5341b3921b75549adbe59365517c30bd045e63162728d9ba48f79832fea1bea0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Connectify.exe
Size

1.3MB
MD5

b05b39eaf75a2bf3b7a48de21ec53bf2
SHA1

246859e734f9bef2af407ff68edb0083db8cb6d8
SHA256

dfa9801d4bd605daeca0c170b27a5ca9fe6a062db7dd14390b59a5facd15e1dd
SHA512

c16c076890eef5e7217e3493513cd707c5a98ef6a18aa950212ba428a1fa4a9b85f336d1e9bf98540dff11286fc3cc9b22eca25ec8740aeaf8ac68d0f1c2b837
SSDEEP

12288:G6hgH2p/dQmKaUQKaUDpFwYBzKgKfLu/GwKaUd:G6hgS/CmjLjWpGYJKgaLuHjk

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

Processes:

Connectify.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	Connectify.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Connectify.exe

Drops file in Windows directory 3 IoCs

Processes:

Connectify.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	Connectify.exe
File created	C:\Windows\assembly\Desktop.ini	Connectify.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Connectify.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Connectify.exe

description pid process

Token: SeDebugPrivilege 1996 Connectify.exe

description	pid	process
Token: SeDebugPrivilege	1996	Connectify.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

Connectify.exe

pid	process
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

Connectify.exe

pid	process
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe
1996	Connectify.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Connectify.exe

pid process

1996 Connectify.exe
1996 Connectify.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Connectify.execsc.execsc.execsc.exe

description	pid	process	target process
PID 1996 wrote to memory of 2860	1996	Connectify.exe	csc.exe
PID 1996 wrote to memory of 2860	1996	Connectify.exe	csc.exe
PID 1996 wrote to memory of 2860	1996	Connectify.exe	csc.exe
PID 2860 wrote to memory of 1632	2860	csc.exe	cvtres.exe
PID 2860 wrote to memory of 1632	2860	csc.exe	cvtres.exe
PID 2860 wrote to memory of 1632	2860	csc.exe	cvtres.exe
PID 1996 wrote to memory of 4384	1996	Connectify.exe	csc.exe
PID 1996 wrote to memory of 4384	1996	Connectify.exe	csc.exe
PID 1996 wrote to memory of 4384	1996	Connectify.exe	csc.exe
PID 4384 wrote to memory of 5044	4384	csc.exe	cvtres.exe
PID 4384 wrote to memory of 5044	4384	csc.exe	cvtres.exe
PID 4384 wrote to memory of 5044	4384	csc.exe	cvtres.exe
PID 1996 wrote to memory of 4836	1996	Connectify.exe	csc.exe
PID 1996 wrote to memory of 4836	1996	Connectify.exe	csc.exe
PID 1996 wrote to memory of 4836	1996	Connectify.exe	csc.exe
PID 4836 wrote to memory of 4756	4836	csc.exe	cvtres.exe
PID 4836 wrote to memory of 4756	4836	csc.exe	cvtres.exe
PID 4836 wrote to memory of 4756	4836	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\Connectify.exe
"C:\Users\Admin\AppData\Local\Temp\Connectify.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bcbq4rhc.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50C1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC50C0.tmp"
3⤵
PID:1632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kw0mptn9.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES517C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC517B.tmp"
3⤵
PID:5044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\izdwxuka.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5610.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC560F.tmp"
3⤵
PID:4756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES50C1.tmp

Filesize
1KB

MD5
7fd88c80fd72ba0f3ca23e4f5284718f

SHA1
72f77581cc9c66015eda47b812935dd972b51a0d

SHA256
d8a413f4b7f945ac1203e4a50cdbb0b682d3c1afe7229e30b7364e7f57648fdf

SHA512
050eafe562823680158b2db7919738bffe3fb5df53fd826eb36dca813c2159d7ab5689c503cca08be433a0ad434fd140175c9c4df3b7661f7f5fca7eae0c3500

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES517C.tmp

Filesize
1KB

MD5
d8372969014d8b7c8dd8b074fff88fb3

SHA1
99da2428ae16f49602fbf37fbd33683caab37007

SHA256
1fbdd91b9f9f503cf3d0b3b6a1f8600b9a4f218211cf9371955133a4f7c3eeb2

SHA512
43ca99879e6d839bb0dfa2c2baec97c8c4ff5c4da1420fe6b481c772c194b1ff500e4f711acbbf805bd23378388daead80843c792ec312327e78427a6ac58a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5610.tmp

Filesize
1KB

MD5
8dddcaf747a8ed3babd701713631552c

SHA1
a57fc3265744c2a1fbd890e61d6307b3978f815d

SHA256
01460aad5c2cb7ebefef63cbd7fb992931787138421ea50a2a10b48d96a6242d

SHA512
4821c8cb7346067d63fd9a0ca663f1378c02d38b4b865c120b94c1a5de2e85acbdccb728eb30e9aad0e500368e7e7c63534555198a618a76e9480c5eb76229e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcbq4rhc.dll

Filesize
10KB

MD5
89e007710f6db1009ac8bd3b737e5fa8

SHA1
1649927c3896de4408d7250a61006c0e2efbfbd3

SHA256
84f012c1e5db7611ab759c9028b29f3490cfca6aad460c621b86d9ef8c0bbf55

SHA512
7df1ea4a2c7a2cb8e1a719baf8c237943cccc3b5e313c19140e9823c883f87bfbfea68062f4982700d7f3405be693ada20997724f2a638e3f0b7235d55274fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\izdwxuka.dll

Filesize
9KB

MD5
505c330ad7cb9d496d2a994f3249199d

SHA1
e99327c900a14b7b93e4e7003bcfab9869f5741b

SHA256
c26936766918377be4d43cef285352d93c16bd07d7a2696ddec49308602c6d53

SHA512
93701405a1d78f1c545a01e614f998fc3b8836ccbfcb8f4287b6250f78655178a873eefbdd8c7c9e86fa5adc4c3f58ee2b7bd834523612d47b20caa34c2529c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kw0mptn9.dll

Filesize
8KB

MD5
9c8fe1009d62efe3a26d046d3247220f

SHA1
b638997d5acbd4e4122f1df528950cf8a7d174c7

SHA256
fa17ccbb32175789cc695b3f239f9b0affb86193dc2cf32fe3588564b654b83d

SHA512
77caa433fec52cbbcea33f11b0cdd256cf932a5617a20a5302381b037c74fde268d56cb34819009a701635c60e23bd63bce837863f6e3e152ae1d32b3c30d27a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC50C0.tmp

Filesize
652B

MD5
bcdbf0b805bdb77f33642cf0a54b0df8

SHA1
826d3fb0843025e1cc1909cbc00ed93906816b80

SHA256
cc65c69635d5e456afacec43231cc71070df03cfd5e4fef4a85efd42d82b2758

SHA512
c1f427a6ec4d29c7d63d24b2825e17c8af405ab18ff07175e88669d729df73d0656bfa98d32eda6056b0ad66a79b65162ccbf21d960cbb6d6633aafe47bbdca2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC517B.tmp

Filesize
700B

MD5
22875d90690a14cbe136ff4881b40d56

SHA1
a1302f855f4f3758c37026c545e472242de3aacc

SHA256
a3dd56cf8a1cba0272f8dc37b2cdc0ee0f9d9890c87b59c70ab126d4a42b7d99

SHA512
b57444b603094dcdbb777337c8e26d86e8e72f96b80dc06314d069508d9824fcaddb4001d1ab47302104c31864cdb5936572d8a77a3206777be5345ace615eb4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC560F.tmp

Filesize
652B

MD5
d69e3bd86638b61875e10bf2a0ec9706

SHA1
ab55c1c1160ca1b455ebcefa7acc1a1c866667f6

SHA256
4fe27464c400aca181ef082c3bf63e32acddeb592a7972eba0197cb7120b5e6e

SHA512
7d6dabf08133bf749146083ed9dd828c9a8a08568519f0d9a259fce0846ece94c9f054dd23d400881cb67c59611b0c76fefd96808d85bbd14397259887bd8a92

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bcbq4rhc.0.cs

Filesize
16KB

MD5
2acd8c6a61b4e380150e9279d971f493

SHA1
40960648651593045fda00cfbe3de316e0a43e42

SHA256
e4a02f3367b91e9d001f2b69faf923ea4cacd68232b675df782a1221af7d0395

SHA512
cd600e638fa0f2f6d90ea0562f8fb89da8517c50eccfc1fa0c75d93ea1dc61f8eeea3f9bad952e6894beb0fc0cd903b56ff9b52150ff1a181bacbf5e23ee957e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bcbq4rhc.cmdline

Filesize
401B

MD5
5835e584c24b6085c61b6131185fcf61

SHA1
53abf2f1404e06d8316d6173b59a9a64c4e82114

SHA256
65fff7411c56ea4e2433637c178f38c0afd9bd255a4df4a99d68a985a85ceaf2

SHA512
417325981d9f9442e28e0faa7755050a8570e28a8e76a7cc6cb8be2c1377562809bc31f23fa7dfc900ef8218c27701cd134a0f7efd82ee93bbf9df9440625ada

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\izdwxuka.0.cs

Filesize
18KB

MD5
528eee3560dbb40a85ab9b41c6aa9837

SHA1
9b5ff4b92de20e84aa1c407731d0d87025e5dc44

SHA256
a6383ad80f759d105c9f4d9e0d024d8331371c58db63f2beeb7eaf87d1f0e433

SHA512
594710420a7900b1a1e32106d07d23ae26b0d1b756354a6d5af0af5aa5df7dc32562bd9bc24bb7e938949a9accd5248a1038cd532a9af22118aaf5333a50a4b1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\izdwxuka.cmdline

Filesize
401B

MD5
58c911d60d32357fe0083fa5d463e567

SHA1
c23649f7d458d9c3b3a26f229763246fa55cfc08

SHA256
98fedab7a635a4859cc9f1febac388a29755edf941581cf6b2cb46d14668c7af

SHA512
ac3eadd4499af820a88522756db2b1d43bd78bd73302d51c4090179e5b3f2369f7dc578f0a65491549fa0832920c30b2de5db91ff69e8a6ec076413cbf35358f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kw0mptn9.0.cs

Filesize
11KB

MD5
529769583c8f35aaf52e20a7f520f0b5

SHA1
e66056ce1c9ce0531006178e5529cf5b6f8e3499

SHA256
20c939fce90096f57b1936c35edb703461d4063629c3f84b6c35522e0be692e4

SHA512
128456ee9e3dc5c33d97fb1c2d2ea58a7aa6bb600ec3e20abf63155b343b396cbc3c7c9ed678d148e43609550102fc11e65c2beaf62ba31ba2e93f9a72993844

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kw0mptn9.cmdline

Filesize
401B

MD5
cd904f857dcfc13ab0beeee6d3283a35

SHA1
38f5092d99b4147d49d4a2c53ccd2b92e5058769

SHA256
f212792b2614c7d1bf52f97ddf2cee61d9b816213f4ab0cbe1819442a52663d1

SHA512
43018ccb678edd8ba6f6fe92df5ca203d2341713780afb08db4e4d05d872f80a152f2b794792a2facb8d7d47aa6d5c1be5541e14f61f02510b4502bd52388521

Download Submit
memory/1996-46-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/1996-65-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/1996-47-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/1996-45-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/1996-44-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/1996-68-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/1996-67-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/1996-2-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/1996-1-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/1996-61-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/1996-62-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/1996-63-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/1996-64-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/1996-0-0x00000000751F0000-0x00000000757A1000-memory.dmp

Filesize
5.7MB

Download
memory/1996-66-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/2860-20-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/4384-34-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download