Analysis
- max time kernel: 146s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-07-2024 23:09
Behavioral tasks (sample, resource):
- behavioral1: ae1c457e4968758551c0e99ce62cb87c02b6c134afda6d1d700da3b37a2d7610.exe, win7-20240704-en
- behavioral2: ae1c457e4968758551c0e99ce62cb87c02b6c134afda6d1d700da3b37a2d7610.exe, win10v2004-20240709-en
- behavioral3: $PLUGINSDIR/Banner.dll, win7-20240704-en
- behavioral4: $PLUGINSDIR/Banner.dll, win10v2004-20240709-en
- behavioral5: $PLUGINSDIR/InstallOptions.dll, win7-20240704-en
- behavioral6: $PLUGINSDIR/InstallOptions.dll, win10v2004-20240709-en
- behavioral7: $PLUGINSDIR/MyLangDLLS3.dll, win7-20240704-en
- behavioral8: $PLUGINSDIR/MyLangDLLS3.dll, win10v2004-20240709-en
- behavioral9: $PLUGINSDIR/MyLangDLLT3.dll, win7-20240708-en
- behavioral10: $PLUGINSDIR/MyLangDLLT3.dll, win10v2004-20240709-en
- behavioral11: $PLUGINSDIR/NSIS_SkinCrafter_Plugin.dll, win7-20240704-en
- behavioral12: $PLUGINSDIR/NSIS_SkinCrafter_Plugin.dll, win10v2004-20240709-en
- behavioral13: $PLUGINSDIR/Plugin.dll, win7-20240704-en
- behavioral14: $PLUGINSDIR/Plugin.dll, win10v2004-20240709-en
- behavioral15: $PLUGINSDIR/System.dll, win7-20240704-en
- behavioral16: $PLUGINSDIR/System.dll, win10v2004-20240709-en
- behavioral17: $PLUGINSDIR/cService.dll, win7-20240708-en
- behavioral18: $PLUGINSDIR/cService.dll, win10v2004-20240709-en
- behavioral19: $PLUGINSDIR/inetc.dll, win7-20240704-en
- behavioral20: $PLUGINSDIR/inetc.dll, win10v2004-20240709-en
- behavioral21: $TEMP/TemporaryComodoProduct/CBU.exe, win7-20240704-en
- behavioral22: $TEMP/TemporaryComodoProduct/CBU.exe, win10v2004-20240709-en
- behavioral23: $TEMP/TemporaryComodoProduct/COSService.exe, win7-20240704-en
- behavioral24: $TEMP/TemporaryComodoProduct/COSService.exe, win10v2004-20240709-en
- behavioral25: $TEMP/TemporaryComodoProduct/CSE.exe, win7-20240705-en
- behavioral26: $TEMP/TemporaryComodoProduct/CSE.exe, win10v2004-20240709-en
- behavioral27: $TEMP/TemporaryComodoProduct/GUIlang.dll, win7-20240708-en
- behavioral28: $TEMP/TemporaryComodoProduct/GUIlang.dll, win10v2004-20240709-en
- behavioral29: $TEMP/TemporaryComodoProduct/GUIlang_CHI.dll, win7-20240708-en
- behavioral30: $TEMP/TemporaryComodoProduct/GUIlang_CHI.dll, win10v2004-20240709-en
- behavioral31: $TEMP/TemporaryComodoProduct/GUIlang_CZE.dll, win7-20240708-en
- behavioral32: $TEMP/TemporaryComodoProduct/GUIlang_CZE.dll, win10v2004-20240709-en
General
- Target: $TEMP/TemporaryComodoProduct/CBU.exe
- Size: 11.6MB
- MD5: 2c6d19e7d5f91b5ef322df2f30e6ad53
- SHA1: 2acd52bbe67614ea784899e9a96898bb2d5908ff
- SHA256: 442f3b1a6a282dedaf4e39de36af4bcce2c0b0c145d8895c7f236bc8576c84b6
- SHA512: d5db241a31693128199bbe588c9091c503c81b55bfdf5cb380a83f4a00a783aff3cbca25e03d3f1763f057b6f056c805d0ee093c6022baf08584f5ee3c85ec6f
- SSDEEP: 98304:GN8nfosYu8Ok2ZPtHGuVGSjk3pH9NOi/59xF:GN8nf9udSelKinxF
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation (CBU.exe)

Network Service Discovery (8 IoCs) [the signature heading was lost in extraction; the name is inferred from the process tree, which tags exactly these processes with it]
- PID 2220 ARP.EXE
- PID 4244 cmd.exe
- PID 1328 ARP.EXE
- PID 3112 cmd.exe
- PID 3692 ARP.EXE
- PID 1184 cmd.exe
- PID 3564 ARP.EXE
- PID 2880 cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
- PID 220 WerFault.exe, pid_target 1772, procid_target 84

System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ARP.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ARP.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (CBU.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ARP.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ARP.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)

Modifies registry class (3 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F1C8520-4C89-4688-8560-5839AAB4D46B} (CBU.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F1C8520-4C89-4688-8560-5839AAB4D46B}\UserID = "8FCCEF09C2AD4436A61F97E8E6187877" (CBU.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings (CBU.exe)

Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 1772 CBU.exe
- PID 1772 CBU.exe
- PID 1772 CBU.exe
- PID 1772 CBU.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Each entry: description; pid; process; procid_target.
- PID 1772 wrote to memory of 2880; 1772; CBU.exe; 86
- PID 1772 wrote to memory of 2880; 1772; CBU.exe; 86
- PID 1772 wrote to memory of 2880; 1772; CBU.exe; 86
- PID 2880 wrote to memory of 2220; 2880; cmd.exe; 88
- PID 2880 wrote to memory of 2220; 2880; cmd.exe; 88
- PID 2880 wrote to memory of 2220; 2880; cmd.exe; 88
- PID 1772 wrote to memory of 4244; 1772; CBU.exe; 89
- PID 1772 wrote to memory of 4244; 1772; CBU.exe; 89
- PID 1772 wrote to memory of 4244; 1772; CBU.exe; 89
- PID 4244 wrote to memory of 1328; 4244; cmd.exe; 91
- PID 4244 wrote to memory of 1328; 4244; cmd.exe; 91
- PID 4244 wrote to memory of 1328; 4244; cmd.exe; 91
- PID 1772 wrote to memory of 3112; 1772; CBU.exe; 93
- PID 1772 wrote to memory of 3112; 1772; CBU.exe; 93
- PID 1772 wrote to memory of 3112; 1772; CBU.exe; 93
- PID 3112 wrote to memory of 3692; 3112; cmd.exe; 95
- PID 3112 wrote to memory of 3692; 3112; cmd.exe; 95
- PID 3112 wrote to memory of 3692; 3112; cmd.exe; 95
- PID 1772 wrote to memory of 1184; 1772; CBU.exe; 100
- PID 1772 wrote to memory of 1184; 1772; CBU.exe; 100
- PID 1772 wrote to memory of 1184; 1772; CBU.exe; 100
- PID 1184 wrote to memory of 3564; 1184; cmd.exe; 103
- PID 1184 wrote to memory of 3564; 1184; cmd.exe; 103
- PID 1184 wrote to memory of 3564; 1184; cmd.exe; 103
Processes
- CBU.exe (PID 1772): C:\Users\Admin\AppData\Local\Temp\$TEMP\TemporaryComodoProduct\CBU.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\TemporaryComodoProduct\CBU.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - cmd.exe (PID 2880): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c arp -a > C:\Users\Admin\AppData\Local\Temp\iplist.txt
    Signatures: Network Service Discovery; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - ARP.EXE (PID 2220): C:\Windows\SysWOW64\ARP.EXE
      Command line: arp -a
      Signatures: Network Service Discovery; System Location Discovery: System Language Discovery
  - cmd.exe (PID 4244): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c arp -a > C:\Users\Admin\AppData\Local\Temp\iplist.txt
    Signatures: Network Service Discovery; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - ARP.EXE (PID 1328): C:\Windows\SysWOW64\ARP.EXE
      Command line: arp -a
      Signatures: Network Service Discovery; System Location Discovery: System Language Discovery
  - cmd.exe (PID 3112): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c arp -a > C:\Users\Admin\AppData\Local\Temp\iplist.txt
    Signatures: Network Service Discovery; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - ARP.EXE (PID 3692): C:\Windows\SysWOW64\ARP.EXE
      Command line: arp -a
      Signatures: Network Service Discovery; System Location Discovery: System Language Discovery
  - cmd.exe (PID 1184): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c arp -a > C:\Users\Admin\AppData\Local\Temp\iplist.txt
    Signatures: Network Service Discovery; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - ARP.EXE (PID 3564): C:\Windows\SysWOW64\ARP.EXE
      Command line: arp -a
      Signatures: Network Service Discovery; System Location Discovery: System Language Discovery
  - WerFault.exe (PID 220): C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 4472
    Signatures: Program crash
- svchost.exe (PID 1656): C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
- WerFault.exe (PID 1700): C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1772 -ip 1772
Network
MITRE ATT&CK Enterprise v15
Downloads