5341b3921b75549adbe59365517c30bd045e63162728d9ba48f79832fea1bea0

Analysis

max time kernel
150s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-01-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Connectify.exe
Size

1.3MB
MD5

b05b39eaf75a2bf3b7a48de21ec53bf2
SHA1

246859e734f9bef2af407ff68edb0083db8cb6d8
SHA256

dfa9801d4bd605daeca0c170b27a5ca9fe6a062db7dd14390b59a5facd15e1dd
SHA512

c16c076890eef5e7217e3493513cd707c5a98ef6a18aa950212ba428a1fa4a9b85f336d1e9bf98540dff11286fc3cc9b22eca25ec8740aeaf8ac68d0f1c2b837
SSDEEP

12288:G6hgH2p/dQmKaUQKaUDpFwYBzKgKfLu/GwKaUd:G6hgS/CmjLjWpGYJKgaLuHjk

Score

1^/10

Malware Config

Signatures

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

Connectify.exe

pid	process
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

Connectify.exe

pid	process
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe
2088	Connectify.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Connectify.exe

pid process

2088 Connectify.exe
2088 Connectify.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Connectify.execsc.execsc.execsc.exe

description	pid	process	target process
PID 2088 wrote to memory of 2900	2088	Connectify.exe	csc.exe
PID 2088 wrote to memory of 2900	2088	Connectify.exe	csc.exe
PID 2088 wrote to memory of 2900	2088	Connectify.exe	csc.exe
PID 2088 wrote to memory of 2900	2088	Connectify.exe	csc.exe
PID 2900 wrote to memory of 2968	2900	csc.exe	cvtres.exe
PID 2900 wrote to memory of 2968	2900	csc.exe	cvtres.exe
PID 2900 wrote to memory of 2968	2900	csc.exe	cvtres.exe
PID 2900 wrote to memory of 2968	2900	csc.exe	cvtres.exe
PID 2088 wrote to memory of 744	2088	Connectify.exe	csc.exe
PID 2088 wrote to memory of 744	2088	Connectify.exe	csc.exe
PID 2088 wrote to memory of 744	2088	Connectify.exe	csc.exe
PID 2088 wrote to memory of 744	2088	Connectify.exe	csc.exe
PID 744 wrote to memory of 1856	744	csc.exe	cvtres.exe
PID 744 wrote to memory of 1856	744	csc.exe	cvtres.exe
PID 744 wrote to memory of 1856	744	csc.exe	cvtres.exe
PID 744 wrote to memory of 1856	744	csc.exe	cvtres.exe
PID 2088 wrote to memory of 2028	2088	Connectify.exe	csc.exe
PID 2088 wrote to memory of 2028	2088	Connectify.exe	csc.exe
PID 2088 wrote to memory of 2028	2088	Connectify.exe	csc.exe
PID 2088 wrote to memory of 2028	2088	Connectify.exe	csc.exe
PID 2028 wrote to memory of 3052	2028	csc.exe	cvtres.exe
PID 2028 wrote to memory of 3052	2028	csc.exe	cvtres.exe
PID 2028 wrote to memory of 3052	2028	csc.exe	cvtres.exe
PID 2028 wrote to memory of 3052	2028	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\Connectify.exe
"C:\Users\Admin\AppData\Local\Temp\Connectify.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iklxudqw.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60D6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC60D5.tmp"
3⤵
PID:2968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qnk1ul3o.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61D0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC61CF.tmp"
3⤵
PID:1856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\arngu2k_.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C5B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6C4A.tmp"
3⤵
PID:3052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab5939.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES60D6.tmp

Filesize
1KB

MD5
4cce6cf1704a26569a272c0875437a45

SHA1
6043b9cc63f89de6f9a6d26fb3ee6bb4ef7bac49

SHA256
39b8c83457280df99914658fda04e81ac617ec920533ab43706292c88dab1ec0

SHA512
c028b5c4d1b7b0338dbf7fa768f7e7c7364c6c113b4a2b87d09a4bdcd3c2cf8897f47e381e3eb8036227099044ed621a2eac34670bdf9b04363928ccef05b4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES61D0.tmp

Filesize
1KB

MD5
f312e824c6a3d8b16ccc6b9b3e78a72b

SHA1
f71970d6e2e26cdcdbe4feb35f877c2c969d31b5

SHA256
cc9f5a4eac7c61980a19febb30ac4727974c89f640a84672f31c7051c99da3d5

SHA512
a3f880c6e71b8ead4da296aa8e0ca8d9fa6c7f9889445a44cc07dc50f3743804564802b3cd886593afb544157b0ec6fa2681ac4e63fbc3edfb6c870b224969fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6C5B.tmp

Filesize
1KB

MD5
c5b8976307611ac9bb6bda725df3a40a

SHA1
ff734bbac606dfdc35d3fa2cbddd4fa2ece8a083

SHA256
9ff83de4be5676cb12c32dd9b2f4e3151e898e02d25b5949bac2204db5cbded0

SHA512
c91f83837d15a1765b1b8769ab05f5ad9e5b203d9b3416b48b73b1e36e642ae6d4f6419b2097e8a8ed98b1c3fe4037443f28bf7adea5a82a13f50f40f32250bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5B01.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\arngu2k_.dll

Filesize
9KB

MD5
fe4c09ff933b9fb87a62b5f13f870f03

SHA1
a86f5b247d912c3abfaf95dd7e8e8cb75123f3ef

SHA256
8d0bae9ba19680cecc05579ef89f69e0f4b0a064e3f5b0569b1221bc2afa2d23

SHA512
b9c5aea2e84582342319a672dd34276a3f67d7577f92bc712d96700a477efa69d805b5e4ba3a109c124bc456c670150ecf09363d47808c80e2d7b59d1d152a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\iklxudqw.dll

Filesize
10KB

MD5
5cea4f3cf60b395e9f1c813501fa657d

SHA1
8f4194e6324dcfed8977c261a25d3d7a198cdce3

SHA256
eb87ddaae2a021a5febb3ffcc461c8d914fa59122fe5a275b3e943ade97f8462

SHA512
52b692dc3db42cf6e586d2c48807442a9a72b5e220a57e18bb7988ea177b3a10be7f9dc2a809ea944183a9503a4c55bc2d4feb47427d65173f24182b5c4b8960

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnk1ul3o.dll

Filesize
8KB

MD5
6a032819dea06007aac0de811cfb9d7a

SHA1
5097c1d447f6c4158df404fed2af745e46127e12

SHA256
ef047670b98649dfe568794b9f346b5d7c6ca583a451cbcd22162519ade7ad4d

SHA512
61815fd1569a5d19da27e5c5e5f66f0078af2d81f9fcdf7dc75164eb9b173effdafac6830917a6565c359e92a9a63846a8f89128df490471be7177d0b770b451

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC60D5.tmp

Filesize
652B

MD5
433c40dfa7c47a8e59d3664ed6c1625f

SHA1
01d9afc785737a20bf94ac89d65fefe65f636d3f

SHA256
df17de65de9f0abe37d9b9bfc0e55640159b47e9531f5676ef0d6ad00cc11bca

SHA512
804096a778f3c6eb6cbd2bc50ed7b341311fd62b7b699744be311bcd43a9f99101cfbacb98ad53fbf9c9beab7359ce3994c674dfdfed61b6a794622b59d96ef1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC61CF.tmp

Filesize
700B

MD5
d8995799ff5261a72223f90c9252854a

SHA1
534b6bd6e46703ddde58d3cb2888284b7fafd527

SHA256
55b2f7b1186e3197cbb1ece5a4a371c7306d60914ad1052674770c6575b3ce1f

SHA512
ea57c8148cf7e3f4b43ddb6c798354fc6aa84098586e8889864d1f02b75bcb7eb65fe778f4f8b0609f9fec0401f1e35405694fea73842704c716f319288d17c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6C4A.tmp

Filesize
652B

MD5
34d0b47cfe25dfbbca73cff7214ffbc8

SHA1
76fd97dd8728d2db48e98b68c241bab47e4a7e23

SHA256
6d03de85376f87c14aefede23405f152d0448687a48c704edd756abe2e45c57e

SHA512
32be7cd9290e87f1ae15a0fb10f254f8fcce038fdad8be6cecbffa102a374820428b9c70460656bfc80b632a67f07b2621a58647fdc45d4bb3063c8f484faede

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\arngu2k_.0.cs

Filesize
18KB

MD5
528eee3560dbb40a85ab9b41c6aa9837

SHA1
9b5ff4b92de20e84aa1c407731d0d87025e5dc44

SHA256
a6383ad80f759d105c9f4d9e0d024d8331371c58db63f2beeb7eaf87d1f0e433

SHA512
594710420a7900b1a1e32106d07d23ae26b0d1b756354a6d5af0af5aa5df7dc32562bd9bc24bb7e938949a9accd5248a1038cd532a9af22118aaf5333a50a4b1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\arngu2k_.cmdline

Filesize
401B

MD5
0b6f0d8e7196bc820c7f0e3c79d187fa

SHA1
01709b6bfc9170ca59106b6ac731432902ae1f77

SHA256
58a0c64e2c580126d5452cbc85f5a398e4bdcb454347781da6cb34d394579238

SHA512
fb124e732346692b1d66d99f03c432dc1795ac39afaea69005747491b08ca9b2848c6117651e8f04b989100cb99a34150ad5caa3e2b022370563f4f32f574880

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iklxudqw.0.cs

Filesize
16KB

MD5
2acd8c6a61b4e380150e9279d971f493

SHA1
40960648651593045fda00cfbe3de316e0a43e42

SHA256
e4a02f3367b91e9d001f2b69faf923ea4cacd68232b675df782a1221af7d0395

SHA512
cd600e638fa0f2f6d90ea0562f8fb89da8517c50eccfc1fa0c75d93ea1dc61f8eeea3f9bad952e6894beb0fc0cd903b56ff9b52150ff1a181bacbf5e23ee957e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iklxudqw.cmdline

Filesize
401B

MD5
c39bda65f74810eba35aee688dafe77c

SHA1
59e8d1a8e603a4e56b9982d3dd5817b90703d1b4

SHA256
2a8600feada29b667e1904d3c00fa52e380151729605ac7a107a59f6e021dc5a

SHA512
4dcd10e1f0b0cad7f81376cbb563bab4e7f468f8c1c7923ce2b0d74243a6282a3cb9328b50c3a848913f6564a960b411eb375152b82fa5d6e0021577bd3c7ba0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnk1ul3o.0.cs

Filesize
11KB

MD5
529769583c8f35aaf52e20a7f520f0b5

SHA1
e66056ce1c9ce0531006178e5529cf5b6f8e3499

SHA256
20c939fce90096f57b1936c35edb703461d4063629c3f84b6c35522e0be692e4

SHA512
128456ee9e3dc5c33d97fb1c2d2ea58a7aa6bb600ec3e20abf63155b343b396cbc3c7c9ed678d148e43609550102fc11e65c2beaf62ba31ba2e93f9a72993844

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnk1ul3o.cmdline

Filesize
401B

MD5
951261a4758348660d0a1b15125beee0

SHA1
6ad7d67d9b4f9d276a1377e241ef7765fe96a2a2

SHA256
93f12fb72be6c71e2c6b0bf72fcd099a661ed668e9546203ed2bdf93374c8108

SHA512
26491b0181ae6854b3b7609fdc6fe371ca52a3ec6b2d8f68690156d9770d1156e666a68916861cbb6171ac9730ec3a39409894df6ad62a9fb57fbd9e4843e06d

Download Submit
memory/744-228-0x0000000002030000-0x0000000002070000-memory.dmp

Filesize
256KB

Download
memory/744-108-0x0000000002030000-0x0000000002070000-memory.dmp

Filesize
256KB

Download
memory/2088-172-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/2088-189-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2088-231-0x0000000006680000-0x0000000006780000-memory.dmp

Filesize
1024KB

Download
memory/2088-173-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/2088-174-0x0000000006680000-0x0000000006780000-memory.dmp

Filesize
1024KB

Download
memory/2088-3-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/2088-188-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2088-2-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2088-190-0x0000000006680000-0x0000000006780000-memory.dmp

Filesize
1024KB

Download
memory/2088-227-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/2088-0-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2088-229-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/2088-230-0x0000000006680000-0x0000000006780000-memory.dmp

Filesize
1024KB

Download
memory/2900-94-0x0000000002080000-0x00000000020C0000-memory.dmp

Filesize
256KB

Download