5ade09adc83dbcdb8b0a890639d10e525cb4a885cc634a40ca72c1fbda1890f8 | Triage

Sharing

General

Target

conhost_f.exe
Size

1.8MB
Sample

220817-ye8weacacm
MD5

eecdf1e5eb81226c10e087d0f79de8f2
SHA1

9fb1dcd11603cfb6506595d0d8d9147f8dc9d2b2
SHA256

5ade09adc83dbcdb8b0a890639d10e525cb4a885cc634a40ca72c1fbda1890f8
SHA512

2fa58a908dc18a1b1cad91d4b5d556338c0920fb6d2733250f9ab38c23aff532b1c24b9ed76ad85022c7dd5708fb6df185c8cf447b8db4a9d778bbe25a914a89
SSDEEP

49152:VT5d7S+XFupRND4GgCWTsdZ3NQKi+ahqqIvToq:VVdO+6P4GVdFboq

Score

10^/10

discovery evasion exploit

Malware Config

Targets

- Target
  
  conhost_f.exe
- Size
  
  1.8MB
- MD5
  
  eecdf1e5eb81226c10e087d0f79de8f2
- SHA1
  
  9fb1dcd11603cfb6506595d0d8d9147f8dc9d2b2
- SHA256
  
  5ade09adc83dbcdb8b0a890639d10e525cb4a885cc634a40ca72c1fbda1890f8
- SHA512
  
  2fa58a908dc18a1b1cad91d4b5d556338c0920fb6d2733250f9ab38c23aff532b1c24b9ed76ad85022c7dd5708fb6df185c8cf447b8db4a9d778bbe25a914a89
- SSDEEP
  
  49152:VT5d7S+XFupRND4GgCWTsdZ3NQKi+ahqqIvToq:VVdO+6P4GVdFboq
Score

10^/10

discovery evasion exploit
- Modifies security service
  evasion
- Executes dropped EXE
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

discoveryevasionexploit

behavioral2

discoveryevasionexploit