90023a29b6f8d025835bdd1849146fc5837ffdd78fe9215b36f384f0d1bdc55e

Analysis

max time kernel
149s
max time network
136s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-03-2023 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe
Size

1.4MB
MD5

ad71842100670b6f880e326f2ab71c30
SHA1

f81bd8a7e66d5a76a36d44e37db0b28a8660a040
SHA256

a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330
SHA512

48b0000bd1567dfbc7aadee7c1ad0ea81d475b9e69f176703a0bac3f3bcfaf2f2265c4adf6dc7015a1e6b5effab044b95405e5172c7aa1806e621a730bc58364
SSDEEP

24576:sbq0Msre2kKCzeUl9ReKie1DJ33wIynyTn1hdrKM3xyDSqqw5V+82Y+vRn7DkwSp:W7re2kKlUlqKieDHwIynyTdJ3OSSK82c

Score

8^/10

bootkit persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

CathayFXConfig.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts CathayFXConfig.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cathayfutures5setup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cathayfutures5setup.exe
Executes dropped EXE 3 IoCs

Processes:

CathayFXConfig.execathayfutures5setup.exe

pid process

1720 CathayFXConfig.exe
880 cathayfutures5setup.exe
1344

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	CathayFXConfig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cathayfutures5setup.exe

Loads dropped DLL 2 IoCs

Processes:

a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe

pid	process
1700	a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe
1700	a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CathayFXConfig.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppName = "\"C:\\Program Files (x86)\\CathayFutures_FX\\CathayFXConfig.exe\""	CathayFXConfig.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

cathayfutures5setup.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 cathayfutures5setup.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	cathayfutures5setup.exe

Drops file in Program Files directory 4 IoCs

Processes:

a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.execathayfutures5setup.exe

description	ioc	process
File created	C:\Program Files (x86)\CathayFutures_FX\CathayFXConfig.exe	a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe
File created	C:\Program Files (x86)\CathayFutures_FX\cathayfutures5setup.exe	a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe
File created	C:\Program Files (x86)\CathayFutures_FX\logo tree.ico	a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe
File created	C:\Program Files\checkwritepermissions.exe	cathayfutures5setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cathayfutures5setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cathayfutures5setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cathayfutures5setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

cathayfutures5setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	cathayfutures5setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	cathayfutures5setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	cathayfutures5setup.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

cathayfutures5setup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	cathayfutures5setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	cathayfutures5setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	cathayfutures5setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	cathayfutures5setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	cathayfutures5setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	cathayfutures5setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	cathayfutures5setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	cathayfutures5setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CathayFXConfig.exe

pid	process
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe
1720	CathayFXConfig.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CathayFXConfig.exe

description pid process

Token: SeDebugPrivilege 1720 CathayFXConfig.exe

description	pid	process
Token: SeDebugPrivilege	1720	CathayFXConfig.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe

description	pid	process	target process
PID 1700 wrote to memory of 1720	1700	a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe	CathayFXConfig.exe
PID 1700 wrote to memory of 1720	1700	a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe	CathayFXConfig.exe
PID 1700 wrote to memory of 1720	1700	a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe	CathayFXConfig.exe
PID 1700 wrote to memory of 1720	1700	a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe	CathayFXConfig.exe
PID 1700 wrote to memory of 880	1700	a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe	cathayfutures5setup.exe
PID 1700 wrote to memory of 880	1700	a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe	cathayfutures5setup.exe
PID 1700 wrote to memory of 880	1700	a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe	cathayfutures5setup.exe
PID 1700 wrote to memory of 880	1700	a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe	cathayfutures5setup.exe

C:\Users\Admin\AppData\Local\Temp\a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe
"C:\Users\Admin\AppData\Local\Temp\a8d746ad75f60881430ff0fd0f8f51e8e013953113811a0ed4cd944fdbd09330.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1700

C:\Program Files (x86)\CathayFutures_FX\CathayFXConfig.exe
"C:\Program Files (x86)\CathayFutures_FX\CathayFXConfig.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Program Files (x86)\CathayFutures_FX\cathayfutures5setup.exe
"C:\Program Files (x86)\CathayFutures_FX\cathayfutures5setup.exe"
2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies system certificate store
PID:880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CathayFutures_FX\CathayFXConfig.exe
Filesize
13KB

MD5
3cc551c34d632e97a738654da88b6a6f

SHA1
002fbcc1431d19373bc5e374fa0b4faae4d635e8

SHA256
f513bcd0af5ea53dd6b5261fb7d0b1e5680093a852a8ffad724ac2c42b8852a2

SHA512
5feed9524313982a04f412444e830d40a649d1755622a30218f4f9fb072b69e3bcc88b0e42716031f027ba205d35ab14665143864595ae1e93f82d9459413c21

Download Submit
C:\Program Files (x86)\CathayFutures_FX\CathayFXConfig.exe
Filesize
13KB

MD5
3cc551c34d632e97a738654da88b6a6f

SHA1
002fbcc1431d19373bc5e374fa0b4faae4d635e8

SHA256
f513bcd0af5ea53dd6b5261fb7d0b1e5680093a852a8ffad724ac2c42b8852a2

SHA512
5feed9524313982a04f412444e830d40a649d1755622a30218f4f9fb072b69e3bcc88b0e42716031f027ba205d35ab14665143864595ae1e93f82d9459413c21

Download Submit
C:\Program Files (x86)\CathayFutures_FX\cathayfutures5setup.exe
Filesize
3.2MB

MD5
040ea631816d4e633dcd474234166afc

SHA1
68fa6b03207d1c309227d1c6ee3a139110dd0f67

SHA256
9aeed6e78d292d03eb09c8ade57ef76043281782c2862b063116b2aecf3b1b3b

SHA512
b1cf28e2ebdfa4ab84d914bb17a5548287193af192ce7d1be4f23126ba86c6e465cd6773788dbf3e6496ed0d37b208a843facfa68ecc1d1454116c1c6099759f

Download Submit
C:\Program Files (x86)\CathayFutures_FX\cathayfutures5setup.exe
Filesize
3.2MB

MD5
040ea631816d4e633dcd474234166afc

SHA1
68fa6b03207d1c309227d1c6ee3a139110dd0f67

SHA256
9aeed6e78d292d03eb09c8ade57ef76043281782c2862b063116b2aecf3b1b3b

SHA512
b1cf28e2ebdfa4ab84d914bb17a5548287193af192ce7d1be4f23126ba86c6e465cd6773788dbf3e6496ed0d37b208a843facfa68ecc1d1454116c1c6099759f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A4AA6A226E1870F0261713C59F1CB84
Filesize
983B

MD5
42f8529fe545103fdd848980a8647f29

SHA1
ca7788c32da1e4b7863a4fb57d00b55ddacbc7f9

SHA256
a6cf64dbb4c8d5fd19ce48896068db03b533a8d1336c6256a87d00cbb3def3ea

SHA512
1a3994c12d65e9c96b4c4ebcf79e8b291b620177520a7d0482a2b6043dd150a9f2ce1627d130309390e3ac6be98af5f2b50c1993c478976d0c9a9638c46a61bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fbefe321bb41a3a5d7ccef21ee567614

SHA1
bb5a838d3238a396c1ad69ecc00ec0b89fe0527d

SHA256
f52d1f9f9b751fab04903200e36520f97726067613e83f7328c0ce0bc7f75ffb

SHA512
7649adec5023d61b9aa5bc3e173431acd2de245782623af7ed9774d4355a81ad0b73ea667a0448cf74a1bebaebb2057d367f7b3acab3fcbd3eb920830af98b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE84.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF04.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
\Program Files (x86)\CathayFutures_FX\CathayFXConfig.exe
Filesize
13KB

MD5
3cc551c34d632e97a738654da88b6a6f

SHA1
002fbcc1431d19373bc5e374fa0b4faae4d635e8

SHA256
f513bcd0af5ea53dd6b5261fb7d0b1e5680093a852a8ffad724ac2c42b8852a2

SHA512
5feed9524313982a04f412444e830d40a649d1755622a30218f4f9fb072b69e3bcc88b0e42716031f027ba205d35ab14665143864595ae1e93f82d9459413c21

Download Submit
\Program Files (x86)\CathayFutures_FX\cathayfutures5setup.exe
Filesize
3.2MB

MD5
040ea631816d4e633dcd474234166afc

SHA1
68fa6b03207d1c309227d1c6ee3a139110dd0f67

SHA256
9aeed6e78d292d03eb09c8ade57ef76043281782c2862b063116b2aecf3b1b3b

SHA512
b1cf28e2ebdfa4ab84d914bb17a5548287193af192ce7d1be4f23126ba86c6e465cd6773788dbf3e6496ed0d37b208a843facfa68ecc1d1454116c1c6099759f

Download Submit
\Program Files (x86)\CathayFutures_FX\cathayfutures5setup.exe
Filesize
3.2MB

MD5
040ea631816d4e633dcd474234166afc

SHA1
68fa6b03207d1c309227d1c6ee3a139110dd0f67

SHA256
9aeed6e78d292d03eb09c8ade57ef76043281782c2862b063116b2aecf3b1b3b

SHA512
b1cf28e2ebdfa4ab84d914bb17a5548287193af192ce7d1be4f23126ba86c6e465cd6773788dbf3e6496ed0d37b208a843facfa68ecc1d1454116c1c6099759f

Download Submit
memory/880-76-0x00000000046E0000-0x00000000046F7000-memory.dmp

Filesize
92KB

Download
memory/880-87-0x0000000004E90000-0x0000000004EAE000-memory.dmp

Filesize
120KB

Download
memory/880-73-0x00000000027E0000-0x00000000028E9000-memory.dmp

Filesize
1.0MB

Download
memory/880-74-0x0000000003EA0000-0x0000000003F39000-memory.dmp

Filesize
612KB

Download
memory/880-75-0x0000000003F60000-0x0000000003FE6000-memory.dmp

Filesize
536KB

Download
memory/880-67-0x0000000000200000-0x000000000021F000-memory.dmp

Filesize
124KB

Download
memory/880-77-0x00000000047A0000-0x00000000047B4000-memory.dmp

Filesize
80KB

Download
memory/880-78-0x00000000047C0000-0x00000000047D4000-memory.dmp

Filesize
80KB

Download
memory/880-79-0x0000000004960000-0x0000000004A42000-memory.dmp

Filesize
904KB

Download
memory/880-80-0x00000000047E0000-0x0000000004807000-memory.dmp

Filesize
156KB

Download
memory/880-66-0x00000000009C0000-0x0000000000A89000-memory.dmp

Filesize
804KB

Download
memory/880-83-0x0000000004000000-0x0000000004055000-memory.dmp

Filesize
340KB

Download
memory/880-84-0x0000000004980000-0x0000000004997000-memory.dmp

Filesize
92KB

Download
memory/880-85-0x0000000004E20000-0x0000000004E2A000-memory.dmp

Filesize
40KB

Download
memory/880-86-0x0000000004E30000-0x0000000004E87000-memory.dmp

Filesize
348KB

Download
memory/880-72-0x00000000021B0000-0x00000000023C5000-memory.dmp

Filesize
2.1MB

Download
memory/880-88-0x0000000004FC0000-0x0000000004FDB000-memory.dmp

Filesize
108KB

Download
memory/880-89-0x00000000053F0000-0x0000000005416000-memory.dmp

Filesize
152KB

Download
memory/880-90-0x0000000005420000-0x0000000005472000-memory.dmp

Filesize
328KB

Download
memory/880-92-0x0000000005590000-0x00000000055AA000-memory.dmp

Filesize
104KB

Download
memory/880-100-0x00000000057B0000-0x00000000057CA000-memory.dmp

Filesize
104KB

Download
memory/880-70-0x0000000002070000-0x0000000002195000-memory.dmp

Filesize
1.1MB

Download
memory/880-68-0x0000000001900000-0x0000000001971000-memory.dmp

Filesize
452KB

Download
memory/880-69-0x0000000001E80000-0x0000000001EA2000-memory.dmp

Filesize
136KB

Download
memory/880-131-0x0000000006C70000-0x0000000006CE1000-memory.dmp

Filesize
452KB

Download
memory/880-133-0x0000000006CF0000-0x0000000006D54000-memory.dmp

Filesize
400KB

Download
memory/880-134-0x0000000005990000-0x00000000059A8000-memory.dmp

Filesize
96KB

Download
memory/880-139-0x0000000006280000-0x000000000629A000-memory.dmp

Filesize
104KB

Download
memory/880-65-0x0000000000890000-0x00000000009BD000-memory.dmp

Filesize
1.2MB

Download
memory/880-190-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/880-64-0x0000000000660000-0x00000000006FF000-memory.dmp

Filesize
636KB

Download
memory/1720-71-0x0000000000C60000-0x0000000000C68000-memory.dmp

Filesize
32KB

Download