73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7

General

Target

73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7.exe
Size

255KB
MD5

bfd148a3b0d7c27c34c0268ea8b3bea2
SHA1

600d36d821981934a405a29152d93d0a9b1feb4d
SHA256

73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7
SHA512

367f9fa97307728333102c9a296534192bb9c5e32c0cb765de5d214808a858d5e517b654d20e569dbc431983d989b3512cc04a8f8663cfa48d6d667bbb76192c
SSDEEP

6144:7UnITMpSph0lMqqgWoDhujqcQQbxJhVGvkVbOcH4CIMw:7CQMY07qgWo6VVGvkVLAt

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Carefree\\plugin.dat"	regsvr32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat	upx
C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat	upx
C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat	upx
C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat	upx
behavioral2/memory/1576-140-0x00007FFD0A040000-0x00007FFD0A0AD000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7.exe

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exe

pid process

2316 regsvr32.exe
3068 regsvr32.exe
1576 explorer.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2316	regsvr32.exe
3068	regsvr32.exe
1576	explorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe

Modifies registry class 49 IoCs

Processes:

regsvr32.exeexplorer.exeSearchApp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\Carefree"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Carefree\\plugin.dat"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}\TypeLib\ = "{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Carefree\\plugin.dat"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ = "ICarefreeIdentifier"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib\ = "{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2971393436-602173351-1645505021-1000\{CD361417-5596-4174-AE34-D3B29EA33326}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}\ = "DDIAF10 Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ = "ICarefreeIdentifier"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}\Version\ = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}\1.0\ = "CarefreePluginLib"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib\ = "{3692066A-7A10-4CB5-AFF3-9DDE336E97AB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45615F2E-872A-4F2D-9A08-475EC8605620}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1234066A-7A10-4CB5-AFF3-AF10EA08E0DE}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7.exeexplorer.exe

pid	process
4356	73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7.exe
4356	73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7.exe
4356	73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7.exe
4356	73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	1576	explorer.exe
Token: SeCreatePagefilePrivilege	1576	explorer.exe
Token: SeShutdownPrivilege	1576	explorer.exe
Token: SeCreatePagefilePrivilege	1576	explorer.exe
Token: SeShutdownPrivilege	1576	explorer.exe
Token: SeCreatePagefilePrivilege	1576	explorer.exe
Token: SeShutdownPrivilege	1576	explorer.exe
Token: SeCreatePagefilePrivilege	1576	explorer.exe
Token: SeShutdownPrivilege	1576	explorer.exe
Token: SeCreatePagefilePrivilege	1576	explorer.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

explorer.exe

pid process

1576 explorer.exe
1576 explorer.exe
1576 explorer.exe
1576 explorer.exe
1576 explorer.exe
1576 explorer.exe
1576 explorer.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

explorer.exe

pid	process
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe
1576	explorer.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7.exeregsvr32.exe

description	pid	process	target process
PID 4356 wrote to memory of 2316	4356	73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7.exe	regsvr32.exe
PID 4356 wrote to memory of 2316	4356	73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7.exe	regsvr32.exe
PID 4356 wrote to memory of 2316	4356	73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7.exe	regsvr32.exe
PID 2316 wrote to memory of 3068	2316	regsvr32.exe	regsvr32.exe
PID 2316 wrote to memory of 3068	2316	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7.exe
"C:\Users\Admin\AppData\Local\Temp\73b6e9ef24b30ad12677ec0138c6afd62b469142fc41bf3bb68760af804b3ab7.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:3068

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1576

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
PID:4712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat
Filesize
95KB

MD5
7e8e213eea8a40217ad7f208497e85e5

SHA1
3ddba9be99475c3157643a18b2b75e711aa302c8

SHA256
2bc07b4de43cc1d0ae7f563d77792dd0f1a955cb3f88a55433755ebc12b01e90

SHA512
5abf9bfd5d32f905ad4f540249ae11177993a2f03a36a32e9f2b4ffa2c03979925038fde7bd0442659825e176588561ad8214280d2e41d14662f43c4e16feb68

Download Submit
C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat
Filesize
95KB

MD5
7e8e213eea8a40217ad7f208497e85e5

SHA1
3ddba9be99475c3157643a18b2b75e711aa302c8

SHA256
2bc07b4de43cc1d0ae7f563d77792dd0f1a955cb3f88a55433755ebc12b01e90

SHA512
5abf9bfd5d32f905ad4f540249ae11177993a2f03a36a32e9f2b4ffa2c03979925038fde7bd0442659825e176588561ad8214280d2e41d14662f43c4e16feb68

Download Submit
C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat
Filesize
95KB

MD5
7e8e213eea8a40217ad7f208497e85e5

SHA1
3ddba9be99475c3157643a18b2b75e711aa302c8

SHA256
2bc07b4de43cc1d0ae7f563d77792dd0f1a955cb3f88a55433755ebc12b01e90

SHA512
5abf9bfd5d32f905ad4f540249ae11177993a2f03a36a32e9f2b4ffa2c03979925038fde7bd0442659825e176588561ad8214280d2e41d14662f43c4e16feb68

Download Submit
C:\Users\Admin\AppData\Roaming\Carefree\plugin.dat
Filesize
95KB

MD5
7e8e213eea8a40217ad7f208497e85e5

SHA1
3ddba9be99475c3157643a18b2b75e711aa302c8

SHA256
2bc07b4de43cc1d0ae7f563d77792dd0f1a955cb3f88a55433755ebc12b01e90

SHA512
5abf9bfd5d32f905ad4f540249ae11177993a2f03a36a32e9f2b4ffa2c03979925038fde7bd0442659825e176588561ad8214280d2e41d14662f43c4e16feb68

Download Submit
C:\Users\Admin\AppData\Roaming\SogouPinyin.local
Filesize
89B

MD5
3de1bc39f2243e62302fbe487f76b010

SHA1
631cbfcd260645c5272252e1da2e0f2cac48b2db

SHA256
ebfe3dfc1da2cbb448c5e9086cceedcf92be0ab3d1ade0044ec6e88b981deda6

SHA512
90f8f36c1a2637652e70bbc13a5a2ff32fd75b6c28fa6b24dd359211c2db57b44a67ab566cd27765615326629359fb3e39786c9ed5ab5e6c6945097cd6eb1ab0

Download Submit
memory/1576-140-0x00007FFD0A040000-0x00007FFD0A0AD000-memory.dmp

Filesize
436KB

Download
memory/2316-132-0x0000000000000000-mapping.dmp

Download
memory/2316-135-0x00000000028E0000-0x000000000294D000-memory.dmp

Filesize
436KB

Download
memory/3068-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads