Overview

overview

6

Static

static

1

URLScan

urlscan

https://github.com/c...

windows10-2004-x64

6

Analysis

  • max time kernel
    101s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/05/2023, 14:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/cheto8ballpool/8-ball-pool-cheto/blob/main/Cheto%205.10.2.zip

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/cheto8ballpool/8-ball-pool-cheto/blob/main/Cheto%205.10.2.zip
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3228
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3228 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3628
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1480
    • C:\Users\Admin\AppData\Local\Temp\Temp1_Cheto 5.10.2.zip\MASTER 8BP.exe
      "C:\Users\Admin\AppData\Local\Temp\Temp1_Cheto 5.10.2.zip\MASTER 8BP.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2800
    • C:\Users\Admin\AppData\Local\Temp\Temp1_Cheto 5.10.2.zip\MASTER 8BP.exe
      "C:\Users\Admin\AppData\Local\Temp\Temp1_Cheto 5.10.2.zip\MASTER 8BP.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4420

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      c8acc7ebd0274710ad136e9ebbf77b30

      SHA1

      d99222d014b6694013aca886e37094c480120566

      SHA256

      5faffea9fd8c3fd5cccb9acb4fc3dcda1b50e9f69e382acb3e07c893918a53d5

      SHA512

      8f030769ed0daa410468084783ec029e4a26697b8c684c18d270c459b84ca9b2359511540e37db2b35561893d72c314d273af066b623cbb3b49e7cd28ce2ecee

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      434B

      MD5

      4fa73c503dae07d9a8ff202ea4ec198e

      SHA1

      97c634957c71c616fa29b97cf0e87b8a259f249d

      SHA256

      0817c0c3c87c8068d753d005065b63e9dc724a81792a28f58fd879530b258af7

      SHA512

      d4b128d26a9b36119669ac9a09effa2586b549c8f48ee8ab5e292e05014176450eaae7d290ddbd72e65dc93f4b96489e6aa3b58746f5f107fd9d1bb553a79380

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF283.tmp
      Filesize

      15KB

      MD5

      1a545d0052b581fbb2ab4c52133846bc

      SHA1

      62f3266a9b9925cd6d98658b92adec673cbe3dd3

      SHA256

      557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

      SHA512

      bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9afmek3\imagestore.dat
      Filesize

      1KB

      MD5

      1725c173b6763ab68f23fe853c4b7b1f

      SHA1

      d2a16032178ff9f0f8921ad71607c781a0f75619

      SHA256

      5aa950036f8b85fe5eff0fb0f2c39a0346711e134607e1463156d66858647571

      SHA512

      380b92516ff7b2d613c009949c601cc7b12e5a285fb553309a3981720a3f7192d188f52eaafac41982ddd6f5f18802c2d464f0c12552f0158fb0b4e130713091

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKFP9JBL\Cheto 5.10.2.zip.qvip9tq.partial
      Filesize

      1.1MB

      MD5

      efa709d98fe3e570f7bdf43bda1716c2

      SHA1

      e04eebb3f7502122cf25fd1a565dbfdaf1f8adb7

      SHA256

      d21e497395d55646d4ef8f1f308027a727681f2f70d2e897afc6112cdc467f40

      SHA512

      e46a419e3f6b753784b6a5c4751e41c26f70340a378cbfb4817949cda91338f0b43711591934c351f65e8352330d361fac768bb457d262573f34060b37d70be1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKFP9JBL\Cheto%205.10.2[1].zip
      Filesize

      1.1MB

      MD5

      efa709d98fe3e570f7bdf43bda1716c2

      SHA1

      e04eebb3f7502122cf25fd1a565dbfdaf1f8adb7

      SHA256

      d21e497395d55646d4ef8f1f308027a727681f2f70d2e897afc6112cdc467f40

      SHA512

      e46a419e3f6b753784b6a5c4751e41c26f70340a378cbfb4817949cda91338f0b43711591934c351f65e8352330d361fac768bb457d262573f34060b37d70be1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKFP9JBL\favicon[1].png
      Filesize

      958B

      MD5

      346e09471362f2907510a31812129cd2

      SHA1

      323b99430dd424604ae57a19a91f25376e209759

      SHA256

      74cf90ac2fe6624ab1056cacea11cf7ed4f8bef54bbb0e869638013bba45bc08

      SHA512

      a62b0fcc02e671d6037725cf67935f8ca1c875f764ce39fed267420935c0b7bad69ab50d3f9f8c628e9b3cff439885ee416989e31ceaa5d32ae596dd7e5fedbd

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKFP9JBL\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit