aabebfa8a57a0e23a01d18d0c40180fd1b0e56f017a41c03d171450171ebafa1

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CareUEyes/CareUEyesPortable.exe
Size

144KB
MD5

1c959ca67730a5bc21d17d3d0153e2df
SHA1

a41a306563e5b7430f0d4ce3f0620eca3e69da54
SHA256

b07d2acf6197e436eee90c95561342d676422726e5b63a40403df0074a1b5973
SHA512

d3f11383685b73dd66ced31e96d8ee36892657b20596e99437671308700f322b45e5367581ae2e42eb92f79fa88610c62cbcb22fcf7da451e4b8865c3b4a4713
SSDEEP

3072:lqeqOYEUXPnU7b97o6c9jHtn16p8osnBV0mp0TLZX:kEUX2b9+jNnQCLBVwB

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4908	CareUEyesPortable.exe
4908	CareUEyesPortable.exe
4908	CareUEyesPortable.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	CareUEyesPortable.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	CareUEyesPortable.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CareUEyes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CareUEyes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CareUEyesPortable.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{FC36FD6A-7586-4ad1-8CBF-EB8AB7A51533}	CareUEyes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{FC36FD6A-7586-4ad1-8CBF-EB8AB7A51533}\uuid = "NDQ4ZDNiMWI0NGRhNzQ0YzE0MjY0NWFlYzEzYzhlNjU="	CareUEyes.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{FC36FD6A-7586-4ad1-8CBF-EB8AB7A51533}	CareUEyes.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4908	CareUEyesPortable.exe
4908	CareUEyesPortable.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3868	CareUEyes.exe
3868	CareUEyes.exe
3868	CareUEyes.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3868	CareUEyes.exe
3868	CareUEyes.exe
3868	CareUEyes.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4952	CareUEyes.exe
4952	CareUEyes.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 3868	4908	CareUEyesPortable.exe	87
PID 4908 wrote to memory of 3868	4908	CareUEyesPortable.exe	87
PID 4908 wrote to memory of 3868	4908	CareUEyesPortable.exe	87
PID 3868 wrote to memory of 4952	3868	CareUEyes.exe	115
PID 3868 wrote to memory of 4952	3868	CareUEyes.exe	115
PID 3868 wrote to memory of 4952	3868	CareUEyes.exe	115

C:\Users\Admin\AppData\Local\Temp\CareUEyes\CareUEyesPortable.exe
"C:\Users\Admin\AppData\Local\Temp\CareUEyes\CareUEyesPortable.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\CareUEyes\App\CareUEyes\CareUEyes.exe
  "C:\Users\Admin\AppData\Local\Temp\CareUEyes\App\CareUEyes\CareUEyes.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Users\Admin\AppData\Local\Temp\CareUEyes\App\CareUEyes\CareUEyes.exe
    "C:\Users\Admin\AppData\Local\Temp\CareUEyes\App\CareUEyes\CareUEyes.exe" /tj
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CareUEyes\Data\settings\CareUEyes.reg

Filesize
248B

MD5
2af074816d8777f8e63ce07b085629d2

SHA1
2e43f6ddb68630f36c73bede2fd6c3580aeabc95

SHA256
fe25a9d79f7044562d19de6122f25e5623c6cbbc9d95dd0a0427b843dad50fb8

SHA512
a7eb3ed13dd0194292221ef6f5531dd5c6c4bce89176631decd9283dddaf61b0d519add9241ddf15a96c85c5b4bf0714711cfe114afce9beb1c97c71031ffb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA182.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA182.tmp\launcher.ini

Filesize
1KB

MD5
016566e48414fcdd21bb9ca842f6b1ef

SHA1
fd22292fa424a791467e407dee3f42d6e1f0a072

SHA256
bc87bbd32fef165dd457b4d17661565fecaa4f8875484fb3298dbe1b0df1f1cc

SHA512
b961a014c1434bb38c1bda7e6e118f509a1262674924746de705aa77ee8c09d07e65a1a615c6fc21fa76aca5305e41e8b7091c83f163edacde60e6b49116797e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA182.tmp\newtextreplace.dll

Filesize
11KB

MD5
b5358341df2cb171876a5f201e31a834

SHA1
df34750ea5504274be5ff8ddd306b49e302d04f9

SHA256
156b9b583399faf13c4d46b89339fb0f7f38dc847ac2d7872178d8e3998b9734

SHA512
821dc42e24fa2d44a1d4d16b26c3da2688dac0fa44a266e38da2aff706c91440d83a87abc74131930e6c38a44a0c5e627db2d045375fde147e0edd3276f4b014

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA182.tmp\registry.dll

Filesize
29KB

MD5
2880bf3bbbc8dcaeb4367df8a30f01a8

SHA1
cb5c65eae4ae923514a67c95ada2d33b0c3f2118

SHA256
acb79c55b3b9c460d032a6f3aaf6c642bf8c1d450e23279d091cc0c6ca510973

SHA512
ca978702ce7aa04f8d9781a819a57974f9627e969138e23e81e0792ff8356037c300bb27a37a9b5c756220a7788a583c8e40cc23125bcbe48849561b159c4fa3

Download Submit
C:\Users\Admin\AppData\Roaming\careueyes\setting_v2.dat

Filesize
3KB

MD5
af3c2241a3e08517f401de5de407fc2a

SHA1
a63fe9c80641dced77e3c88ad4c205255c3d9641

SHA256
f2442e36ab7ed259910753ca9c4f6058365c9264913e3fc64b383cc3dc1ccc3b

SHA512
0ac261be827587b52cb489f26eec88ff3a1085da0053ede60931239ec10d6bf595a254b05ae6277ea4ddcc695bcef9ec72a17ae899e1fac7894606d96010ac45

Download Submit
C:\Users\Admin\AppData\Roaming\careueyes\setting_v2.dat

Filesize
136B

MD5
6f339b0a051d9f47e2453870f5af0a90

SHA1
a96baf2d5becffc84730653f24f42cee4bfc2d75

SHA256
17430de0b4ddae8e85d152bce35c284d60df696b051c92db276d6c0e16e3cb8f

SHA512
6611cf868b558705a0399afd93d4c347a4ced16abe776a33b6269fe7685fbc50aa281194bb02a8bd57cbe345254ede4a8c66ce5926f5ade499b16cbbbb82cf70

Download Submit
C:\Users\Admin\AppData\Roaming\careueyes\setting_v2.dat

Filesize
3KB

MD5
7ee70167b066c960283d3d44eb0f92a5

SHA1
4b5e3c46b76de5a283e565ab60d061e09be89830

SHA256
058ad4fb89c2b9dbda2f4bf67faf65839134afd9cf8db11dc1f95cece135b2dd

SHA512
8a63b323d23952be8f18335ee89e102259852ece3c44b8b9f17609750b9cfa3101eaaf987c39542ef5fefd104931465b3cbd552b1b864dac3b88d0e289c3c829

Download Submit
memory/3868-70-0x0000000001820000-0x0000000001830000-memory.dmp

Filesize
64KB

Download
memory/3868-97-0x0000000001820000-0x0000000001830000-memory.dmp

Filesize
64KB

Download
memory/3868-67-0x0000000035F70000-0x0000000035F80000-memory.dmp

Filesize
64KB

Download
memory/4952-103-0x0000000003680000-0x0000000003690000-memory.dmp

Filesize
64KB

Download
memory/4952-115-0x0000000003680000-0x0000000003690000-memory.dmp

Filesize
64KB

Download