676776431fd9c95d10ffc1744598eb2ca0c63f372b9b5d005d704ed7c0880914

Analysis

max time kernel
151s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caidao.exe
Size

684KB
MD5

7cd5b85045f9da3f0211c1b5f4e88bc6
SHA1

ea6c08ae2b56b70d04a2083ab974b834fff00a06
SHA256

fe596c9a614fa48a6c740f595a245878a1c0710c4205272c02e4325283f57481
SHA512

2aa8cda8c37d074ed53c8e0ce06f0230efdea295b9a42f7a33de7feb6be4843accbdef9ac737780fb32cb840b576ffe16729c45be2746951f69c45fb6a2b75f2
SSDEEP

12288:SOQHGMEAAb7O718w6wKk4gKN3BAdMdLmpoMunR:SOQHGvAG7OOw6wFdMdI8nR

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral11/memory/1356-56-0x0000000000220000-0x0000000000253000-memory.dmp	vmprotect
behavioral11/memory/1356-59-0x0000000000220000-0x0000000000253000-memory.dmp	vmprotect
behavioral11/memory/1356-60-0x0000000000220000-0x0000000000253000-memory.dmp	vmprotect

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

caidao.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TypedURLs	caidao.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

caidao.exe

pid process

1356 caidao.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

caidao.exe

pid	process
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

caidao.exe

pid	process
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe
1356	caidao.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

caidao.exe

pid process

1356 caidao.exe
1356 caidao.exe
1356 caidao.exe
1356 caidao.exe
1356 caidao.exe
1356 caidao.exe

C:\Users\Admin\AppData\Local\Temp\caidao.exe
"C:\Users\Admin\AppData\Local\Temp\caidao.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1356-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1356-56-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1356-55-0x0000000000221000-0x0000000000225000-memory.dmp

Filesize
16KB

Download
memory/1356-59-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1356-60-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download