c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475

Analysis

max time kernel
20s
max time network
22s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe
Size

538KB
MD5

8bf1a7c0b986753dc55ac591fd87502e
SHA1

74cf75aedaf4d8318639a554cb0f49b3e90eb585
SHA256

c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475
SHA512

8aab9a9cf7cdb7981e8d9be1ee10b079f4e1637d91adef41f6a28a357ba268ce1f751fd0e1ca3b3c87e61a8ca9f5d660321513e90b0d520b70fec2d6b0e15ff9
SSDEEP

6144:+nk0yCBGRVvMBRDojcGncLgeVT92ZcsAxSHsaiHDbAB3i:sBy4GROoAL5VT9ycs1OG3

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe

pid process

5044 c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QuxeJravn = "regsvr32.exe \"C:\\ProgramData\\QuxeJravn\\QuxeJravn.dat\""	c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe

Modifies registry class 2 IoCs

Processes:

c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{534C204D-5121-4B0B-BC49-5F1418DA23F6}	c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{534C204D-5121-4B0B-BC49-5F1418DA23F6}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c633734333534316433663362343764613762393531303439303462613336343266646465343732383733666464666435396136376365346665303063393437352e65786500	c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe

pid	process
5044	c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe
5044	c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe

description	pid	process
Token: SeCreateGlobalPrivilege	5044	c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe
Token: SeDebugPrivilege	5044	c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe

description	pid	process	target process
PID 5044 wrote to memory of 776	5044	c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe	fontdrvhost.exe
PID 5044 wrote to memory of 776	5044	c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe	fontdrvhost.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Users\Admin\AppData\Local\Temp\c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe
"C:\Users\Admin\AppData\Local\Temp\c743541d3f3b47da7b95104904ba3642fdde472873fddfd59a67ce4fe00c9475.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\QuxeJravn\QuxeJravn.dat
Filesize
264KB

MD5
687985564e3083815d0f80e652f8d045

SHA1
9e292e5ff1b6454ae048b2e0690412fb1d216ab6

SHA256
dda3060ddafaa8c1778d3b92a92c7fc6e39b373590b0693885a6d16709d13beb

SHA512
cdb3a9083097b4989fdce468e2ba672b1727d9e36a2db1005e6c712331918600cfa17e44d514bf16d98493cfd82714187575f09aab1b5f185d6654f0460c3153

Download Submit
memory/5044-132-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/5044-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5044-136-0x00000000745B0000-0x00000000745E3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads