d22f7d73778ef7a9421c94e25ee930f834f00f1f312c118b7c336ea5b6a215b1

Analysis

max time kernel
134s
max time network
186s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CF߱Ѫٷµͼ͸_se.exe
Size

2.0MB
MD5

1a163ebbf2a240dd8d14e428ccb8583e
SHA1

5a7166d8d93c5d30fa5cc07a4934716dedacd376
SHA256

09b1d389f22f1f4ad96eef137a8dca0d337bc906732ae0e3877fdcea17b4ea25
SHA512

b1553f637da1187411f9e27fc46f98b3ae6866846b655e9d80ace6a8a661183fdb82e1568805ef6c08ec7ac34c8f635e9ff7706f55985d4bbad5b47b7575871e
SSDEEP

49152:6V/Rwt6wwRI2RxKmITTnsStgCX/TeUqXCQxRWo48E:6NRwt6wUy/nsStg2/ytWo48E

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ctbow.exe

pid process

1496 ctbow.exe
Loads dropped DLL 2 IoCs

Processes:

CF߱Ѫٷµͼ͸_se.exe

pid process

832 CF߱Ѫٷµͼ͸_se.exe
832 CF߱Ѫٷµͼ͸_se.exe

pid	process
1496	ctbow.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CF߱Ѫٷµͼ͸_se.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÎÒµÄÆô¶¯Ïî = "C:\\Windows\\system32\\/ctbow.exe"	CF߱Ѫٷµͼ͸_se.exe

Drops file in System32 directory 1 IoCs

Processes:

CF߱Ѫٷµͼ͸_se.exe

description ioc process

File created C:\Windows\SysWOW64\ctbow.exe CF߱Ѫٷµͼ͸_se.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ctbow.exe	CF߱Ѫٷµͼ͸_se.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

CF߱Ѫٷµͼ͸_se.exe

pid	process
832	CF߱Ѫٷµͼ͸_se.exe
832	CF߱Ѫٷµͼ͸_se.exe
832	CF߱Ѫٷµͼ͸_se.exe
832	CF߱Ѫٷµͼ͸_se.exe
832	CF߱Ѫٷµͼ͸_se.exe
832	CF߱Ѫٷµͼ͸_se.exe
832	CF߱Ѫٷµͼ͸_se.exe
832	CF߱Ѫٷµͼ͸_se.exe
832	CF߱Ѫٷµͼ͸_se.exe
832	CF߱Ѫٷµͼ͸_se.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

CF߱Ѫٷµͼ͸_se.exectbow.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	CF߱Ѫٷµͼ͸_se.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	ctbow.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

CF߱Ѫٷµͼ͸_se.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "www.2345.com/?keyybc"	CF߱Ѫٷµͼ͸_se.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ctbow.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ctbow.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ctbow.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

CF߱Ѫٷµͼ͸_se.exe

pid process

832 CF߱Ѫٷµͼ͸_se.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

CF߱Ѫٷµͼ͸_se.exectbow.exe

pid	process
832	CF߱Ѫٷµͼ͸_se.exe
832	CF߱Ѫٷµͼ͸_se.exe
1496	ctbow.exe
1496	ctbow.exe
1496	ctbow.exe
1496	ctbow.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

CF߱Ѫٷµͼ͸_se.exe

description	pid	process	target process
PID 832 wrote to memory of 1496	832	CF߱Ѫٷµͼ͸_se.exe	ctbow.exe
PID 832 wrote to memory of 1496	832	CF߱Ѫٷµͼ͸_se.exe	ctbow.exe
PID 832 wrote to memory of 1496	832	CF߱Ѫٷµͼ͸_se.exe	ctbow.exe
PID 832 wrote to memory of 1496	832	CF߱Ѫٷµͼ͸_se.exe	ctbow.exe

C:\Users\Admin\AppData\Local\Temp\CF߱Ѫٷµͼ͸_se.exe
"C:\Users\Admin\AppData\Local\Temp\CF߱Ѫٷµͼ͸_se.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\ctbow.exe
C:\Windows\system32\/ctbow.exe
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctbow.exe

Filesize
860KB

MD5
b2d6bacc36f7bd353333e0b420f26d40

SHA1
fc6d42b77e8d897fc5c871d89aa7a646c43a7394

SHA256
6f5451d9d64e6b0c45a17ef0f418f2d43995e2ca384786fb7ccabd49210544bc

SHA512
bb840dd25e808a434fa5934d33c64fd94ae1946412e97f72d9c6e06e3cf85d2783d9ded3cb75e38ea42671b178a45fde1124acddce286508aba6e9e0e58746a1

Download Submit
C:\Windows\SysWOW64\ctbow.exe

Filesize
860KB

MD5
b2d6bacc36f7bd353333e0b420f26d40

SHA1
fc6d42b77e8d897fc5c871d89aa7a646c43a7394

SHA256
6f5451d9d64e6b0c45a17ef0f418f2d43995e2ca384786fb7ccabd49210544bc

SHA512
bb840dd25e808a434fa5934d33c64fd94ae1946412e97f72d9c6e06e3cf85d2783d9ded3cb75e38ea42671b178a45fde1124acddce286508aba6e9e0e58746a1

Download Submit
\Windows\SysWOW64\ctbow.exe

Filesize
860KB

MD5
b2d6bacc36f7bd353333e0b420f26d40

SHA1
fc6d42b77e8d897fc5c871d89aa7a646c43a7394

SHA256
6f5451d9d64e6b0c45a17ef0f418f2d43995e2ca384786fb7ccabd49210544bc

SHA512
bb840dd25e808a434fa5934d33c64fd94ae1946412e97f72d9c6e06e3cf85d2783d9ded3cb75e38ea42671b178a45fde1124acddce286508aba6e9e0e58746a1

Download Submit
\Windows\SysWOW64\ctbow.exe

Filesize
860KB

MD5
b2d6bacc36f7bd353333e0b420f26d40

SHA1
fc6d42b77e8d897fc5c871d89aa7a646c43a7394

SHA256
6f5451d9d64e6b0c45a17ef0f418f2d43995e2ca384786fb7ccabd49210544bc

SHA512
bb840dd25e808a434fa5934d33c64fd94ae1946412e97f72d9c6e06e3cf85d2783d9ded3cb75e38ea42671b178a45fde1124acddce286508aba6e9e0e58746a1

Download Submit
memory/832-54-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/832-56-0x00000000765D0000-0x0000000076617000-memory.dmp

Filesize
284KB

Download
memory/832-264-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/832-468-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-467-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-466-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-465-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-464-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-473-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-474-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-472-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-471-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-470-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-469-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-477-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-476-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-480-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-481-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-479-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-478-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-475-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-486-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-485-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-484-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-483-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-482-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-489-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-490-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-488-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-487-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-494-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-495-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-493-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-492-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-491-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-497-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-499-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-500-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-498-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-496-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-504-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-505-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-503-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-502-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-501-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-509-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-508-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-507-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-506-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-512-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-514-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-516-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-515-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-513-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-511-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-510-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-517-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-525-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-524-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-523-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-522-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-521-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-520-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-519-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-518-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-1333-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/832-1334-0x00000000024A0000-0x0000000002621000-memory.dmp

Filesize
1.5MB

Download
memory/832-1670-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/832-4541-0x00000000022B0000-0x00000000023C1000-memory.dmp

Filesize
1.1MB

Download
memory/832-4544-0x0000000002630000-0x00000000026D1000-memory.dmp

Filesize
644KB

Download
memory/832-4543-0x0000000002120000-0x0000000002221000-memory.dmp

Filesize
1.0MB

Download
memory/832-4542-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/832-4550-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/832-4551-0x0000000000400000-0x0000000000737000-memory.dmp

Filesize
3.2MB

Download
memory/1496-4547-0x0000000000000000-mapping.dmp

Download