46cb7f71c03050900ea2ea61466a94f0bf1415bb1e4e6c348867062fdd072627

Analysis

max time kernel
4s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 16:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

04b9644b2b61fc9cbdcdb8d614678e35.exe
Size

168KB
MD5

04b9644b2b61fc9cbdcdb8d614678e35
SHA1

4535f1b2e988e7dc0086a057c574f9b1255f02a7
SHA256

46cb7f71c03050900ea2ea61466a94f0bf1415bb1e4e6c348867062fdd072627
SHA512

7209cdc024d7359ed81daee4e106604b5d48809a507e742381bc5997e3e1126834dcf965cb736fd3ae73aabf36b20537a1e63732de850532a7568345da89346f
SSDEEP

3072:bLQvXcvnRshndKAH4r3h2Wm3BWjqLSmP1Vwpn24tUp09LjGe:bLQcnRshdO3oGmnCpn2et

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	04b9644b2b61fc9cbdcdb8d614678e35.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	04b9644b2b61fc9cbdcdb8d614678e35.exe

Executes dropped EXE 1 IoCs

pid	Process
3164	caator.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caator = "C:\\Users\\Admin\\caator.exe /a"	04b9644b2b61fc9cbdcdb8d614678e35.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4304	04b9644b2b61fc9cbdcdb8d614678e35.exe
4304	04b9644b2b61fc9cbdcdb8d614678e35.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4304	04b9644b2b61fc9cbdcdb8d614678e35.exe
3164	caator.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 3164	4304	04b9644b2b61fc9cbdcdb8d614678e35.exe	92
PID 4304 wrote to memory of 3164	4304	04b9644b2b61fc9cbdcdb8d614678e35.exe	92
PID 4304 wrote to memory of 3164	4304	04b9644b2b61fc9cbdcdb8d614678e35.exe	92

C:\Users\Admin\AppData\Local\Temp\04b9644b2b61fc9cbdcdb8d614678e35.exe
"C:\Users\Admin\AppData\Local\Temp\04b9644b2b61fc9cbdcdb8d614678e35.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Users\Admin\caator.exe
  "C:\Users\Admin\caator.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\caator.exe

Filesize
91KB

MD5
9a610a9cf0c4e47c1d4fd7f12d1e36a9

SHA1
8c2855daa0113ccf402db3c92211929d66af75a3

SHA256
576b034dcef319d5a65246b0b2c919ad7574511ad7f14ea4d13ebdf554fb59e7

SHA512
12d4c24aa0dddf19feef7c675870ad6e357f9a89427bca511e2894317d9bbe30e2d5180ceb84367ce14fc43e02ae21d399c0dcb1bc04b72e95aa3856fd4edf6f

Download Submit
C:\Users\Admin\caator.exe

Filesize
76KB

MD5
1548a9dc9552986625158abcc907f16c

SHA1
7d4bba8e1527e75c55f6b35ff5e713f3de861dd3

SHA256
e505c803ccc66e36935c40c1573431c71239760d9dc73e3f61cd3d6ada5c262f

SHA512
4153c61bb4977758d96dda29d26fb0887a4c5a95c27ead00f439f7fe80ec6c0ec1d24e627db3183ae2529f4e432b44fe18bd779f490ceae8dcdaebbfce26a10b

Download Submit
C:\Users\Admin\caator.exe

Filesize
129KB

MD5
b4146ea8bfcede3cb2551a541cee04ee

SHA1
180a4a54a5e0cc88e36a26abcad319b297e25e09

SHA256
cf2b9e683ad8a5c0dbab86d9e00d2ac15a1909badcf8922e3af97790d1d0aaf0

SHA512
edc3b575bdf3f54ac2a49326b98910888d34c49d2135194f4420cfd8d664fba913b16cebbc58fe41a1b49f41b5215604244db75aae7e9a89801f5a97d25fda89

Download Submit