Analysis
Max time kernel: 100s
Max time network: 103s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-uk
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-uk, locale:uk-ua, os:windows10-2004-x64, system:windows
Submitted: 04-06-2024 11:05
Static task: static1
Behavioral task: behavioral1
Sample: CarambaSwitcher.2023.08.15.exe
Resource: win10v2004-20240508-uk
General
Target: CarambaSwitcher.2023.08.15.exe
Size: 5.7MB
MD5: 1f4ae7d0a77c2dbf9d830fc5b588978c
SHA1: fb0281346c01ec79973ab42f39f1f7d84f9f0139
SHA256: 58fe5ccd03066294ac07a4f4d7583158e4a139687e539ea0abe0ec7c84e4736e
SHA512: bfc02c6fc2b1d02eca8a17569a8acb86e2a605c5113e84644fef5668d05d3e287c72df130dc2be1188ac49d97ea2aa32b6f0f4b6db8415779f1e3b90631a6583
SSDEEP: 98304:OSirFCHjrFSjDRWRbvaXIKLqXmQk4N2tV2Ta45ONtVcv8Fl+DasMqGXC:EosAhql/QkHthhfbl+WXqYC
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
    Process: CarambaSwitcher.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CarambaSwitcher.exe = "\"C:\\Program Files (x86)\\Caramba\\Switcher\\CarambaSwitcher.exe\" "

Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (7 IoCs)
    Process: CarambaSwitcher.2023.08.15.tmp
    File created: C:\Program Files (x86)\Caramba\Switcher\unins000.dat
    File created: C:\Program Files (x86)\Caramba\Switcher\is-4JMAM.tmp
    File created: C:\Program Files (x86)\Caramba\Switcher\is-4ID5Q.tmp
    File created: C:\Program Files (x86)\Caramba\Switcher\is-HC9NM.tmp
    File created: C:\Program Files (x86)\Caramba\Switcher\is-B1K4C.tmp
    File created: C:\Program Files (x86)\Caramba\Switcher\unins000.msg
    File opened for modification: C:\Program Files (x86)\Caramba\Switcher\unins000.dat

Executes dropped EXE (2 IoCs)
    PID 4020  CarambaSwitcher.2023.08.15.tmp
    PID 1456  CarambaSwitcher.exe

Loads dropped DLL (1 IoC)
    PID 1456  CarambaSwitcher.exe

Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoC)
    PID 4644  taskkill.exe

Modifies Control Panel (1 IoC)
    Process: CarambaSwitcher.exe
    Set value (int): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\LowLevelHooksTimeout = "3000"

Suspicious use of AdjustPrivilegeToken (1 IoC)
    PID 4644  taskkill.exe  Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (3 IoCs)
    PID 4020  CarambaSwitcher.2023.08.15.tmp  (1 occurrence)
    PID 1456  CarambaSwitcher.exe  (2 occurrences)

Suspicious use of SendNotifyMessage (2 IoCs)
    PID 1456  CarambaSwitcher.exe  (2 occurrences)

Suspicious use of SetWindowsHookEx (18 IoCs)
    PID 1456  CarambaSwitcher.exe  (18 occurrences)

Suspicious use of WriteProcessMemory (13 IoCs)
    Source process                         Target process                        Writes
    PID 2676  CarambaSwitcher.2023.08.15.exe -> PID 4020  CarambaSwitcher.2023.08.15.tmp  3
    PID 4020  CarambaSwitcher.2023.08.15.tmp -> PID 4644  taskkill.exe                    3
    PID 4020  CarambaSwitcher.2023.08.15.tmp -> PID 1456  CarambaSwitcher.exe             3
    PID 1456  CarambaSwitcher.exe            -> PID 3120  msedge.exe                      2
    PID 1456  CarambaSwitcher.exe            -> PID 2124  msedge.exe                      2
Processes
(Indentation shows the parent/child depth reported by the sandbox; the Edge helper processes at the end were recorded at depth 1.)

C:\Users\Admin\AppData\Local\Temp\CarambaSwitcher.2023.08.15.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CarambaSwitcher.2023.08.15.exe"
    PID: 2676
    Signatures: Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp" /SL5="$901C2,5063765,904192,C:\Users\Admin\AppData\Local\Temp\CarambaSwitcher.2023.08.15.exe"
        PID: 4020
        Signatures: Drops file in Program Files directory; Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe
            Command line: "taskkill.exe" /f /im CarambaSwitcher.exe
            PID: 4644
            Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

        C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe
            Command line: "C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe" --install
            PID: 1456
            Signatures: Adds Run key to start application; Executes dropped EXE; Loads dropped DLL; Modifies Control Panel; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://sciter.com/
                PID: 3120

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://caramba-switcher.com/eula
                PID: 2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=uk --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4324,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=1324 /prefetch:8
    PID: 3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=uk --js-flags=--ms-user-locale=uk_UA --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4812,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5000 /prefetch:1
    PID: 436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=uk --js-flags=--ms-user-locale=uk_UA --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=5004,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5020 /prefetch:1
    PID: 3516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=uk --js-flags=--ms-user-locale=uk_UA --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5068,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5476 /prefetch:1
    PID: 4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=uk --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5592,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5628 /prefetch:8
    PID: 2568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=uk --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6024,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=6008 /prefetch:8
    PID: 4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=uk --js-flags=--ms-user-locale=uk_UA --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5876,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=6276 /prefetch:1
    PID: 3572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=uk --js-flags=--ms-user-locale=uk_UA --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6504,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=6424 /prefetch:1
    PID: 4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=uk --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6732,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:8
    PID: 3048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=uk --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6928,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:8
    PID: 1732
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 8.6MB
MD5: f93d9f0acdabd1d85392b77b1ef5c4b0
SHA1: 40848ea6649d1a3b0868cab7c00c2821da19031e
SHA256: cacbaab2b9ec1d1a3916629df67e22c5e829f602f6970bfa6138c9cf62190c48
SHA512: 83d8aa6fe2402790cc873ce8a008df7187dde30ce1dd3afe78c2ac89be08f063ea42f9ab6eb5e1f6c8b52a2d8afd1821e24eb536f2d013217bd4178b7907254b

Filesize: 2.1MB
MD5: 165dcd52e7e4bd2f8b21245703323f04
SHA1: 25da757d2d106ad6defc8b2f761e060832044167
SHA256: c63e4728d0a898ca26fb7f29ca29931e81e857eef76c60ec6b13178c26efecf7
SHA512: 6caa0ddfe7b6b168540eb382a97bd6524a01f0ba4f76315c152b370d17556e8dbc91f443de487998bc0adca26d80fd52658186125b4ed55043efb66a4088e259

Filesize: 3.1MB
MD5: eb88817d353017f10005d31fd5a7a817
SHA1: 0ace73cb77cd73d5713bbf62a353d0485bc2314e
SHA256: 8a3bdf9515f93d6c9193a3d6bc3a788288261686d2a6bf9da2f308a271fbf011
SHA512: 79f9df34c611a7856379fbadadd011b58d76821d33a0dd9f94964d080fdea68be40d556245b07e17e04b5201cd9440db5fe7e9eb554a9d4fca6b4c0ed4602862