091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 23:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe
Size

306KB
MD5

dd5ab841169a83dcec8721d49a459cfc
SHA1

2360ae888d3fbdb9ec4e3b655c9954c223d16e1a
SHA256

091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc
SHA512

ce8dbf8b8fc5d5e95a5ba2cea3d43ab76cfab5fce660f819e48d6a88bd95cb484543ca7ef6edd396e088db27796fe6ebaac57c6a02a3ca0ce795b911f1110942
SSDEEP

6144:2PpU5axokHu/7pII+zgYqeVM6cb+b02/GiGbf413PS+NqXAaImv:UpU6okHuNItzbO1b00xiXc5XAaJ

Score

8^/10

upx

Malware Config

Signatures

Blocklisted process makes network request 18 IoCs

flow	pid	Process
8	1864	rundll32.exe
10	1864	rundll32.exe
12	1864	rundll32.exe
14	1864	rundll32.exe
16	1864	rundll32.exe
18	1864	rundll32.exe
20	1864	rundll32.exe
21	1864	rundll32.exe
23	1864	rundll32.exe
25	1864	rundll32.exe
27	1864	rundll32.exe
30	1864	rundll32.exe
32	1864	rundll32.exe
33	1864	rundll32.exe
35	1864	rundll32.exe
36	1864	rundll32.exe
37	1864	rundll32.exe
38	1864	rundll32.exe

Executes dropped EXE 3 IoCs

pid	Process
892	file.exe
1740	091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe
1724	caycwq.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1740-78-0x0000000010000000-0x0000000010031000-memory.dmp	upx
behavioral1/memory/1740-81-0x0000000010000000-0x0000000010031000-memory.dmp	upx
behavioral1/memory/1740-80-0x0000000010000000-0x0000000010031000-memory.dmp	upx
behavioral1/memory/1724-90-0x0000000010000000-0x0000000010031000-memory.dmp	upx
behavioral1/memory/1724-91-0x0000000010000000-0x0000000010031000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1108	cmd.exe

Loads dropped DLL 8 IoCs

pid	Process
1324	091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe
1324	091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1108	cmd.exe
1108	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\caycwq.exe	091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe
File opened for modification	C:\Windows\caycwq.exe	091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications	caycwq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\myserver	caycwq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\myserver\Settings	caycwq.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1724	caycwq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1740	091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1740	091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe
1740	091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe
1724	caycwq.exe
1724	caycwq.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1108	1324	091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe	27
PID 1324 wrote to memory of 1108	1324	091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe	27
PID 1324 wrote to memory of 1108	1324	091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe	27
PID 1324 wrote to memory of 1108	1324	091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe	27
PID 1324 wrote to memory of 892	1324	091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe	29
PID 1324 wrote to memory of 892	1324	091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe	29
PID 1324 wrote to memory of 892	1324	091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe	29
PID 1324 wrote to memory of 892	1324	091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe	29
PID 892 wrote to memory of 1864	892	file.exe	30
PID 892 wrote to memory of 1864	892	file.exe	30
PID 892 wrote to memory of 1864	892	file.exe	30
PID 892 wrote to memory of 1864	892	file.exe	30
PID 892 wrote to memory of 1864	892	file.exe	30
PID 892 wrote to memory of 1864	892	file.exe	30
PID 892 wrote to memory of 1864	892	file.exe	30
PID 892 wrote to memory of 1112	892	file.exe	31
PID 892 wrote to memory of 1112	892	file.exe	31
PID 892 wrote to memory of 1112	892	file.exe	31
PID 892 wrote to memory of 1112	892	file.exe	31
PID 1108 wrote to memory of 1740	1108	cmd.exe	33
PID 1108 wrote to memory of 1740	1108	cmd.exe	33
PID 1108 wrote to memory of 1740	1108	cmd.exe	33
PID 1108 wrote to memory of 1740	1108	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe
"C:\Users\Admin\AppData\Local\Temp\091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_ms0234.bat" "C:\Users\Admin\AppData\Local\Temp\091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe""
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe
    "C:\Users\Admin\AppData\Local\Temp\091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1740
- C:\Users\Admin\AppData\Local\Temp\file.exe
  C:\Users\Admin\AppData\Local\Temp\file.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\51FB.dll",ADB_Release
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Modifies system certificate store
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7BF7.bat" "
    3⤵
    PID:1112

C:\Windows\caycwq.exe
C:\Windows\caycwq.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe

Filesize
104KB

MD5
303c7febc26cd4cfd8d9bd7cd17e124a

SHA1
4c55801b0ad6a96aa90125f6cf76e915df958dd8

SHA256
ce5025fa4a19fb2c1f1b9c37bcb8115e9e78c98240ade89f1cad5c0738f9dd59

SHA512
b6244722b314c9f18115a38f30be1226dc2ac01d77d326e71997eb0345110bf03a44193453c84d2332ce697575f6862562345d89697006419aeeffd187f809c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe

Filesize
104KB

MD5
303c7febc26cd4cfd8d9bd7cd17e124a

SHA1
4c55801b0ad6a96aa90125f6cf76e915df958dd8

SHA256
ce5025fa4a19fb2c1f1b9c37bcb8115e9e78c98240ade89f1cad5c0738f9dd59

SHA512
b6244722b314c9f18115a38f30be1226dc2ac01d77d326e71997eb0345110bf03a44193453c84d2332ce697575f6862562345d89697006419aeeffd187f809c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\51FB.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BF7.bat

Filesize
139B

MD5
7e2eb4dfbe1aa05ce7130b4fcd99ddf6

SHA1
22c922799c8bbc49acf910ad64ab88f74afb3848

SHA256
ef0c582df9774c062edce1615624d4d989a267d6847623f48d264f0b2a9e2426

SHA512
f9a543ea23b0fb54beddb9ea315c993fedcaa141638088e21abf5aa56b42fe633457424fc8ed123edcccb9fa91a07bcf0cbcb4aacd4e126a281ca547840d331f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ms0234.bat

Filesize
220B

MD5
7d0e9b467cc07c21ccadd48b540875e3

SHA1
51b1d1f4cb374fa85c21d3b7e157543d6b2afdd9

SHA256
8e14114adf13523ee772920bdd04698266208acb370a5b8e817b0213c69add01

SHA512
df08da338aac0327879bc100b61f3747de76079cace6dbca11325bb873bc7ec94dff6dd9f834d9759dbcff959f4900ff70ae143f793b806829d66c2345a215a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe.org

Filesize
104KB

MD5
303c7febc26cd4cfd8d9bd7cd17e124a

SHA1
4c55801b0ad6a96aa90125f6cf76e915df958dd8

SHA256
ce5025fa4a19fb2c1f1b9c37bcb8115e9e78c98240ade89f1cad5c0738f9dd59

SHA512
b6244722b314c9f18115a38f30be1226dc2ac01d77d326e71997eb0345110bf03a44193453c84d2332ce697575f6862562345d89697006419aeeffd187f809c0

Download Submit
C:\Windows\caycwq.exe

Filesize
104KB

MD5
303c7febc26cd4cfd8d9bd7cd17e124a

SHA1
4c55801b0ad6a96aa90125f6cf76e915df958dd8

SHA256
ce5025fa4a19fb2c1f1b9c37bcb8115e9e78c98240ade89f1cad5c0738f9dd59

SHA512
b6244722b314c9f18115a38f30be1226dc2ac01d77d326e71997eb0345110bf03a44193453c84d2332ce697575f6862562345d89697006419aeeffd187f809c0

Download Submit
C:\Windows\caycwq.exe

Filesize
104KB

MD5
303c7febc26cd4cfd8d9bd7cd17e124a

SHA1
4c55801b0ad6a96aa90125f6cf76e915df958dd8

SHA256
ce5025fa4a19fb2c1f1b9c37bcb8115e9e78c98240ade89f1cad5c0738f9dd59

SHA512
b6244722b314c9f18115a38f30be1226dc2ac01d77d326e71997eb0345110bf03a44193453c84d2332ce697575f6862562345d89697006419aeeffd187f809c0

Download Submit
\Users\Admin\AppData\Local\Temp\091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe

Filesize
104KB

MD5
303c7febc26cd4cfd8d9bd7cd17e124a

SHA1
4c55801b0ad6a96aa90125f6cf76e915df958dd8

SHA256
ce5025fa4a19fb2c1f1b9c37bcb8115e9e78c98240ade89f1cad5c0738f9dd59

SHA512
b6244722b314c9f18115a38f30be1226dc2ac01d77d326e71997eb0345110bf03a44193453c84d2332ce697575f6862562345d89697006419aeeffd187f809c0

Download Submit
\Users\Admin\AppData\Local\Temp\091ff4e606326d533595650b725d004b092fe5e0d545bad9a9ce319e567e95bc.exe

Filesize
104KB

MD5
303c7febc26cd4cfd8d9bd7cd17e124a

SHA1
4c55801b0ad6a96aa90125f6cf76e915df958dd8

SHA256
ce5025fa4a19fb2c1f1b9c37bcb8115e9e78c98240ade89f1cad5c0738f9dd59

SHA512
b6244722b314c9f18115a38f30be1226dc2ac01d77d326e71997eb0345110bf03a44193453c84d2332ce697575f6862562345d89697006419aeeffd187f809c0

Download Submit
\Users\Admin\AppData\Local\Temp\51FB.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
\Users\Admin\AppData\Local\Temp\51FB.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
\Users\Admin\AppData\Local\Temp\51FB.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
\Users\Admin\AppData\Local\Temp\51FB.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
memory/1324-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1724-90-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/1724-91-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/1740-78-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/1740-80-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/1740-81-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download