561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206

Analysis

max time kernel
282s
max time network
351s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
Size

472KB
MD5

02f658a3f8402fe92a8479bd96fe882a
SHA1

46af34c41da90cb687b869bcefd48f772d625307
SHA256

561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206
SHA512

5089abc8b665155854b2a91f3ef9b5186a3aa834fc0064c38e2403629f3ec0ce4730c9bfee57c33c622576f26acfd48022790dec847be05e07e73f963adf3945
SSDEEP

12288:TeWgbNNKD4dAdM7rro6XuLpQ82pkXcnNjPyI:T2nKDuAdMPvke82pkXEN7yI

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe

pid process

4068 561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IusiCaqo = "regsvr32.exe \"C:\\ProgramData\\IusiCaqo\\IusiCaqo.dat\""	561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe

Modifies registry class 2 IoCs

Processes:

561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{3B4F1A92-2815-4EDB-B908-79B32A081237}	561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{3B4F1A92-2815-4EDB-B908-79B32A081237}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c353631653730316130313631316535366361396536346635383164653838363431393030663938363835303066356464323334356166383536386630393230362e65786500	561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe

pid	process
4068	561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
4068	561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe

description	pid	process
Token: SeCreateGlobalPrivilege	4068	561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
Token: SeDebugPrivilege	4068	561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe

description	pid	process	target process
PID 4068 wrote to memory of 796	4068	561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe	fontdrvhost.exe
PID 4068 wrote to memory of 796	4068	561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe	fontdrvhost.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe
"C:\Users\Admin\AppData\Local\Temp\561e701a01611e56ca9e64f581de88641900f9868500f5dd2345af8568f09206.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IusiCaqo\IusiCaqo.dat
Filesize
288KB

MD5
19b39e418c8742ae158b721731256adf

SHA1
dce3263c96cf93460aa3959aaa5c88e73ec71091

SHA256
71925978678f9878e2162a2d9ad867efee09b1cf7846f91e280d265fa1e528a4

SHA512
b624eeef84879815808fbcf64d995bdb492d90d98568130a4243d914acc85e7ffba809b497d328b9655e0a06e319451831d0eab2a1f4f8964a90f7badcb7fc44

Download Submit
memory/4068-132-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/4068-133-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4068-135-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/4068-137-0x0000000010000000-0x000000001006F000-memory.dmp

Filesize
444KB

Download
memory/4068-138-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download