Overview (score 10)

Tasks and scores (sample names truncated as on the original page; the full names are listed under Behavioral task below)
Static: 10
CB_setup.exe (windows7-x64): 10
CB_setup.exe (windows10-2004-x64): 10
$PLUGINSDI...er.dll (windows7-x64): 3
$PLUGINSDI...er.dll (windows10-2004-x64): 3
$PLUGINSDI...ns.dll (windows7-x64): 3
$PLUGINSDI...ns.dll (windows10-2004-x64): 3
$PLUGINSDI...S3.dll (windows7-x64): 3
$PLUGINSDI...S3.dll (windows10-2004-x64): 3
$PLUGINSDI...T3.dll (windows7-x64): 3
$PLUGINSDI...T3.dll (windows10-2004-x64): 3
$PLUGINSDI...in.dll (windows7-x64): 3
$PLUGINSDI...in.dll (windows10-2004-x64): 3
$PLUGINSDI...in.dll (windows7-x64): 3
$PLUGINSDI...in.dll (windows10-2004-x64): 3
$PLUGINSDI...em.dll (windows7-x64): 3
$PLUGINSDI...em.dll (windows10-2004-x64): 3
$PLUGINSDI...ce.dll (windows7-x64): 3
$PLUGINSDI...ce.dll (windows10-2004-x64): 3
$PLUGINSDIR/inetc.dll (windows7-x64): 3
$PLUGINSDIR/inetc.dll (windows10-2004-x64): 3
$TEMP/Temp...BU.exe (windows7-x64): 6
$TEMP/Temp...BU.exe (windows10-2004-x64): 7
$TEMP/Temp...ce.exe (windows7-x64): 3
$TEMP/Temp...ce.exe (windows10-2004-x64): 3
$TEMP/Temp...SE.exe (windows7-x64): 3
$TEMP/Temp...SE.exe (windows10-2004-x64): 3
$TEMP/Temp...ng.dll (windows7-x64): 1
$TEMP/Temp...ng.dll (windows10-2004-x64): 1
$TEMP/Temp...HI.dll (windows7-x64): 1
$TEMP/Temp...HI.dll (windows10-2004-x64): 1
$TEMP/Temp...ZE.dll (windows7-x64): 1
$TEMP/Temp...ZE.dll (windows10-2004-x64): 1

Analysis
max time kernel: 148s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-07-2024 22:51
Behavioral tasks (task: sample, resource)
behavioral1: CB_setup.exe (win7-20240708-en)
behavioral2: CB_setup.exe (win10v2004-20240709-en)
behavioral3: $PLUGINSDIR/Banner.dll (win7-20240708-en)
behavioral4: $PLUGINSDIR/Banner.dll (win10v2004-20240709-en)
behavioral5: $PLUGINSDIR/InstallOptions.dll (win7-20240704-en)
behavioral6: $PLUGINSDIR/InstallOptions.dll (win10v2004-20240709-en)
behavioral7: $PLUGINSDIR/MyLangDLLS3.dll (win7-20240704-en)
behavioral8: $PLUGINSDIR/MyLangDLLS3.dll (win10v2004-20240709-en)
behavioral9: $PLUGINSDIR/MyLangDLLT3.dll (win7-20240705-en)
behavioral10: $PLUGINSDIR/MyLangDLLT3.dll (win10v2004-20240709-en)
behavioral11: $PLUGINSDIR/NSIS_SkinCrafter_Plugin.dll (win7-20240704-en)
behavioral12: $PLUGINSDIR/NSIS_SkinCrafter_Plugin.dll (win10v2004-20240709-en)
behavioral13: $PLUGINSDIR/Plugin.dll (win7-20240704-en)
behavioral14: $PLUGINSDIR/Plugin.dll (win10v2004-20240709-en)
behavioral15: $PLUGINSDIR/System.dll (win7-20240708-en)
behavioral16: $PLUGINSDIR/System.dll (win10v2004-20240709-en)
behavioral17: $PLUGINSDIR/cService.dll (win7-20240708-en)
behavioral18: $PLUGINSDIR/cService.dll (win10v2004-20240709-en)
behavioral19: $PLUGINSDIR/inetc.dll (win7-20240705-en)
behavioral20: $PLUGINSDIR/inetc.dll (win10v2004-20240709-en)
behavioral21: $TEMP/TemporaryComodoProduct/CBU.exe (win7-20240708-en)
behavioral22: $TEMP/TemporaryComodoProduct/CBU.exe (win10v2004-20240709-en)
behavioral23: $TEMP/TemporaryComodoProduct/COSService.exe (win7-20240704-en)
behavioral24: $TEMP/TemporaryComodoProduct/COSService.exe (win10v2004-20240709-en)
behavioral25: $TEMP/TemporaryComodoProduct/CSE.exe (win7-20240705-en)
behavioral26: $TEMP/TemporaryComodoProduct/CSE.exe (win10v2004-20240709-en)
behavioral27: $TEMP/TemporaryComodoProduct/GUIlang.dll (win7-20240704-en)
behavioral28: $TEMP/TemporaryComodoProduct/GUIlang.dll (win10v2004-20240709-en)
behavioral29: $TEMP/TemporaryComodoProduct/GUIlang_CHI.dll (win7-20240704-en)
behavioral30: $TEMP/TemporaryComodoProduct/GUIlang_CHI.dll (win10v2004-20240704-en)
behavioral31: $TEMP/TemporaryComodoProduct/GUIlang_CZE.dll (win7-20240708-en)
behavioral32: $TEMP/TemporaryComodoProduct/GUIlang_CZE.dll (win10v2004-20240709-en)
General
Target: $TEMP/TemporaryComodoProduct/CBU.exe
Size: 11.6MB
MD5: 2c6d19e7d5f91b5ef322df2f30e6ad53
SHA1: 2acd52bbe67614ea784899e9a96898bb2d5908ff
SHA256: 442f3b1a6a282dedaf4e39de36af4bcce2c0b0c145d8895c7f236bc8576c84b6
SHA512: d5db241a31693128199bbe588c9091c503c81b55bfdf5cb380a83f4a00a783aff3cbca25e03d3f1763f057b6f056c805d0ee093c6022baf08584f5ee3c85ec6f
SSDEEP: 98304:GN8nfosYu8Ok2ZPtHGuVGSjk3pH9NOi/59xF:GN8nf9udSelKinxF
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation (CBU.exe)

Network Service Discovery (8 IoCs; the heading and description of this signature are missing from the extracted report, the name is the tag the process tree puts on these same PIDs)
PID 2928 ARP.EXE
PID 2060 cmd.exe
PID 2476 ARP.EXE
PID 4024 cmd.exe
PID 3148 ARP.EXE
PID 3972 cmd.exe
PID 4856 ARP.EXE
PID 3556 cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
PID 1672 WerFault.exe, target PID 1224 (procid_target 84)

System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, 9 times: once by CBU.exe, 4 times by cmd.exe, 4 times by ARP.EXE

Modifies registry class (3 IoCs)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F1C8520-4C89-4688-8560-5839AAB4D46B} (CBU.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F1C8520-4C89-4688-8560-5839AAB4D46B}\UserID = "6671F535C64D400189B5ECBFCD56B25D" (CBU.exe)
Key created: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings (CBU.exe)

Suspicious use of SetWindowsHookEx (4 IoCs)
PID 1224 CBU.exe (4 calls)

Suspicious use of WriteProcessMemory (24 IoCs; every parent/child pair below is recorded 3 times)
PID 1224 CBU.exe wrote to memory of 4024 (procid_target 85)
PID 4024 cmd.exe wrote to memory of 3148 (procid_target 87)
PID 1224 CBU.exe wrote to memory of 3972 (procid_target 88)
PID 3972 cmd.exe wrote to memory of 4856 (procid_target 90)
PID 1224 CBU.exe wrote to memory of 3556 (procid_target 92)
PID 3556 cmd.exe wrote to memory of 2928 (procid_target 94)
PID 1224 CBU.exe wrote to memory of 2060 (procid_target 99)
PID 2060 cmd.exe wrote to memory of 2476 (procid_target 101)
Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\TemporaryComodoProduct\CBU.exe (PID 1224)
Command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\TemporaryComodoProduct\CBU.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 4024, child of 1224)
    Command line: "C:\Windows\System32\cmd.exe" /c arp -a > C:\Users\Admin\AppData\Local\Temp\iplist.txt
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ARP.EXE (PID 3148, child of 4024)
        Command line: arp -a
        - Network Service Discovery
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 3972, child of 1224)
    Command line: "C:\Windows\System32\cmd.exe" /c arp -a > C:\Users\Admin\AppData\Local\Temp\iplist.txt
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ARP.EXE (PID 4856, child of 3972)
        Command line: arp -a
        - Network Service Discovery
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 3556, child of 1224)
    Command line: "C:\Windows\System32\cmd.exe" /c arp -a > C:\Users\Admin\AppData\Local\Temp\iplist.txt
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ARP.EXE (PID 2928, child of 3556)
        Command line: arp -a
        - Network Service Discovery
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 2060, child of 1224)
    Command line: "C:\Windows\System32\cmd.exe" /c arp -a > C:\Users\Admin\AppData\Local\Temp\iplist.txt
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ARP.EXE (PID 2476, child of 2060)
        Command line: arp -a
        - Network Service Discovery
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe (PID 1672, child of 1224)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 4472
    - Program crash

C:\Windows\system32\svchost.exe (PID 4004)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost

C:\Windows\SysWOW64\WerFault.exe (PID 3764)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1224 -ip 1224
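The process tree above shows CBU.exe launching cmd.exe four times to run arp -a with the output redirected into iplist.txt in the user's Temp directory, and the WriteProcessMemory signature records each launch three times. The Python below is an added example, not part of the Tria.ge report and not Comodo's code: it collapses the duplicated records into parent/child edges, rebuilds the tree, and flags every cmd.exe that a non-shell parent started to dump arp -a into a file. The records and command lines are copied from this report; the detection rule (non-shell parent plus arp -a redirected to a file) and the INTERACTIVE_SHELLS allow-list are assumptions of the example, not a Tria.ge signature.

```python
"""Rebuild a process tree from Tria.ge 'wrote to memory of' records and flag
the arp-based network discovery pattern they show.

Added example, not part of the report. Records and command lines are copied
from the report; the detection rule is an assumption of this example.
"""
import re
from collections import defaultdict

# Excerpt of the report's WriteProcessMemory records. Tria.ge logs each
# parent->child creation three times (one per memory write), so identical
# lines must be collapsed before the tree is built.
WPM_RECORDS = """\
PID 1224 wrote to memory of 4024 1224 CBU.exe 85
PID 1224 wrote to memory of 4024 1224 CBU.exe 85
PID 1224 wrote to memory of 4024 1224 CBU.exe 85
PID 4024 wrote to memory of 3148 4024 cmd.exe 87
PID 4024 wrote to memory of 3148 4024 cmd.exe 87
PID 4024 wrote to memory of 3148 4024 cmd.exe 87
PID 1224 wrote to memory of 3972 1224 CBU.exe 88
PID 3972 wrote to memory of 4856 3972 cmd.exe 90
PID 1224 wrote to memory of 3556 1224 CBU.exe 92
PID 3556 wrote to memory of 2928 3556 cmd.exe 94
PID 1224 wrote to memory of 2060 1224 CBU.exe 99
PID 2060 wrote to memory of 2476 2060 cmd.exe 101
"""

# Image path and command line per PID, from the report's Processes section.
# The image is the SysWOW64 copy because CBU.exe is a 32-bit process.
CMD = r'"C:\Windows\System32\cmd.exe" /c arp -a > C:\Users\Admin\AppData\Local\Temp\iplist.txt'
PROCESSES = {
    1224: (r"C:\Users\Admin\AppData\Local\Temp\$TEMP\TemporaryComodoProduct\CBU.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\$TEMP\TemporaryComodoProduct\CBU.exe"'),
    4024: (r"C:\Windows\SysWOW64\cmd.exe", CMD),
    3148: (r"C:\Windows\SysWOW64\ARP.EXE", "arp -a"),
    3972: (r"C:\Windows\SysWOW64\cmd.exe", CMD),
    4856: (r"C:\Windows\SysWOW64\ARP.EXE", "arp -a"),
    3556: (r"C:\Windows\SysWOW64\cmd.exe", CMD),
    2928: (r"C:\Windows\SysWOW64\ARP.EXE", "arp -a"),
    2060: (r"C:\Windows\SysWOW64\cmd.exe", CMD),
    2476: (r"C:\Windows\SysWOW64\ARP.EXE", "arp -a"),
}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")
# cmd.exe /c arp -a with stdout redirected into a file (assumed rule).
ARP_DUMP_RE = re.compile(r"/c\s+arp\s+-a\s*>\s*(\S+)", re.IGNORECASE)
# Parents for which a cmd.exe child is unremarkable (assumed allow-list).
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}


def parse_wpm(text):
    """Return {(parent_pid, child_pid): parent_image} with duplicates collapsed."""
    edges = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edges[(int(m[1]), int(m[2]))] = m[3]
    return edges


def build_tree(edges):
    """Map each parent PID to its children in report order."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    return dict(children)


def render_tree(tree, processes, root, depth=0):
    """Indented 'pid image  command line' lines for root and its descendants."""
    image, cmdline = processes.get(root, ("?", "?"))
    lines = [f"{'  ' * depth}{root} {image}  {cmdline}"]
    for child in tree.get(root, []):
        lines.extend(render_tree(tree, processes, child, depth + 1))
    return lines


def find_arp_dumps(edges, processes):
    """Flag cmd.exe started by a non-shell parent to write `arp -a` to a file.

    One hit per cmd.exe instance; several hits from the same parent (four in
    this report) are a stronger signal than a single one."""
    hits = []
    for (parent, child), parent_image in edges.items():
        image, cmdline = processes.get(child, ("", ""))
        m = ARP_DUMP_RE.search(cmdline)
        if image.lower().endswith("\\cmd.exe") and m \
                and parent_image.lower() not in INTERACTIVE_SHELLS:
            hits.append({"parent_pid": parent, "parent": parent_image,
                         "cmd_pid": child, "output_file": m.group(1)})
    return hits


if __name__ == "__main__":
    edges = parse_wpm(WPM_RECORDS)
    print("\n".join(render_tree(build_tree(edges), PROCESSES, 1224)))
    for hit in find_arp_dumps(edges, PROCESSES):
        print(f"arp -a dump: {hit['parent']} ({hit['parent_pid']}) -> "
              f"cmd.exe ({hit['cmd_pid']}) -> {hit['output_file']}")
```

Run stand-alone it prints the tree rooted at PID 1224 and four hits, all with CBU.exe as the parent and iplist.txt as the output file. On a live host the same two checks (parent image not an interactive shell, arp -a redirected to a file) map directly onto the ParentImage and CommandLine fields of a process-creation event, and the repetition from one parent is what makes the pattern worth a rule rather than a one-off alert.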
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4KB
MD5: d91f449c7363563156d9b5bc3bfdd231
SHA1: abe993dfe291451b3a72ceccf51be43d428a4bee
SHA256: a76c21483844cc9ad565085083c15d5d3ae0c43d1e3df6143e48e60b8d6cb6e6
SHA512: bbf04e7f406cf55b6079554a09a889f2d2fcb1b98ff3019dfb0fa9d078734755f41be45d856efd6cbec85eedc5b68281b3afcb9683ec8f0426e1ab092c2cff98

Filesize: 104B
MD5: 7d5931d6d33c2e264d05d1850be2a39f
SHA1: 6708d90cd7368d355c101ab1f5903b79eccc3c4a
SHA256: 2afcca818a534e4f75cf61dc5552400d75406e11830aa7a8a5fd841fe571a723
SHA512: 83a5de9562b1a9212d20f310f93a23c4e75ea764dcd634af04e8e114e2ff783993ad079aca2e4ee4676cd013c06f3657a9f6a54b7dd72a30836c4fc8e8f91628

Filesize: 550B
MD5: 47e850c581418dbb7f4977b810746353
SHA1: f5603bc3d5fe0d0c7bac598430e244d442aa2e3d
SHA256: 4bd1621b1e686de1ec98490fab817d59cb363409fa4e660ae574800f4e77c778
SHA512: 5d8dfc33acce1d123d989c6cbedd5679196cdd66ac18a5137ee1d22e062f7caf18f57aa9eaddf226df66a086125d0531aca6a52a1776879cc2de32d832e15a83