MD5

dfca4b4c03eef84f140a555049f253b5
SHA1

635b6afd000829ab80ab82e9f4f77abf4d023f16
SHA256

3ef3ddd77689ee2cac851f35a4db6f61bb8d1d5a869fb89a891f7b47ddd5dfea
SHA512

bf92ffd256c48f4e9d23d250152be0ba469f8d956d9cdac47a2c5bb1ac8b787f17f2bf27c245f18a208df8dfcd60d3ec91be3eb7c41f5886094c2578ee51aa09
SSDEEP

6144:5PISNDkrK1IK3hEnkDUxc2CIoc5DsB45z:5PISNA8R/gxcBc5DsB45z

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\dfca4b4c03eef84f140a555049f253b5\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dfca4b4c03eef84f140a555049f253b5.dll"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeBackupPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2496	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 812	2080	regsvr32.exe	27
PID 2080 wrote to memory of 812	2080	regsvr32.exe	27
PID 2080 wrote to memory of 812	2080	regsvr32.exe	27
PID 2080 wrote to memory of 812	2080	regsvr32.exe	27
PID 2080 wrote to memory of 812	2080	regsvr32.exe	27
PID 2080 wrote to memory of 812	2080	regsvr32.exe	27
PID 2080 wrote to memory of 812	2080	regsvr32.exe	27

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dfca4b4c03eef84f140a555049f253b5.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\dfca4b4c03eef84f140a555049f253b5.dll
  2⤵
  - Sets DLL path for service in the registry
  PID:812

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k dfca4b4c03eef84f140a555049f253b5
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads