Analysis

  • max time kernel
    146s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-07-2024 23:09

General

  • Target

    $TEMP/TemporaryComodoProduct/CBU.exe

  • Size

    11.6MB

  • MD5

    2c6d19e7d5f91b5ef322df2f30e6ad53

  • SHA1

    2acd52bbe67614ea784899e9a96898bb2d5908ff

  • SHA256

    442f3b1a6a282dedaf4e39de36af4bcce2c0b0c145d8895c7f236bc8576c84b6

  • SHA512

    d5db241a31693128199bbe588c9091c503c81b55bfdf5cb380a83f4a00a783aff3cbca25e03d3f1763f057b6f056c805d0ee093c6022baf08584f5ee3c85ec6f

  • SSDEEP

    98304:GN8nfosYu8Ok2ZPtHGuVGSjk3pH9NOi/59xF:GN8nf9udSelKinxF

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Network Service Discovery 1 TTPs 8 IoCs

    Attempts to gather information on the host's network.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\TemporaryComodoProduct\CBU.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\TemporaryComodoProduct\CBU.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c arp -a > C:\Users\Admin\AppData\Local\Temp\iplist.txt
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\SysWOW64\ARP.EXE
        arp -a
        3⤵
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        PID:2220
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c arp -a > C:\Users\Admin\AppData\Local\Temp\iplist.txt
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4244
      • C:\Windows\SysWOW64\ARP.EXE
        arp -a
        3⤵
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        PID:1328
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c arp -a > C:\Users\Admin\AppData\Local\Temp\iplist.txt
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3112
      • C:\Windows\SysWOW64\ARP.EXE
        arp -a
        3⤵
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        PID:3692
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c arp -a > C:\Users\Admin\AppData\Local\Temp\iplist.txt
      2⤵
      • Network Service Discovery
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Windows\SysWOW64\ARP.EXE
        arp -a
        3⤵
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        PID:3564
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 4472
      2⤵
      • Program crash
      PID:220
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
    1⤵
    PID:1656
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1772 -ip 1772
    1⤵
    PID:1700

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\ComodoLogsFolder\CBU.exe.log

        Filesize

        5KB

        MD5

        89d71667f70d0e8a848ba0952fa6b6aa

        SHA1

        5e0ed710b095ad94a6a89e31dd2c81d4854d784b

        SHA256

        d6a16ea912a1332fd13447c8f3ce8d3d29e940cb5d17540677b04143a65e5a8a

        SHA512

        8262b2faaa62db02b0117494018dd8e5a90e1db69a6d6aa3db0a30baf024a517c6598177a9bac55ab1126467fe6609abeb4824e6647c9f6dd5f028d5dc1d89aa

      • C:\Users\Admin\AppData\Local\Temp\ComodoLogsFolder\CBU.exe.log

        Filesize

        1KB

        MD5

        bdeb401e003a08dafe1631a3bd1eea67

        SHA1

        82e8c20d4f93b27a218f36c6401ea628346e712c

        SHA256

        2da340b7799ae8a69f16ce4208a7fcae3cdd858eb2027f616ce51cae57384a19

        SHA512

        26eea021e2e3471850123b5d8b3a7657ac96c540976314706ed11e6744a3072767b927c9e91644dfb593a96d860b40ab6a188daa66824cf1562545a7b1bf0711

      • C:\Users\Admin\AppData\Local\Temp\Network.lnk

        Filesize

        104B

        MD5

        7d5931d6d33c2e264d05d1850be2a39f

        SHA1

        6708d90cd7368d355c101ab1f5903b79eccc3c4a

        SHA256

        2afcca818a534e4f75cf61dc5552400d75406e11830aa7a8a5fd841fe571a723

        SHA512

        83a5de9562b1a9212d20f310f93a23c4e75ea764dcd634af04e8e114e2ff783993ad079aca2e4ee4676cd013c06f3657a9f6a54b7dd72a30836c4fc8e8f91628

      • C:\Users\Admin\AppData\Local\Temp\iplist.txt

        Filesize

        550B

        MD5

        47e850c581418dbb7f4977b810746353

        SHA1

        f5603bc3d5fe0d0c7bac598430e244d442aa2e3d

        SHA256

        4bd1621b1e686de1ec98490fab817d59cb363409fa4e660ae574800f4e77c778

        SHA512

        5d8dfc33acce1d123d989c6cbedd5679196cdd66ac18a5137ee1d22e062f7caf18f57aa9eaddf226df66a086125d0531aca6a52a1776879cc2de32d832e15a83