Malware Analysis Report

2024-11-13 13:24

Sample ID 240604-m6w55see87
Target CarambaSwitcher.2023.08.15.exe
SHA256 58fe5ccd03066294ac07a4f4d7583158e4a139687e539ea0abe0ec7c84e4736e
Tags
risepro discovery persistence stealer
score
10/10

Analysis Overview

score
10/10

SHA256

58fe5ccd03066294ac07a4f4d7583158e4a139687e539ea0abe0ec7c84e4736e

Threat Level: Known bad

The file CarambaSwitcher.2023.08.15.exe was found to be: Known bad.

Malicious Activity Summary

risepro discovery persistence stealer

RisePro

Adds Run key to start application

Drops file in Program Files directory

Executes dropped EXE

Checks installed software on the system

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Kills process with taskkill

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 11:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 11:05

Reported

2024-06-04 11:07

Platform

win10v2004-20240508-uk

Max time kernel

100s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CarambaSwitcher.2023.08.15.exe"

Signatures

RisePro

stealer risepro

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CarambaSwitcher.exe = "\"C:\\Program Files (x86)\\Caramba\\Switcher\\CarambaSwitcher.exe\" " C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Caramba\Switcher\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp N/A
File created C:\Program Files (x86)\Caramba\Switcher\is-4JMAM.tmp C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp N/A
File created C:\Program Files (x86)\Caramba\Switcher\is-4ID5Q.tmp C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp N/A
File created C:\Program Files (x86)\Caramba\Switcher\is-HC9NM.tmp C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp N/A
File created C:\Program Files (x86)\Caramba\Switcher\is-B1K4C.tmp C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp N/A
File created C:\Program Files (x86)\Caramba\Switcher\unins000.msg C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp N/A
File opened for modification C:\Program Files (x86)\Caramba\Switcher\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\LowLevelHooksTimeout = "3000" C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe N/A
N/A N/A C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\CarambaSwitcher.2023.08.15.exe C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp
PID 2676 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\CarambaSwitcher.2023.08.15.exe C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp
PID 2676 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\CarambaSwitcher.2023.08.15.exe C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp
PID 4020 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp C:\Windows\SysWOW64\taskkill.exe
PID 4020 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp C:\Windows\SysWOW64\taskkill.exe
PID 4020 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp C:\Windows\SysWOW64\taskkill.exe
PID 4020 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe
PID 4020 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe
PID 4020 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe
PID 1456 wrote to memory of 3120 N/A C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1456 wrote to memory of 3120 N/A C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1456 wrote to memory of 2124 N/A C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1456 wrote to memory of 2124 N/A C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CarambaSwitcher.2023.08.15.exe

"C:\Users\Admin\AppData\Local\Temp\CarambaSwitcher.2023.08.15.exe"

C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp" /SL5="$901C2,5063765,904192,C:\Users\Admin\AppData\Local\Temp\CarambaSwitcher.2023.08.15.exe"

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /f /im CarambaSwitcher.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=uk --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4324,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=1324 /prefetch:8

C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe

"C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe" --install

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://sciter.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=uk --js-flags=--ms-user-locale=uk_UA --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4812,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=uk --js-flags=--ms-user-locale=uk_UA --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=5004,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5020 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=uk --js-flags=--ms-user-locale=uk_UA --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5068,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=uk --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5592,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5628 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=uk --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6024,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=6008 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=uk --js-flags=--ms-user-locale=uk_UA --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5876,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=6276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://caramba-switcher.com/eula

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=uk --js-flags=--ms-user-locale=uk_UA --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6504,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=6424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=uk --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6732,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=uk --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6928,i,208337851633708626,5887062041918523690,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:8

Network


Files

memory/2676-2-0x0000000000401000-0x00000000004B7000-memory.dmp

memory/2676-0-0x0000000000400000-0x00000000004EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-DMT42.tmp\CarambaSwitcher.2023.08.15.tmp

MD5 eb88817d353017f10005d31fd5a7a817
SHA1 0ace73cb77cd73d5713bbf62a353d0485bc2314e
SHA256 8a3bdf9515f93d6c9193a3d6bc3a788288261686d2a6bf9da2f308a271fbf011
SHA512 79f9df34c611a7856379fbadadd011b58d76821d33a0dd9f94964d080fdea68be40d556245b07e17e04b5201cd9440db5fe7e9eb554a9d4fca6b4c0ed4602862

memory/4020-6-0x0000000000400000-0x0000000000724000-memory.dmp

C:\Program Files (x86)\Caramba\Switcher\CarambaSwitcher.exe

MD5 f93d9f0acdabd1d85392b77b1ef5c4b0
SHA1 40848ea6649d1a3b0868cab7c00c2821da19031e
SHA256 cacbaab2b9ec1d1a3916629df67e22c5e829f602f6970bfa6138c9cf62190c48
SHA512 83d8aa6fe2402790cc873ce8a008df7187dde30ce1dd3afe78c2ac89be08f063ea42f9ab6eb5e1f6c8b52a2d8afd1821e24eb536f2d013217bd4178b7907254b

C:\Program Files (x86)\Caramba\Switcher\WinSparkle.dll

MD5 165dcd52e7e4bd2f8b21245703323f04
SHA1 25da757d2d106ad6defc8b2f761e060832044167
SHA256 c63e4728d0a898ca26fb7f29ca29931e81e857eef76c60ec6b13178c26efecf7
SHA512 6caa0ddfe7b6b168540eb382a97bd6524a01f0ba4f76315c152b370d17556e8dbc91f443de487998bc0adca26d80fd52658186125b4ed55043efb66a4088e259

memory/4020-40-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2676-41-0x0000000000400000-0x00000000004EA000-memory.dmp