Analysis
- max time kernel: 282s
- max time network: 351s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 07:52
Static task: static1
Behavioral task: behavioral1
- Sample: 561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
- Resource: win10v2004-20221111-en
General
- Target: 561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
- Size: 472KB
- MD5: 02f658a3f8402fe92a8479bd96fe882a
- SHA1: 46af34c41da90cb687b869bcefd48f772d625307
- SHA256: 561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206
- SHA512: 5089abc8b665155854b2a91f3ef9b5186a3aa834fc0064c38e2403629f3ec0ce4730c9bfee57c33c622576f26acfd48022790dec847be05e07e73f963adf3945
- SSDEEP: 12288:TeWgbNNKD4dAdM7rro6XuLpQ82pkXcnNjPyI:T2nKDuAdMPvke82pkXEN7yI
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  Processes:
  - pid: 4068
    process: 561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run
    process: 561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IusiCaqo = "regsvr32.exe \"C:\\ProgramData\\IusiCaqo\\IusiCaqo.dat\""
    process: 561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
- Modifies registry class (2 IoCs)
  Processes:
  - description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{3B4F1A92-2815-4EDB-B908-79B32A081237}
    process: 561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
  - description: Set value (data)
    ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{3B4F1A92-2815-4EDB-B908-79B32A081237}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c353631653730316130313631316535366361396536346635383164653838363431393030663938363835303066356464323334356166383536386630393230362e65786500
    (the hex data decodes to the NUL-terminated ANSI string C:\Users\Admin\AppData\Local\Temp\561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe, i.e. the sample's own path)
    process: 561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - pid: 4068
    process: 561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
  - pid: 4068
    process: 561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - description: Token: SeCreateGlobalPrivilege
    pid: 4068
    process: 561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
  - description: Token: SeDebugPrivilege
    pid: 4068
    process: 561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
  - description: PID 4068 wrote to memory of 796
    pid: 4068
    process: 561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
    target process: fontdrvhost.exe
  - description: PID 4068 wrote to memory of 796
    pid: 4068
    process: 561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
    target process: fontdrvhost.exe
Processes
- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 796
- C:\Users\Admin\AppData\Local\Temp\561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe"
  signatures:
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4068
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\IusiCaqo\IusiCaqo.dat
  Filesize: 288KB
  MD5: 19b39e418c8742ae158b721731256adf
  SHA1: dce3263c96cf93460aa3959aaa5c88e73ec71091
  SHA256: 71925978678f9878e2162a2d9ad867efee09b1cf7846f91e280d265fa1e528a4
  SHA512: b624eeef84879815808fbcf64d995bdb492d90d98568130a4243d914acc85e7ffba809b497d328b9655e0a06e319451831d0eab2a1f4f8964a90f7badcb7fc44
- memory/4068-132-0x0000000000400000-0x00000000004FE000-memory.dmp
  Filesize: 1016KB
- memory/4068-133-0x0000000000400000-0x0000000000448000-memory.dmp
  Filesize: 288KB
- memory/4068-135-0x0000000000400000-0x00000000004FE000-memory.dmp
  Filesize: 1016KB
- memory/4068-137-0x0000000010000000-0x000000001006F000-memory.dmp
  Filesize: 444KB
- memory/4068-138-0x0000000010000000-0x0000000010032000-memory.dmp
  Filesize: 200KB