aabebfa8a57a0e23a01d18d0c40180fd1b0e56f017a41c03d171450171ebafa1

Analysis

max time kernel
131s
max time network
133s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 02:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

CareUEyes/CareUEyesPortable.exe
Size

144KB
MD5

1c959ca67730a5bc21d17d3d0153e2df
SHA1

a41a306563e5b7430f0d4ce3f0620eca3e69da54
SHA256

b07d2acf6197e436eee90c95561342d676422726e5b63a40403df0074a1b5973
SHA512

d3f11383685b73dd66ced31e96d8ee36892657b20596e99437671308700f322b45e5367581ae2e42eb92f79fa88610c62cbcb22fcf7da451e4b8865c3b4a4713
SSDEEP

3072:lqeqOYEUXPnU7b97o6c9jHtn16p8osnBV0mp0TLZX:kEUX2b9+jNnQCLBVwB

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2324	CareUEyesPortable.exe
2324	CareUEyesPortable.exe
2324	CareUEyesPortable.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\	CareUEyesPortable.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run	CareUEyesPortable.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CareUEyes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CareUEyes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CareUEyesPortable.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	CareUEyes.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	CareUEyes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	CareUEyes.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{FC36FD6A-7586-4ad1-8CBF-EB8AB7A51533}	CareUEyes.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node	CareUEyes.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID	CareUEyes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{FC36FD6A-7586-4ad1-8CBF-EB8AB7A51533}\uuid = "NjE4ZGU4MWU2NDM2YjQyNWVkMTYyNzZkZmJiYjUxOWI="	CareUEyes.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{FC36FD6A-7586-4ad1-8CBF-EB8AB7A51533}	CareUEyes.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2324	CareUEyesPortable.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2252	CareUEyes.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2252	CareUEyes.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1056	CareUEyes.exe
1056	CareUEyes.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2252	2324	CareUEyesPortable.exe	31
PID 2324 wrote to memory of 2252	2324	CareUEyesPortable.exe	31
PID 2324 wrote to memory of 2252	2324	CareUEyesPortable.exe	31
PID 2324 wrote to memory of 2252	2324	CareUEyesPortable.exe	31
PID 2252 wrote to memory of 1056	2252	CareUEyes.exe	33
PID 2252 wrote to memory of 1056	2252	CareUEyes.exe	33
PID 2252 wrote to memory of 1056	2252	CareUEyes.exe	33
PID 2252 wrote to memory of 1056	2252	CareUEyes.exe	33

C:\Users\Admin\AppData\Local\Temp\CareUEyes\CareUEyesPortable.exe
"C:\Users\Admin\AppData\Local\Temp\CareUEyes\CareUEyesPortable.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\CareUEyes\App\CareUEyes\CareUEyes.exe
  "C:\Users\Admin\AppData\Local\Temp\CareUEyes\App\CareUEyes\CareUEyes.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\CareUEyes\App\CareUEyes\CareUEyes.exe
    "C:\Users\Admin\AppData\Local\Temp\CareUEyes\App\CareUEyes\CareUEyes.exe" /tj
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CareUEyes\Data\settings\CareUEyes.reg

Filesize
248B

MD5
2af074816d8777f8e63ce07b085629d2

SHA1
2e43f6ddb68630f36c73bede2fd6c3580aeabc95

SHA256
fe25a9d79f7044562d19de6122f25e5623c6cbbc9d95dd0a0427b843dad50fb8

SHA512
a7eb3ed13dd0194292221ef6f5531dd5c6c4bce89176631decd9283dddaf61b0d519add9241ddf15a96c85c5b4bf0714711cfe114afce9beb1c97c71031ffb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD7EA.tmp\launcher.ini

Filesize
1KB

MD5
016566e48414fcdd21bb9ca842f6b1ef

SHA1
fd22292fa424a791467e407dee3f42d6e1f0a072

SHA256
bc87bbd32fef165dd457b4d17661565fecaa4f8875484fb3298dbe1b0df1f1cc

SHA512
b961a014c1434bb38c1bda7e6e118f509a1262674924746de705aa77ee8c09d07e65a1a615c6fc21fa76aca5305e41e8b7091c83f163edacde60e6b49116797e

Download Submit
C:\Users\Admin\AppData\Roaming\careueyes\setting_v2.dat

Filesize
2KB

MD5
9b252d2c5b1381e51fb8543b1ea95188

SHA1
e2595aed80f2b8ba8ce45918e2e6fc1ed0c612e2

SHA256
8750a23be64cb16047007bd9850b57378e61a631d7487f0029b08a24ef58c27f

SHA512
d0feff27cb7728d2571a377485681ed3ed784d3577624afdc9e25f1aa8e7a3eecf783d4648795a9ec15e285f4beeb11988d3d264308d0cb0003183cd0501229e

Download Submit
C:\Users\Admin\AppData\Roaming\careueyes\setting_v2.dat

Filesize
2KB

MD5
f9c98267651c0d45fabe14153acf0a5a

SHA1
f3ba062ce2a0f2aa1eda929a2942b01f8a8d0094

SHA256
577ef6463149ca906da59de2622c9f1c092336953f16cc1818e414f1b8d209ec

SHA512
76b0ca61d70517815930fee3476e2bc60ef252100f8a2a5cd570f50ff2f236ae056cd2655a8c659607837239f0b015344d229a991cc913c7fa4caac28a027a52

Download Submit
\Users\Admin\AppData\Local\Temp\nsoD7EA.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsoD7EA.tmp\newtextreplace.dll

Filesize
11KB

MD5
b5358341df2cb171876a5f201e31a834

SHA1
df34750ea5504274be5ff8ddd306b49e302d04f9

SHA256
156b9b583399faf13c4d46b89339fb0f7f38dc847ac2d7872178d8e3998b9734

SHA512
821dc42e24fa2d44a1d4d16b26c3da2688dac0fa44a266e38da2aff706c91440d83a87abc74131930e6c38a44a0c5e627db2d045375fde147e0edd3276f4b014

Download Submit
\Users\Admin\AppData\Local\Temp\nsoD7EA.tmp\registry.dll

Filesize
29KB

MD5
2880bf3bbbc8dcaeb4367df8a30f01a8

SHA1
cb5c65eae4ae923514a67c95ada2d33b0c3f2118

SHA256
acb79c55b3b9c460d032a6f3aaf6c642bf8c1d450e23279d091cc0c6ca510973

SHA512
ca978702ce7aa04f8d9781a819a57974f9627e969138e23e81e0792ff8356037c300bb27a37a9b5c756220a7788a583c8e40cc23125bcbe48849561b159c4fa3

Download Submit
memory/2252-67-0x0000000034F30000-0x0000000034F40000-memory.dmp

Filesize
64KB

Download
memory/2252-72-0x0000000002B20000-0x0000000002B60000-memory.dmp

Filesize
256KB

Download
memory/2252-97-0x0000000002B20000-0x0000000002B60000-memory.dmp

Filesize
256KB

Download