fb53d9d52d8bb79d32983a428e7b7067952818cee896209c8c08c8de93de7680

General

Target

file.exe
Size

604KB
MD5

a9c03263c6dd4a1b672955a5ecadc1ff
SHA1

01e2477f49e9916866469e2117e77d55aa613b89
SHA256

fb53d9d52d8bb79d32983a428e7b7067952818cee896209c8c08c8de93de7680
SHA512

4320605e2d21e5a972fcf922c08474653f8a76965dc29704247b83453ea753844e3db7891e451c2ea8f9a6fd1405b96c8f79a0a95d821ef64791b584563257ba
SSDEEP

12288:Fq9i2SvYr3DzQpRqubbdC5QIF/QydtyvscBJeEZLI1kdKKbF7u3fkhJYAP:A9HzHE+mCzQydV6EF4aU

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
324	control.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1796 set thread context of 1320	1796	file.exe	28
PID 1320 set thread context of 1204	1320	Caspol.exe	16
PID 324 set thread context of 1204	324	control.exe	16

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1320	Caspol.exe
1320	Caspol.exe
1320	Caspol.exe
1320	Caspol.exe
324	control.exe
324	control.exe
324	control.exe
324	control.exe
324	control.exe
324	control.exe
324	control.exe
324	control.exe
324	control.exe
324	control.exe
324	control.exe
324	control.exe
324	control.exe
324	control.exe
324	control.exe
324	control.exe
324	control.exe
324	control.exe
324	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1204	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1320	Caspol.exe
1320	Caspol.exe
1320	Caspol.exe
324	control.exe
324	control.exe
324	control.exe
324	control.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	Caspol.exe
Token: SeDebugPrivilege	324	control.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 1320	1796	file.exe	28
PID 1796 wrote to memory of 1320	1796	file.exe	28
PID 1796 wrote to memory of 1320	1796	file.exe	28
PID 1796 wrote to memory of 1320	1796	file.exe	28
PID 1796 wrote to memory of 1320	1796	file.exe	28
PID 1796 wrote to memory of 1320	1796	file.exe	28
PID 1796 wrote to memory of 1320	1796	file.exe	28
PID 1204 wrote to memory of 324	1204	Explorer.EXE	31
PID 1204 wrote to memory of 324	1204	Explorer.EXE	31
PID 1204 wrote to memory of 324	1204	Explorer.EXE	31
PID 1204 wrote to memory of 324	1204	Explorer.EXE	31
PID 324 wrote to memory of 1096	324	control.exe	34
PID 324 wrote to memory of 1096	324	control.exe	34
PID 324 wrote to memory of 1096	324	control.exe	34
PID 324 wrote to memory of 1096	324	control.exe	34
PID 324 wrote to memory of 1096	324	control.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:684
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1312
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
831KB

MD5
05ace2f6d9bef6fd9bbd05ee5262a1f2

SHA1
5cce2228e0d9c6cc913cf551e0bf7c76ed74ff59

SHA256
002459f4d4758011b4d7f36935f1fe323494b847f8c173a551076a3d30475ebc

SHA512
1e717a66a72eb626727144fa7458f472ada54fd1be37072c9e740945e34ba94025737aef44e54752c50c5b79a583c6a91a0d8043bf1bf7c3e7cab8537207f9fc

Download Submit
memory/324-73-0x0000000000470000-0x00000000004FF000-memory.dmp

Filesize
572KB

Download
memory/324-72-0x00000000020C0000-0x00000000023C3000-memory.dmp

Filesize
3.0MB

Download
memory/324-71-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/324-70-0x0000000000580000-0x000000000059F000-memory.dmp

Filesize
124KB

Download
memory/324-69-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1204-65-0x000007FEF6B30000-0x000007FEF6C73000-memory.dmp

Filesize
1.3MB

Download
memory/1204-74-0x0000000004AE0000-0x0000000004BA2000-memory.dmp

Filesize
776KB

Download
memory/1204-64-0x0000000002A30000-0x0000000002B28000-memory.dmp

Filesize
992KB

Download
memory/1204-75-0x0000000004AE0000-0x0000000004BA2000-memory.dmp

Filesize
776KB

Download
memory/1204-66-0x000007FEE3D90000-0x000007FEE3D9A000-memory.dmp

Filesize
40KB

Download
memory/1320-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1320-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1320-63-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/1320-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1320-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1320-62-0x0000000000BA0000-0x0000000000EA3000-memory.dmp

Filesize
3.0MB

Download
memory/1320-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1320-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-54-0x0000000000090000-0x000000000012E000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing