Analysis

  • max time kernel
    148s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-08-2024 00:11

General

  • Target

    7009cf14e43eb40f873f8da1d915afa15703c9fcd3603d11f60190613acfdcf7.exe

  • Size

    5.9MB

  • MD5

    04e2e7c7fc2f0385afff14d8c0cbb6c3

  • SHA1

    c6eee139f4fcff2c26494c3bf56ea2516dd9d20a

  • SHA256

    7009cf14e43eb40f873f8da1d915afa15703c9fcd3603d11f60190613acfdcf7

  • SHA512

    29add18b9f296b66a215d1c7332eb2f03d8157aad25be2b57c4b2297b7ea8c7afb1f89759ee21b76864f904d42721764eb092815b787493197ab1be9fd22010d

  • SSDEEP

    98304:5wq0Sm/xllDMUvProTSp7BMm5Ye4cyI+vRDTgeMmC/zWTM:5dmZ0U3romT34vJgPbzWTM

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7009cf14e43eb40f873f8da1d915afa15703c9fcd3603d11f60190613acfdcf7.exe
    "C:\Users\Admin\AppData\Local\Temp\7009cf14e43eb40f873f8da1d915afa15703c9fcd3603d11f60190613acfdcf7.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Users\Admin\AppData\Local\Temp\7009cf14e43eb40f873f8da1d915afa15703c9fcd3603d11f60190613acfdcf7.exe
      "C:\Users\Admin\AppData\Local\Temp\7009cf14e43eb40f873f8da1d915afa15703c9fcd3603d11f60190613acfdcf7.exe" /tj
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3776

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\careueyes\setting_v2.dat

    Filesize

    3KB

    MD5

    ce099623a4f6dad664e3f80b677edea3

    SHA1

    6654c47a7962da95e79969b7b98d72c29e372485

    SHA256

    ea930bad49bed2035b64b4d2789e8202f3c853b8dafbace323886f33929f0fd8

    SHA512

    145ce6315849ec0056b13cb447fcd79e2e69cf063c1c4a3ef577bbffef82b137ad2723e1657b6b21b4ff58ea7c759b7e257e64f2315f5597614615adf996c6a3

  • C:\Users\Admin\AppData\Roaming\careueyes\setting_v2.dat

    Filesize

    3KB

    MD5

    a3fa61df2de1b2243df3d6603408e2ce

    SHA1

    7391dd705144a989faca283e5cc8e2466d9c5fdf

    SHA256

    26835a9b9796e82ba72a71e7648b1c87e39b87e849990692ffb35d8f28638991

    SHA512

    1c8928beef00fa3e97d43bf2b5dcda772122ebf5cd9026b93c06358b4ca068b6dd9590a490f4a8a301cd736f72128bd66066fabf4859cf486679f2d436d34f77

  • memory/408-0-0x0000000035F70000-0x0000000035F80000-memory.dmp

    Filesize

    64KB

  • memory/408-1-0x0000000003630000-0x0000000003640000-memory.dmp

    Filesize

    64KB

  • memory/408-25-0x0000000003630000-0x0000000003640000-memory.dmp

    Filesize

    64KB

  • memory/3776-31-0x00000000036F0000-0x0000000003700000-memory.dmp

    Filesize

    64KB

  • memory/3776-43-0x00000000036F0000-0x0000000003700000-memory.dmp

    Filesize

    64KB