Analysis

  • max time kernel
    148s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 05:39

General

  • Target

    Conficker binaries/jwgkvsq.dll

  • Size

    161KB

  • MD5

    c3852074ee50da92c2857d24471747d9

  • SHA1

    7910076ec1e60326409408fc042c89e96aefefa1

  • SHA256

    cfc5bef5b3a8bd21d5b9748832db14f6966154867c946564e003e0febf2b6c92

  • SHA512

    409faf818f9c1ee034decf1ff7c4727b2bcfd5b45ed6e30a45c3d6b46e3c437fc9d26441df174fbeb585ca8ce0a0fcdc4222815b34d582b6d08eadeb652e3aa8

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 35 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    PID:1092
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Conficker binaries\jwgkvsq.dll",#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Conficker binaries\jwgkvsq.dll",#1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\SysWOW64\explorer.exe
          explorer C:\Users\Admin\AppData\Local
          4⤵
            PID:1252
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:4828
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2504

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1732-134-0x0000000000CF0000-0x0000000000D12000-memory.dmp

        Filesize

        136KB

      • memory/1732-137-0x0000000000CF0000-0x0000000000D12000-memory.dmp

        Filesize

        136KB