Resubmissions
12/03/2024, 12:19
240312-phjk9age7z 612/03/2024, 12:16
240312-pfw4kage5s 312/03/2024, 12:15
240312-pe115aad82 3Analysis
-
max time kernel
415s -
max time network
312s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
12/03/2024, 12:19
General
-
Target
Cartis-Tweaker-V7.exe
-
Size
103KB
-
MD5
7f5ccc3c0ce7a1000e19f00ea0aff3a3
-
SHA1
72afe8e65be41c275c644da6257876d02b7e6e3e
-
SHA256
89a33759410c69ad66d98e787f4673272a9ac13c86e3552370a3fadc185c7209
-
SHA512
a1a7f6d82549c76d83095d8b10d7aecc41f6ac47fa46463a07813a9eda39c6c7b27f19ad546dac9cf4910fe5004d45bbb45066855e869b6f53318db76ac22b23
-
SSDEEP
1536:n7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfNwqPajmuSOo:77DhdC6kzWypvaQ0FxyNTBfNNPhua
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Cartis-Tweaker-V7.exe"C:\Users\Admin\AppData\Local\Temp\Cartis-Tweaker-V7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4978.tmp\4979.tmp\497A.bat C:\Users\Admin\AppData\Local\Temp\Cartis-Tweaker-V7.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con: cols=1553⤵
-
-
C:\Windows\system32\net.exenet session3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session4⤵
-
-
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\mode.commode con cols=1923⤵
-
-
C:\Windows\system32\mode.commode con lines=453⤵
-
-
C:\Windows\system32\cscript.execscript //nologo C:\Users\Admin\AppData\Local\Temp\message.vbs3⤵
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Opened.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\SearchProtocolHost.exe"C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\System32\SearchProtocolHost.exe"C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3852399462-405385529-394778097-10002_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3852399462-405385529-394778097-10002 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 828 2712 2696 816 {85EE815A-7738-4808-A14A-3AD87E32A3BF}2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 828 2672 2668 816 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Cartis-Tweaker-V7.exe"C:\Users\Admin\AppData\Local\Temp\Cartis-Tweaker-V7.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\Cartis-Tweaker-V7.exe"C:\Users\Admin\AppData\Local\Temp\Cartis-Tweaker-V7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\70DD.tmp\70DE.tmp\70DF.bat C:\Users\Admin\AppData\Local\Temp\Cartis-Tweaker-V7.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con: cols=1553⤵
-
-
C:\Windows\system32\net.exenet session3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session4⤵
-
-
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\mode.commode con cols=1923⤵
-
-
C:\Windows\system32\mode.commode con lines=453⤵
-
-
C:\Windows\system32\cscript.execscript //nologo C:\Users\Admin\AppData\Local\Temp\message.vbs3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD50c3a00da899e8955f22607eaa28d6289
SHA1acb0b64951d0fa8a0adf169efd578abe4ee7205c
SHA25696a62e3c175bd2c003ff0bc162030ae707ad81b8e899baf7401b734a30a68d4d
SHA51238b9bce5c2657c33cf8fa91bc40ab139d016dfb7a6336009b592d6e5074f78b5003fde64a90a076642ec5d1e6f4b78be5ee26d964667f589b559b802ba3147f3
-
Filesize
122B
MD5b8904b2fe2b46f5af90cb6521892e34e
SHA1bf200daf548f3ec60bfac0e435174c9606cefaac
SHA256ba2bb863679cd17e175e4fe87603c8512859d927636fd85b4fe948018a751dfe
SHA512742c7f8d1c778e17294d2384f11f87f2956f89fec375263cc379d8cae1583e5b8e81ad59190011320e3b4bb466f7513d57846a257d45946e1c3bb7f094318c57
-
Filesize
202B
MD5dd0c1d22223d8d0e4e271a25a6576eb5
SHA124db1209d718bd8eb443da6eec2ee28d39aaecd8
SHA256c5b636a315f8af0aac9068a2517dbb1fe136a77b9baefd12af102e65b28a13e2
SHA512fe7568b22218c10b268c115f2209ffa8282777e354a9ce0980857879c0364f005fb6af69627e95286a8229191d34e97479498986c657c6d4a394e54731653195
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
756KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
756KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
756KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB