1a34455ce3bb799c173bd51995e88758b9642a5533b787fa1f5c9c08788ca1c6

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 23:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1f471a4d1e7daa886b6cf9c48c6151d3.exe
Size

343KB
MD5

1f471a4d1e7daa886b6cf9c48c6151d3
SHA1

788524420449df47b9ee204a7a4329b8b8d2d07c
SHA256

1a34455ce3bb799c173bd51995e88758b9642a5533b787fa1f5c9c08788ca1c6
SHA512

d7f2af2af556798d99737acbb51dc362ec74e2d9d55479297c9c7e6d591728a30311c77d28de35cf62349595087feaaf4418710212c3f590db8195b69b6d2933
SSDEEP

6144:bOu/NbK2QmH07fNCtkZyAZC3ijwd1m3KQwIUy61CaJDnWuVVoD4z2kG283tmzdqy:Xe2QocXZrZD61m3wIba5xVZzVG28Odqy

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3016	cacaoweb.exe

Loads dropped DLL 2 IoCs

pid	Process
3012	1f471a4d1e7daa886b6cf9c48c6151d3.exe
3012	1f471a4d1e7daa886b6cf9c48c6151d3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3012-0-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral1/memory/3016-13-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral1/memory/3012-10-0x0000000003740000-0x0000000003835000-memory.dmp	upx
behavioral1/memory/3012-9-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral1/files/0x0036000000015cb3-3.dat	upx
behavioral1/memory/3016-22-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral1/memory/3016-452-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral1/memory/3016-451-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral1/memory/3016-453-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral1/memory/3016-454-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral1/memory/3016-455-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral1/memory/3016-456-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral1/memory/3016-502-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral1/memory/3016-890-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral1/memory/3016-891-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral1/memory/3016-892-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral1/memory/3016-893-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral1/memory/3016-894-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral1/memory/3016-895-0x0000000000400000-0x00000000004F5000-memory.dmp	upx
behavioral1/memory/3016-896-0x0000000000400000-0x00000000004F5000-memory.dmp	upx

Unexpected DNS network traffic destination 16 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	76.73.18.50
Destination IP	76.73.18.50
Destination IP	76.73.18.50
Destination IP	94.23.217.216
Destination IP	94.23.217.216
Destination IP	94.23.217.216
Destination IP	76.73.18.50
Destination IP	94.23.217.216
Destination IP	94.23.217.216
Destination IP	76.73.18.50
Destination IP	94.23.217.216
Destination IP	94.23.217.216
Destination IP	76.73.18.50
Destination IP	76.73.18.50
Destination IP	94.23.217.216
Destination IP	76.73.18.50

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\cacaoweb = "\"C:\\Users\\Admin\\AppData\\Roaming\\cacaoweb\\cacaoweb.exe\" -noplayer"	cacaoweb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90ecd8b59f3cda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410267799"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E1662F31-A892-11EE-9905-C2500A176F17} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d600000000020000000000106600000001000020000000c679011520dc05bf93aa2cfc8f042183ebc6da007c4c0b1ce2944490c488ce2d000000000e8000000002000020000000b063ab5a2f93f8b0bc83fb32d5b1faabae1b3236b30fcb97fe43e1142f4cd60620000000220564aa91cb7f5c57c17bf64d9d8372f21207db4c7db21722e2e4c2acc6d7344000000047c376d8020319ecf00e5bcea06d246eec640253c7a4ade56bf148f188ea4e8165aac331f496f7350af9c9cbd708ecdf3ac0e0fb661454429b576783c864ba53	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d60000000002000000000010660000000100002000000084f7dfac3b40fe444e5eeb22e6c2ab134b6ad9cfe27dc10c89068805a710e9b3000000000e80000000020000200000009c43dd8ac135a4c8892d397c4adcd3479be42a619bd244aa4d79bd80c966367490000000fa743a79cb960a9b420d27f5568815309ba4494dd7b0a255e9f7e378ca656b8dad47c3c80217e67423fbeb98f7c43d0d2eafe2c374ac66f4f204d6935d9e7ea3c351fe8cae8d2774571275adf97bc9681524c7ac236883956fd30ab261f1675efec243ea76296352bc380228043fd8d216c29a603f0fb06523d966584862e16715e2c305040329b4b675f33658b0e16840000000d3ed14067fb02e619b4037d9ad85987f42d532faa61b15d02b537894cc8a5e9992be4cffc94a25c91d475c4a73b7d7c211669e458898c9655c825c0b240c5645	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2828	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2828	iexplore.exe
2828	iexplore.exe
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 3016	3012	1f471a4d1e7daa886b6cf9c48c6151d3.exe	28
PID 3012 wrote to memory of 3016	3012	1f471a4d1e7daa886b6cf9c48c6151d3.exe	28
PID 3012 wrote to memory of 3016	3012	1f471a4d1e7daa886b6cf9c48c6151d3.exe	28
PID 3012 wrote to memory of 3016	3012	1f471a4d1e7daa886b6cf9c48c6151d3.exe	28
PID 3016 wrote to memory of 2828	3016	cacaoweb.exe	32
PID 3016 wrote to memory of 2828	3016	cacaoweb.exe	32
PID 3016 wrote to memory of 2828	3016	cacaoweb.exe	32
PID 3016 wrote to memory of 2828	3016	cacaoweb.exe	32
PID 2828 wrote to memory of 2500	2828	iexplore.exe	31
PID 2828 wrote to memory of 2500	2828	iexplore.exe	31
PID 2828 wrote to memory of 2500	2828	iexplore.exe	31
PID 2828 wrote to memory of 2500	2828	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\1f471a4d1e7daa886b6cf9c48c6151d3.exe
"C:\Users\Admin\AppData\Local\Temp\1f471a4d1e7daa886b6cf9c48c6151d3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Roaming\cacaoweb\cacaoweb.exe
  C:\Users\Admin\AppData\Roaming\cacaoweb\cacaoweb.exe -reboot
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://local.cacaoweb.org:4001/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2828

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2828 CREDAT:275457 /prefetch:2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b5c803e3f855b19782a42073b883980

SHA1
a27cd5c82ec8561efb90a4de862d5fc95782d4af

SHA256
3fb776b386302fdde7eebc90a09b64682dc1b30c2f5aea8a5f145d280134ca97

SHA512
b07d064ad77ca1e7dfd3820beb99c0ab01526d495fcc0e12a21a0a42f286d2e041299206a4769497908ad915c2771fd72f270b3253c19c48341c98effc3413ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1c3c912a3bfb272b73c9567dd1ca01ca

SHA1
37b2b49ae919c7a7f78ba739d875d8b38b427052

SHA256
6093acb622a2f3cd5d0d92af7503a6da96d9a002b291567679e8d24b50cfd359

SHA512
aaaae3c9c62566515b0dfff7600bf597f8dfe3eb897ed7c6d68b67e0db88a45800cd5993ab3d6a4b9594506360a6d419990b7caa67842c6c2803fd09f182ebf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
509b914ec8c5021fce13150a4babdbe9

SHA1
09d9cab9fc17e8df5b50f3afe00633f3874e31f0

SHA256
a1f933a58b6b662aebf036fa5a07a2625d0e88add6df1421ad32dcc808b1642e

SHA512
d7f5104dde9e774416061a492a058845499985f72a45b79df55cf556ee34bcab96e5fd14df6e077c4f59086f99f82b294f77d39a3f9f96281c2237674532c42b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
051f59ae4e6e44e5c262bbcad2004ce2

SHA1
eecf35838d9b9d6cc9163cd325b2d756b0ca7ce3

SHA256
f06f9bb71329920e48a8e57d5cd9c6909cbb6f29329a4a712303c17d6a9c3cbe

SHA512
3f22bdf016b98c2bb7ef62ced1ea95d92c5c76528d4e10486f7ac5c70ec894cb5db1cd61f55e3f6dacade202cbd93c4a09d3983e36b63c43eb537fb41caa355d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab482A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
memory/3012-0-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3012-10-0x0000000003740000-0x0000000003835000-memory.dmp

Filesize
980KB

Download
memory/3012-9-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3016-455-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3016-22-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3016-454-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3016-451-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3016-456-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3016-502-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3016-452-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3016-453-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3016-13-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3016-890-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3016-891-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3016-892-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3016-893-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3016-894-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3016-895-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/3016-896-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads