Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 18:44
Static task: static1
Behavioral tasks
- behavioral1: Sample Bypass-Tools/CGWebInstall2.exe, Resource win7-20240611-en
- behavioral2: Sample Bypass-Tools/CGWebInstall2.exe, Resource win10v2004-20240611-en
- behavioral3: Sample Bypass-Tools/GPass-4.1.02.exe, Resource win7-20240508-en
- behavioral4: Sample Bypass-Tools/GPass-4.1.02.exe, Resource win10v2004-20240508-en
- behavioral5: Sample Bypass-Tools/U952.exe, Resource win7-20240508-en
- behavioral6: Sample Bypass-Tools/U952.exe, Resource win10v2004-20240611-en
- behavioral7: Sample Bypass-Tools/fg679p2.exe, Resource win7-20240508-en
- behavioral8: Sample Bypass-Tools/fg679p2.exe, Resource win10v2004-20240611-en
General
- Target: Bypass-Tools/CGWebInstall2.exe
- Size: 730KB
- MD5: bd11d302a86fa12e2032621554326bd0
- SHA1: be4a4d74b3b5316e46ef6d813031ca99c2c12b49
- SHA256: 9894d651b7700ffd0992c0a310cfb867b84d32d644574f6571ea540d189a088d
- SHA512: 59c0243cf2577c13ea3467e6e421a3f174c6f16623d125f69a608ad7d54977e57b471b31cbe7a79ba5c13f0296064bc172a9da41fe9379f977112fcc219cd400
- SSDEEP: 12288:ONYr78QV1q6XEHjxa84YQ65FQLcCxB2FgUBVDZbU4xC78P:O64blYEQwuKBVDZgr78P
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: pid 2924 CGWebInstall.exe
- Loads dropped DLL (4 IoCs)
  Processes: pid 2060 CGWebInstall2.exe; pid 2924 CGWebInstall.exe; pid 2924 CGWebInstall.exe; pid 2924 CGWebInstall.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Processes (resource: yara_rule)
  C:\Users\Admin\AppData\Local\Temp\CGWebInstall.exe: upx
  behavioral1/memory/2924-11-0x0000000000400000-0x00000000005E8000-memory.dmp: upx
  behavioral1/memory/2924-14-0x0000000000400000-0x00000000005E8000-memory.dmp: upx
  behavioral1/memory/2924-19-0x0000000000400000-0x00000000005E8000-memory.dmp: upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: PID 2060 (CGWebInstall2.exe) wrote to memory of PID 2924 (CGWebInstall.exe), recorded 7 times
Processes
- C:\Users\Admin\AppData\Local\Temp\Bypass-Tools\CGWebInstall2.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bypass-Tools\CGWebInstall2.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CGWebInstall.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\CGWebInstall.exe"
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\CGWebInstall.exe
  Filesize: 705KB
  MD5: 57c469f23b012eab249174b0aefb7bac
  SHA1: f2d0dcb04b1011849e08b9a1aa897503ccb22d08
  SHA256: 19bb1a05791ee90485a12918e2e763bd10fda86425694ce42ca1c0c25bf51847
  SHA512: ee33c6e12ae4f9e20c22933759aaf0bdc0d67777cda4ff65931df0b72eddf7b4dd572d7248eb2d7420a2fdd6ec5857fc3513aaec9e85519235eb7475e0fd6b26
- memory/2060-6-0x00000000028D0000-0x0000000002AB8000-memory.dmp (Filesize: 1.9MB)
- memory/2924-13-0x0000000000AE0000-0x0000000000CC8000-memory.dmp (Filesize: 1.9MB)
- memory/2924-12-0x0000000000AE0000-0x0000000000CC8000-memory.dmp (Filesize: 1.9MB)
- memory/2924-11-0x0000000000400000-0x00000000005E8000-memory.dmp (Filesize: 1.9MB)
- memory/2924-14-0x0000000000400000-0x00000000005E8000-memory.dmp (Filesize: 1.9MB)
- memory/2924-16-0x0000000000AE0000-0x0000000000CC8000-memory.dmp (Filesize: 1.9MB)
- memory/2924-17-0x0000000000AE0000-0x0000000000CC8000-memory.dmp (Filesize: 1.9MB)
- memory/2924-19-0x0000000000400000-0x00000000005E8000-memory.dmp (Filesize: 1.9MB)