35ee95623d1fc8166a773f25f9e8a4c26a5c9b583e897a499aaf96a03dba2fd5

General

Target

Confirmation_10Feb2023_102510.exe
Size

736KB
MD5

7cfb8021bf676f15ee5232ee793bdf7d
SHA1

4904fd2d88cfdfcfca8a0b0ef855142792cc55a5
SHA256

35ee95623d1fc8166a773f25f9e8a4c26a5c9b583e897a499aaf96a03dba2fd5
SHA512

f8f0a48256e252e7c53b6d9147260553c5e755cfeb9bec2f2f28cc45050e5cf647f89ada36db87813885b92beeacf5ad88a91ee828268b547347d67cd445044c
SSDEEP

12288:3TqWinskP5tlFjD2zEl3HB2jC37DXjbMppIp7KmmeyrJ:DqNnskBtlFjD2zExsC37TvMppIMukJ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
688	ipconfig.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 580 set thread context of 912	580	Confirmation_10Feb2023_102510.exe	28
PID 912 set thread context of 1268	912	Caspol.exe	15
PID 688 set thread context of 1268	688	ipconfig.exe	15

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
688	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
912	Caspol.exe
912	Caspol.exe
912	Caspol.exe
912	Caspol.exe
688	ipconfig.exe
688	ipconfig.exe
688	ipconfig.exe
688	ipconfig.exe
688	ipconfig.exe
688	ipconfig.exe
688	ipconfig.exe
688	ipconfig.exe
688	ipconfig.exe
688	ipconfig.exe
688	ipconfig.exe
688	ipconfig.exe
688	ipconfig.exe
688	ipconfig.exe
688	ipconfig.exe
688	ipconfig.exe
688	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1268	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
912	Caspol.exe
912	Caspol.exe
912	Caspol.exe
688	ipconfig.exe
688	ipconfig.exe
688	ipconfig.exe
688	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	580	Confirmation_10Feb2023_102510.exe
Token: SeDebugPrivilege	912	Caspol.exe
Token: SeDebugPrivilege	688	ipconfig.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 912	580	Confirmation_10Feb2023_102510.exe	28
PID 580 wrote to memory of 912	580	Confirmation_10Feb2023_102510.exe	28
PID 580 wrote to memory of 912	580	Confirmation_10Feb2023_102510.exe	28
PID 580 wrote to memory of 912	580	Confirmation_10Feb2023_102510.exe	28
PID 580 wrote to memory of 912	580	Confirmation_10Feb2023_102510.exe	28
PID 580 wrote to memory of 912	580	Confirmation_10Feb2023_102510.exe	28
PID 580 wrote to memory of 912	580	Confirmation_10Feb2023_102510.exe	28
PID 1268 wrote to memory of 688	1268	Explorer.EXE	29
PID 1268 wrote to memory of 688	1268	Explorer.EXE	29
PID 1268 wrote to memory of 688	1268	Explorer.EXE	29
PID 1268 wrote to memory of 688	1268	Explorer.EXE	29
PID 688 wrote to memory of 1616	688	ipconfig.exe	32
PID 688 wrote to memory of 1616	688	ipconfig.exe	32
PID 688 wrote to memory of 1616	688	ipconfig.exe	32
PID 688 wrote to memory of 1616	688	ipconfig.exe	32
PID 688 wrote to memory of 1616	688	ipconfig.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\Confirmation_10Feb2023_102510.exe
  "C:\Users\Admin\AppData\Local\Temp\Confirmation_10Feb2023_102510.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
819KB

MD5
eda40ea55ff2eb2a2e5aca836bb1cc26

SHA1
6de11b4b121bc8b9b87b05ddbdd6eda4e9442c37

SHA256
330b88eacb778b86dff1a90189121e8b3280723be9fbf4e55174ede2bbf74af0

SHA512
caf63f50931f76ec919528dedfb8b6ee14590f5aa33f91a6b9c24f63c0f3851cffdc16eab976ee7d6140f383050050d26f3547743b5ae772001b8f6199f0a4fc

Download Submit
memory/580-55-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/580-56-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/580-57-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/580-54-0x0000000000320000-0x00000000003D8000-memory.dmp

Filesize
736KB

Download
memory/688-74-0x0000000000A40000-0x0000000000ACF000-memory.dmp

Filesize
572KB

Download
memory/688-73-0x0000000002060000-0x0000000002363000-memory.dmp

Filesize
3.0MB

Download
memory/688-71-0x0000000000C50000-0x0000000000C5A000-memory.dmp

Filesize
40KB

Download
memory/688-72-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/688-70-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/912-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-66-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/912-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-65-0x0000000000BF0000-0x0000000000EF3000-memory.dmp

Filesize
3.0MB

Download
memory/912-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1268-67-0x0000000003BA0000-0x0000000003C55000-memory.dmp

Filesize
724KB

Download
memory/1268-75-0x0000000004A10000-0x0000000004AB8000-memory.dmp

Filesize
672KB

Download
memory/1268-76-0x0000000004A10000-0x0000000004AB8000-memory.dmp

Filesize
672KB

Download

Analysis

Sharing