03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255

Analysis

max time kernel
22s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255.dll
Size

400KB
MD5

4c4560da5b64cecdbbc7c1b7734e3000
SHA1

66c5ac4a5e9a6907b934bbf30d6e99c2a36d3e42
SHA256

03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255
SHA512

1abb2fd04c52ea925bccdcf38bfe439bf10e62c31fa7415d27288f88752e3c69433558891770bb2589f434fa7764e3c8c2f79845555f298d584fb4822dbbee04
SSDEEP

12288:2uiW+x87s5lXl2yU36PUVFp7Ws8WGYUAsw:biW3gNLU2Uss8

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1124	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QezcoDicgo = "regsvr32.exe \"C:\\ProgramData\\QezcoDicgo\\ZisnAlitt.upt\""	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1124	regsvr32.exe
1124	regsvr32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1124	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	1124	regsvr32.exe
Token: SeDebugPrivilege	1124	regsvr32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 4192	2200	rundll32.exe	81
PID 2200 wrote to memory of 4192	2200	rundll32.exe	81
PID 2200 wrote to memory of 4192	2200	rundll32.exe	81
PID 4192 wrote to memory of 1124	4192	rundll32.exe	82
PID 4192 wrote to memory of 1124	4192	rundll32.exe	82
PID 4192 wrote to memory of 1124	4192	rundll32.exe	82
PID 1124 wrote to memory of 784	1124	regsvr32.exe	9
PID 1124 wrote to memory of 784	1124	regsvr32.exe	9

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe "C:\Users\Admin\AppData\Local\Temp\\~0E56E8AF.tmp"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~0E56E8AF.tmp

Filesize
281KB

MD5
5fc0a35bb3de5e0a86ca37f6770cd002

SHA1
0b2e889a1df3c5264c129c8a062321dcfa34fcce

SHA256
6125bb16e35306ea1ed2160c8bfcb3edb2d90e50946b3993052b5aa1694ad467

SHA512
21c8bd24fc43e8fe95de75dca3529b51e053bd53149a67a294bf74c767a6b07c66fd6d1e31dbffe3a66e05a6d8c92970002445c82c3cef24cc5926170732f78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E56E8AF.tmp

Filesize
281KB

MD5
5fc0a35bb3de5e0a86ca37f6770cd002

SHA1
0b2e889a1df3c5264c129c8a062321dcfa34fcce

SHA256
6125bb16e35306ea1ed2160c8bfcb3edb2d90e50946b3993052b5aa1694ad467

SHA512
21c8bd24fc43e8fe95de75dca3529b51e053bd53149a67a294bf74c767a6b07c66fd6d1e31dbffe3a66e05a6d8c92970002445c82c3cef24cc5926170732f78f

Download Submit
memory/1124-141-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download
memory/4192-133-0x0000000010000000-0x00000000100AA000-memory.dmp

Filesize
680KB

Download
memory/4192-137-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download