Overview
overview
10Static
static
9Conficker ...BC.dll
windows7_x64
5Conficker ...BC.dll
windows10-2004_x64
1Conficker ...1E.dll
windows7_x64
8Conficker ...1E.dll
windows10-2004_x64
1Conficker ...A5.dll
windows7_x64
1Conficker ...A5.dll
windows10-2004_x64
1Conficker ...B6.dll
windows7_x64
5Conficker ...B6.dll
windows10-2004_x64
1Conficker ...B6.dll
windows7_x64
5Conficker ...B6.dll
windows10-2004_x64
1Conficker ...9D.dll
windows7_x64
5Conficker ...9D.dll
windows10-2004_x64
1Conficker ...65.dll
windows7_x64
5Conficker ...65.dll
windows10-2004_x64
1Conficker ...a5.dll
windows7_x64
5Conficker ...a5.dll
windows10-2004_x64
1Conficker ...sq.dll
windows7_x64
10Conficker ...sq.dll
windows10-2004_x64
10Conficker ...q4.dll
windows7_x64
10Conficker ...q4.dll
windows10-2004_x64
10Analysis
-
max time kernel
148s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 05:39
Static task
static1
Behavioral task
behavioral1
Sample
Conficker binaries/1DB5476C766555C9995B25D19F97B9BC.dll
Resource
win7-20220414-en
windows7_x64
Behavioral task
behavioral2
Sample
Conficker binaries/1DB5476C766555C9995B25D19F97B9BC.dll
Resource
win10v2004-20220414-en
windows10-2004_x64
Behavioral task
behavioral3
Sample
Conficker binaries/223D8089F8EE82F8B05266BAECAAC61E.dll
Resource
win7-20220414-en
windows7_x64
Behavioral task
behavioral4
Sample
Conficker binaries/223D8089F8EE82F8B05266BAECAAC61E.dll
Resource
win10v2004-20220414-en
windows10-2004_x64
Behavioral task
behavioral5
Sample
Conficker binaries/BD35D4D98FCBB1EC0E090FD2C631BAA5.dll
Resource
win7-20220414-en
windows7_x64
Behavioral task
behavioral6
Sample
Conficker binaries/BD35D4D98FCBB1EC0E090FD2C631BAA5.dll
Resource
win10v2004-20220414-en
windows10-2004_x64
Behavioral task
behavioral7
Sample
Conficker binaries/CC7EDB2E4300AC539259F3FFDE0F1AB6.dll
Resource
win7-20220414-en
windows7_x64
Behavioral task
behavioral8
Sample
Conficker binaries/CC7EDB2E4300AC539259F3FFDE0F1AB6.dll
Resource
win10v2004-20220414-en
windows10-2004_x64
Behavioral task
behavioral9
Sample
Conficker binaries/CC7EDB2E4300AC539259F3FFDE0F1AB6.dll
Resource
win7-20220414-en
windows7_x64
Behavioral task
behavioral10
Sample
Conficker binaries/CC7EDB2E4300AC539259F3FFDE0F1AB6.dll
Resource
win10v2004-20220414-en
windows10-2004_x64
Behavioral task
behavioral11
Sample
Conficker binaries/CE18A72735FEB7A315B947DC0986009D.dll
Resource
win7-20220414-en
windows7_x64
Behavioral task
behavioral12
Sample
Conficker binaries/CE18A72735FEB7A315B947DC0986009D.dll
Resource
win10v2004-20220414-en
windows10-2004_x64
Behavioral task
behavioral13
Sample
Conficker binaries/D9CB288F317124A0E63E3405ED290765.dll
Resource
win7-20220414-en
windows7_x64
Behavioral task
behavioral14
Sample
Conficker binaries/D9CB288F317124A0E63E3405ED290765.dll
Resource
win10v2004-20220414-en
windows10-2004_x64
Behavioral task
behavioral15
Sample
Conficker binaries/bd35d4d98fcbb1ec0e090fd2c631baa5.dll
Resource
win7-20220414-en
windows7_x64
Behavioral task
behavioral16
Sample
Conficker binaries/bd35d4d98fcbb1ec0e090fd2c631baa5.dll
Resource
win10v2004-20220414-en
windows10-2004_x64
Behavioral task
behavioral17
Sample
Conficker binaries/jwgkvsq.dll
Resource
win7-20220414-en
windows7_x64
Behavioral task
behavioral18
Sample
Conficker binaries/jwgkvsq.dll
Resource
win10v2004-20220414-en
windows10-2004_x64
Behavioral task
behavioral19
Sample
Conficker binaries/jwgkvsq4.dll
Resource
win7-20220414-en
windows7_x64
Behavioral task
behavioral20
Sample
Conficker binaries/jwgkvsq4.dll
Resource
win10v2004-20220414-en
windows10-2004_x64
General
-
Target
Conficker binaries/jwgkvsq.dll
-
Size
161KB
-
MD5
c3852074ee50da92c2857d24471747d9
-
SHA1
7910076ec1e60326409408fc042c89e96aefefa1
-
SHA256
cfc5bef5b3a8bd21d5b9748832db14f6966154867c946564e003e0febf2b6c92
-
SHA512
409faf818f9c1ee034decf1ff7c4727b2bcfd5b45ed6e30a45c3d6b46e3c437fc9d26441df174fbeb585ca8ce0a0fcdc4222815b34d582b6d08eadeb652e3aa8
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe -
Modifies registry class 35 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000008f541914100041646d696e003c0009000400efbe8f54090ab454f0432e0000008ce10100000001000000000000000000000000000000df2a5800410064006d0069006e00000014000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000008f54090a1100557365727300640009000400efbe874f7748b454f0432e000000c70500000000010000000000000000003a000000000034672c0155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000008f54ac0c10004c6f63616c003c0009000400efbe8f54090a9154fd992e000000aae101000000010000000000000000000000000000005aa304014c006f00630061006c00000014000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000008f54090a12004170704461746100400009000400efbe8f54090ab454f1432e00000097e10100000001000000000000000000000000000000d4050b014100700070004400610074006100000016000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 explorer.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4828 explorer.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1732 rundll32.exe 1732 rundll32.exe 1732 rundll32.exe 1732 rundll32.exe 1732 rundll32.exe 1732 rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 4828 explorer.exe 1092 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeDebugPrivilege 1732 rundll32.exe Token: SeShutdownPrivilege 1092 Explorer.EXE Token: SeCreatePagefilePrivilege 1092 Explorer.EXE Token: SeShutdownPrivilege 1092 Explorer.EXE Token: SeCreatePagefilePrivilege 1092 Explorer.EXE Token: SeShutdownPrivilege 1092 Explorer.EXE Token: SeCreatePagefilePrivilege 1092 Explorer.EXE Token: SeShutdownPrivilege 1092 Explorer.EXE Token: SeCreatePagefilePrivilege 1092 Explorer.EXE Token: SeShutdownPrivilege 1092 Explorer.EXE Token: SeCreatePagefilePrivilege 1092 Explorer.EXE Token: SeShutdownPrivilege 1092 Explorer.EXE Token: SeCreatePagefilePrivilege 1092 Explorer.EXE Token: SeShutdownPrivilege 1092 Explorer.EXE Token: SeCreatePagefilePrivilege 1092 Explorer.EXE -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 1092 Explorer.EXE 1092 Explorer.EXE 1092 Explorer.EXE 1092 Explorer.EXE -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 1092 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4828 explorer.exe 4828 explorer.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 1092 Explorer.EXE -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1280 wrote to memory of 1732 1280 rundll32.exe 80 PID 1280 wrote to memory of 1732 1280 rundll32.exe 80 PID 1280 wrote to memory of 1732 1280 rundll32.exe 80 PID 1732 wrote to memory of 1092 1732 rundll32.exe 31 PID 1732 wrote to memory of 1252 1732 rundll32.exe 81 PID 1732 wrote to memory of 1252 1732 rundll32.exe 81 PID 1732 wrote to memory of 1252 1732 rundll32.exe 81
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:1092 -
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\Conficker binaries\jwgkvsq.dll",#12⤵
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\Conficker binaries\jwgkvsq.dll",#13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Users\Admin\AppData\Local4⤵PID:1252
-
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4828
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2504