Overview

overview

7

Static

static

3

CapCut_2_2..._0.exe

windows10-1703-x64

7

Resubmissions

13/07/2023, 13:45

230713-q2d1jsgh87 7

11/07/2023, 19:06

230711-xr6fdabf3v 7

11/07/2023, 19:04

230711-xq3cbsae78 3

11/07/2023, 18:41

230711-xb55nsae49 7

11/07/2023, 18:30

230711-w5nbaaae42 7

Analysis

  • max time kernel
    269s
  • max time network
    275s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    13/07/2023, 13:45

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    CapCut_2_2_0_491_capcutpc_0/CapCut_2_2_0_491_capcutpc_0.exe

  • Size

    58.6MB

  • MD5

    bbe506388a97274805cc8d3c91cf67ac

  • SHA1

    b2896db7d28fe66c612d900971ca05a9f7c37429

  • SHA256

    d6aee63ffe429ddb9340090bff2127efad340240954364f1c996a8da6b711374

  • SHA512

    4d27b1de445be7440b3c80e4070b60aefabf2cad45e2f73acfed79675ef8af2dd12c696e3f6adebbe9a7a809160ecbd672260ffa8e8e0b7b75462b9d89adfa95

  • SSDEEP

    393216:SQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgd96l+ZArYsFRlLNK:S3on1HvSzxAMNdFZArYsTNSgIm1G

Score
7/10
persistencespywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Kills process with taskkill 8 IoCs
    evasion
  • Modifies registry key 1 TTPs 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CapCut_2_2_0_491_capcutpc_0\CapCut_2_2_0_491_capcutpc_0.exe
    "C:\Users\Admin\AppData\Local\Temp\CapCut_2_2_0_491_capcutpc_0\CapCut_2_2_0_491_capcutpc_0.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM chrome.exe /T"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:788
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM chrome.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4568
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM msedge.exe /T"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5104
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM msedge.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1836
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM chrome.exe /T"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM chrome.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:512
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM msedge.exe /T"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4188
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM msedge.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3080
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CapCut_2_2_0_491_capcutpc_0
      2⤵
      • Modifies registry key
      PID:2996
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v pdf
      2⤵
      • Modifies registry key
      PID:4792
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CapCut_2_2_0_491_capcutpc_0
      2⤵
      • Modifies registry key
      PID:3732
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v pdf /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\pdf.exe\"" /f
      2⤵
      • Adds Run key to start application
      • Modifies registry key
      PID:1124
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CapCut_2_2_0_491_capcutpc_0 /t REG_SZ /d "\"C:\Users\Admin\CapCut_2_2_0_491_capcutpc_0.exe\"" /f
      2⤵
      • Adds Run key to start application
      • Modifies registry key
      PID:2972
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CapCut_2_2_0_491_capcutpc_0 /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\CapCut_2_2_0_491_capcutpc_0\CapCut_2_2_0_491_capcutpc_0.exe\"" /f
      2⤵
      • Adds Run key to start application
      • Modifies registry key
      PID:604
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM chrome.exe /T"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM chrome.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5068
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM msedge.exe /T"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM msedge.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3276
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM chrome.exe /T"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM chrome.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4328
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM msedge.exe /T"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM msedge.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3920
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CapCut_2_2_0_491_capcutpc_0
      2⤵
      • Modifies registry key
      PID:3396
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v pdf
      2⤵
      • Modifies registry key
      PID:4968
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CapCut_2_2_0_491_capcutpc_0
      2⤵
      • Modifies registry key
      PID:4428
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CapCut_2_2_0_491_capcutpc_0
      2⤵
      • Modifies registry key
      PID:596
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v pdf
      2⤵
      • Modifies registry key
      PID:2936
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CapCut_2_2_0_491_capcutpc_0
      2⤵
      • Modifies registry key
      PID:1016
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CapCut_2_2_0_491_capcutpc_0
      2⤵
      • Modifies registry key
      PID:1948
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v pdf
      2⤵
      • Modifies registry key
      PID:1208
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CapCut_2_2_0_491_capcutpc_0
      2⤵
      • Modifies registry key
      PID:4148
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CapCut_2_2_0_491_capcutpc_0
      2⤵
      • Modifies registry key
      PID:1900
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v pdf
      2⤵
      • Modifies registry key
      PID:2076
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CapCut_2_2_0_491_capcutpc_0
      2⤵
      • Modifies registry key
      PID:1548

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Users\Admin\AppData\Local\Temp\pkg\53314136803bee54998b66527ced96f94ab72873b2f1f6d9ed1d4756953e5200\node-hide-console-window\build\Release\node-hide-console-window.node
          Filesize

          543KB

          MD5

          6329047bb7875fe4a099ca17b9f69f73

          SHA1

          f175746cc83bc88cf54c2759a242b26ca8315976

          SHA256

          53314136803bee54998b66527ced96f94ab72873b2f1f6d9ed1d4756953e5200

          SHA512

          c4216a2ebb8513d7c3252a9bad797a5ec6478d838f8c1f730754e3dc0d8d9882d810fe8f9f153fdb8a47692180b58b1ae68e507bc1a3f94b8daee114a59a85b9

          Download Submit

        • \Users\Admin\AppData\Local\Temp\pkg\59be25e415e9285417ad98474b3d3a51935117d01245e8e1f6a9bfbb1e762197\win32crypt\build\Release\win32crypt.node
          Filesize

          572KB

          MD5

          f8f8ade6fcdebdb26ab774968842d90c

          SHA1

          e9b203eb92a2779031ebb4eb1fd3892df04fd78f

          SHA256

          59be25e415e9285417ad98474b3d3a51935117d01245e8e1f6a9bfbb1e762197

          SHA512

          c21851a71f319271e1bbf65feb52989a64940d9bd425970c1a7fbca98f2b5f8e9245d9cb8a1581d8970d833ac6fb4a1b1fe78a9b04f2d056de86c59bb87a1f0a

          Download Submit

        • \Users\Admin\AppData\Local\Temp\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node
          Filesize

          1.8MB

          MD5

          3072b68e3c226aff39e6782d025f25a8

          SHA1

          cf559196d74fa490ac8ce192db222c9f5c5a006a

          SHA256

          7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

          SHA512

          61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

          Download Submit