481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf

Analysis

max time kernel
224s
max time network
237s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe
Size

256KB
MD5

c1827e05559f7cba4418e242226ae57b
SHA1

988fde9d7945e097960f9eda22b7f7ce2a3d7cb6
SHA256

481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf
SHA512

bbdbe99a9f01eb4b58b875426b90c321d46ffe6f72f81e5a0e8d7032fcb23493c5174de03111769197062167b7edcdd4f4016cfd932e7303606fc27c5de238a1
SSDEEP

6144:1FKZfTZnvkGTkQjSpigSV8pafJMvayZ6snaVHWhZCsoSd:CV1qpigSV8c+xni8csoSd

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1912	caiba.exe
4068	caiba.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3260-132-0x0000000000400000-0x00000000004F7000-memory.dmp	upx
behavioral2/memory/3260-135-0x0000000000400000-0x00000000004F7000-memory.dmp	upx
behavioral2/memory/3260-139-0x0000000000400000-0x00000000004F7000-memory.dmp	upx
behavioral2/files/0x000a000000022dc9-142.dat	upx
behavioral2/files/0x000a000000022dc9-143.dat	upx
behavioral2/memory/1912-146-0x0000000000400000-0x00000000004F7000-memory.dmp	upx
behavioral2/files/0x000a000000022dc9-149.dat	upx
behavioral2/memory/1912-150-0x0000000000400000-0x00000000004F7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\Currentversion\Run	caiba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	caiba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sieqi = "C:\\Users\\Admin\\AppData\\Roaming\\Osge\\caiba.exe"	caiba.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3260 set thread context of 2800	3260	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe	82
PID 1912 set thread context of 4068	1912	caiba.exe	85

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe
4068	caiba.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2800	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe
Token: SeSecurityPrivilege	2800	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3260	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe
1912	caiba.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 2800	3260	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe	82
PID 3260 wrote to memory of 2800	3260	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe	82
PID 3260 wrote to memory of 2800	3260	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe	82
PID 3260 wrote to memory of 2800	3260	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe	82
PID 3260 wrote to memory of 2800	3260	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe	82
PID 3260 wrote to memory of 2800	3260	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe	82
PID 3260 wrote to memory of 2800	3260	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe	82
PID 3260 wrote to memory of 2800	3260	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe	82
PID 2800 wrote to memory of 1912	2800	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe	83
PID 2800 wrote to memory of 1912	2800	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe	83
PID 2800 wrote to memory of 1912	2800	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe	83
PID 1912 wrote to memory of 4068	1912	caiba.exe	85
PID 1912 wrote to memory of 4068	1912	caiba.exe	85
PID 1912 wrote to memory of 4068	1912	caiba.exe	85
PID 1912 wrote to memory of 4068	1912	caiba.exe	85
PID 1912 wrote to memory of 4068	1912	caiba.exe	85
PID 1912 wrote to memory of 4068	1912	caiba.exe	85
PID 1912 wrote to memory of 4068	1912	caiba.exe	85
PID 1912 wrote to memory of 4068	1912	caiba.exe	85
PID 2800 wrote to memory of 3180	2800	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe	86
PID 2800 wrote to memory of 3180	2800	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe	86
PID 2800 wrote to memory of 3180	2800	481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe	86
PID 4068 wrote to memory of 2492	4068	caiba.exe	23
PID 4068 wrote to memory of 2492	4068	caiba.exe	23
PID 4068 wrote to memory of 2492	4068	caiba.exe	23
PID 4068 wrote to memory of 2492	4068	caiba.exe	23
PID 4068 wrote to memory of 2492	4068	caiba.exe	23
PID 4068 wrote to memory of 2516	4068	caiba.exe	60
PID 4068 wrote to memory of 2516	4068	caiba.exe	60
PID 4068 wrote to memory of 2516	4068	caiba.exe	60
PID 4068 wrote to memory of 2516	4068	caiba.exe	60
PID 4068 wrote to memory of 2516	4068	caiba.exe	60
PID 4068 wrote to memory of 2664	4068	caiba.exe	54
PID 4068 wrote to memory of 2664	4068	caiba.exe	54
PID 4068 wrote to memory of 2664	4068	caiba.exe	54
PID 4068 wrote to memory of 2664	4068	caiba.exe	54
PID 4068 wrote to memory of 2664	4068	caiba.exe	54
PID 4068 wrote to memory of 2808	4068	caiba.exe	52
PID 4068 wrote to memory of 2808	4068	caiba.exe	52
PID 4068 wrote to memory of 2808	4068	caiba.exe	52
PID 4068 wrote to memory of 2808	4068	caiba.exe	52
PID 4068 wrote to memory of 2808	4068	caiba.exe	52
PID 4068 wrote to memory of 3084	4068	caiba.exe	51
PID 4068 wrote to memory of 3084	4068	caiba.exe	51
PID 4068 wrote to memory of 3084	4068	caiba.exe	51
PID 4068 wrote to memory of 3084	4068	caiba.exe	51
PID 4068 wrote to memory of 3084	4068	caiba.exe	51
PID 4068 wrote to memory of 3272	4068	caiba.exe	50
PID 4068 wrote to memory of 3272	4068	caiba.exe	50
PID 4068 wrote to memory of 3272	4068	caiba.exe	50
PID 4068 wrote to memory of 3272	4068	caiba.exe	50
PID 4068 wrote to memory of 3272	4068	caiba.exe	50
PID 4068 wrote to memory of 3380	4068	caiba.exe	49
PID 4068 wrote to memory of 3380	4068	caiba.exe	49
PID 4068 wrote to memory of 3380	4068	caiba.exe	49
PID 4068 wrote to memory of 3380	4068	caiba.exe	49
PID 4068 wrote to memory of 3380	4068	caiba.exe	49
PID 4068 wrote to memory of 3444	4068	caiba.exe	27
PID 4068 wrote to memory of 3444	4068	caiba.exe	27
PID 4068 wrote to memory of 3444	4068	caiba.exe	27
PID 4068 wrote to memory of 3444	4068	caiba.exe	27
PID 4068 wrote to memory of 3444	4068	caiba.exe	27
PID 4068 wrote to memory of 3528	4068	caiba.exe	48
PID 4068 wrote to memory of 3528	4068	caiba.exe	48

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2492

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3444

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:4960

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3736

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3084

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2808
- C:\Users\Admin\AppData\Local\Temp\481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe
  "C:\Users\Admin\AppData\Local\Temp\481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Users\Admin\AppData\Local\Temp\481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe
    "C:\Users\Admin\AppData\Local\Temp\481dbe8692a1bc0356c5f4fb000f53df43595aa3b0d7a1ccfe69c1f5b5495ecf.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Users\Admin\AppData\Roaming\Osge\caiba.exe
      "C:\Users\Admin\AppData\Roaming\Osge\caiba.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Users\Admin\AppData\Roaming\Osge\caiba.exe
        
        "C:\Users\Admin\AppData\Roaming\Osge\caiba.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4068
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd91c85c6.bat"
      4⤵
      PID:3180

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2516

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3096

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4244

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4112

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpd91c85c6.bat

Filesize
307B

MD5
4b60cae089f43a6277a779eb436a5250

SHA1
ab61795f889f3f57e0b55b3ec6dc15e3c4410377

SHA256
f0aeaa7142c1512838f3ade775b7bdcfb0edceeb83e99e5beeb04036ea33252e

SHA512
be77acc8b5e3a5ecda0e8dbef81c8b7eb1303620c7f265b5b704e5b43122d40ac2a993efa79991916f9a03bf78d123b626edd33488a1c9f8109cd28e8a9d458b

Download Submit
C:\Users\Admin\AppData\Roaming\Osge\caiba.exe

Filesize
256KB

MD5
ca4de3ec8035a7d4bb195c6b0896931b

SHA1
8f4a08d7aeb457140052095082ecd714a9f9821e

SHA256
6dbd70937dd7604f3ed653d99a93021f010a8c068fcd44d15f0e56b061b88ab4

SHA512
465e5e123d86fd6d2124dca129e66f856d017c02e6c96133ff4a6162c90e27c061955f72baf648a681d43274564e4505a8b32135b4bfc63f0afaef6bf77487f1

Download Submit
C:\Users\Admin\AppData\Roaming\Osge\caiba.exe

Filesize
256KB

MD5
ca4de3ec8035a7d4bb195c6b0896931b

SHA1
8f4a08d7aeb457140052095082ecd714a9f9821e

SHA256
6dbd70937dd7604f3ed653d99a93021f010a8c068fcd44d15f0e56b061b88ab4

SHA512
465e5e123d86fd6d2124dca129e66f856d017c02e6c96133ff4a6162c90e27c061955f72baf648a681d43274564e4505a8b32135b4bfc63f0afaef6bf77487f1

Download Submit
C:\Users\Admin\AppData\Roaming\Osge\caiba.exe

Filesize
256KB

MD5
ca4de3ec8035a7d4bb195c6b0896931b

SHA1
8f4a08d7aeb457140052095082ecd714a9f9821e

SHA256
6dbd70937dd7604f3ed653d99a93021f010a8c068fcd44d15f0e56b061b88ab4

SHA512
465e5e123d86fd6d2124dca129e66f856d017c02e6c96133ff4a6162c90e27c061955f72baf648a681d43274564e4505a8b32135b4bfc63f0afaef6bf77487f1

Download Submit
memory/1912-150-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/1912-146-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2800-137-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2800-140-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2800-153-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2800-155-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3260-139-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/3260-132-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/3260-135-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/4068-154-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download