87f8fe5bf86230f4efacd105086a99d3289ddc2b0b3a2f1fec19ed409084d366

Analysis

max time kernel
150s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87f8fe5bf86230f4efacd105086a99d3289ddc2b0b3a2f1fec19ed409084d366.exe
Size

177KB
MD5

6776e4d702c732d78c18f6914782e7d0
SHA1

6e6d0ff6f8d2603e9053cea2e43af09ed88f34f2
SHA256

87f8fe5bf86230f4efacd105086a99d3289ddc2b0b3a2f1fec19ed409084d366
SHA512

c4f5e92dfcae2ec4829bd4b6b6383c0bf1d762473942e7e7e371139b49b4cff51fb2e994dfda2f3e5077ea58489cd44881b992b8c4bd4e0122c68be2b9441cca
SSDEEP

3072:1/047M+14BEHzWqgUfPNrXuSKp18z2Odknu+vmmWBuxBl11cRQycLRbpgjDD25K:lwhBEHzWpUfPNr+DRD5fWBuxBl11tbp/

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
820	convskey.exe
948	~3FBF.tmp
472	forfstsc.exe

Loads dropped DLL 3 IoCs

pid	Process
1364	87f8fe5bf86230f4efacd105086a99d3289ddc2b0b3a2f1fec19ed409084d366.exe
1364	87f8fe5bf86230f4efacd105086a99d3289ddc2b0b3a2f1fec19ed409084d366.exe
820	convskey.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\regserpt = "C:\\Users\\Admin\\AppData\\Roaming\\regscont\\convskey.exe"	87f8fe5bf86230f4efacd105086a99d3289ddc2b0b3a2f1fec19ed409084d366.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\forfstsc.exe	87f8fe5bf86230f4efacd105086a99d3289ddc2b0b3a2f1fec19ed409084d366.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
820	convskey.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE
472	forfstsc.exe
1240	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1240	Explorer.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 820	1364	87f8fe5bf86230f4efacd105086a99d3289ddc2b0b3a2f1fec19ed409084d366.exe	26
PID 1364 wrote to memory of 820	1364	87f8fe5bf86230f4efacd105086a99d3289ddc2b0b3a2f1fec19ed409084d366.exe	26
PID 1364 wrote to memory of 820	1364	87f8fe5bf86230f4efacd105086a99d3289ddc2b0b3a2f1fec19ed409084d366.exe	26
PID 1364 wrote to memory of 820	1364	87f8fe5bf86230f4efacd105086a99d3289ddc2b0b3a2f1fec19ed409084d366.exe	26
PID 820 wrote to memory of 948	820	convskey.exe	27
PID 820 wrote to memory of 948	820	convskey.exe	27
PID 820 wrote to memory of 948	820	convskey.exe	27
PID 820 wrote to memory of 948	820	convskey.exe	27
PID 948 wrote to memory of 1240	948	~3FBF.tmp	10

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1240
- C:\Users\Admin\AppData\Local\Temp\87f8fe5bf86230f4efacd105086a99d3289ddc2b0b3a2f1fec19ed409084d366.exe
  "C:\Users\Admin\AppData\Local\Temp\87f8fe5bf86230f4efacd105086a99d3289ddc2b0b3a2f1fec19ed409084d366.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Users\Admin\AppData\Roaming\regscont\convskey.exe
    "C:\Users\Admin\AppData\Roaming\regscont\convskey.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Users\Admin\AppData\Local\Temp\~3FBF.tmp
      "C:\Users\Admin\AppData\Local\Temp\~3FBF.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:948

C:\Windows\SysWOW64\forfstsc.exe
C:\Windows\SysWOW64\forfstsc.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~3FBF.tmp

Filesize
6KB

MD5
ef34b78b36c65a00053fe6a6dcd60082

SHA1
413c940f6bb63969f205bae0fd0dc21a1d2babd8

SHA256
558a30bdbacf063937c162ba8e066e13aa2bc1e487738523b95e4c3d2fcb44d7

SHA512
bdf6a6ac1205feb6e9387523c6832c2a40df9128b42e5d6e2971f6525256878489e56b34de6394c41345ccd79253bbe4e2d5b03c705a52ae6f59d8e092073648

Download Submit
C:\Users\Admin\AppData\Roaming\regscont\convskey.exe

Filesize
177KB

MD5
bd6cd4a0acc8d2ae83479e171669cb98

SHA1
124d10be7f314ed7bbaa8b92429e81c18933b236

SHA256
a6f28bd273ffedcd5924775cd95c0eaa5ec5b9e6ef43dfa76ffb8568de2a8cdb

SHA512
634bc0532e442177e1c13ea53dcf83da988cbc416cdc2ab8eef5674cf0d1654eb58abace3acba508cd4e7cf76c3fb65308bcf1f4ff625306b06ef1617964aba5

Download Submit
C:\Users\Admin\AppData\Roaming\regscont\convskey.exe

Filesize
177KB

MD5
bd6cd4a0acc8d2ae83479e171669cb98

SHA1
124d10be7f314ed7bbaa8b92429e81c18933b236

SHA256
a6f28bd273ffedcd5924775cd95c0eaa5ec5b9e6ef43dfa76ffb8568de2a8cdb

SHA512
634bc0532e442177e1c13ea53dcf83da988cbc416cdc2ab8eef5674cf0d1654eb58abace3acba508cd4e7cf76c3fb65308bcf1f4ff625306b06ef1617964aba5

Download Submit
C:\Windows\SysWOW64\forfstsc.exe

Filesize
177KB

MD5
6776e4d702c732d78c18f6914782e7d0

SHA1
6e6d0ff6f8d2603e9053cea2e43af09ed88f34f2

SHA256
87f8fe5bf86230f4efacd105086a99d3289ddc2b0b3a2f1fec19ed409084d366

SHA512
c4f5e92dfcae2ec4829bd4b6b6383c0bf1d762473942e7e7e371139b49b4cff51fb2e994dfda2f3e5077ea58489cd44881b992b8c4bd4e0122c68be2b9441cca

Download Submit
C:\Windows\SysWOW64\forfstsc.exe

Filesize
177KB

MD5
6776e4d702c732d78c18f6914782e7d0

SHA1
6e6d0ff6f8d2603e9053cea2e43af09ed88f34f2

SHA256
87f8fe5bf86230f4efacd105086a99d3289ddc2b0b3a2f1fec19ed409084d366

SHA512
c4f5e92dfcae2ec4829bd4b6b6383c0bf1d762473942e7e7e371139b49b4cff51fb2e994dfda2f3e5077ea58489cd44881b992b8c4bd4e0122c68be2b9441cca

Download Submit
\Users\Admin\AppData\Local\Temp\~3FBF.tmp

Filesize
6KB

MD5
ef34b78b36c65a00053fe6a6dcd60082

SHA1
413c940f6bb63969f205bae0fd0dc21a1d2babd8

SHA256
558a30bdbacf063937c162ba8e066e13aa2bc1e487738523b95e4c3d2fcb44d7

SHA512
bdf6a6ac1205feb6e9387523c6832c2a40df9128b42e5d6e2971f6525256878489e56b34de6394c41345ccd79253bbe4e2d5b03c705a52ae6f59d8e092073648

Download Submit
\Users\Admin\AppData\Roaming\regscont\convskey.exe

Filesize
177KB

MD5
bd6cd4a0acc8d2ae83479e171669cb98

SHA1
124d10be7f314ed7bbaa8b92429e81c18933b236

SHA256
a6f28bd273ffedcd5924775cd95c0eaa5ec5b9e6ef43dfa76ffb8568de2a8cdb

SHA512
634bc0532e442177e1c13ea53dcf83da988cbc416cdc2ab8eef5674cf0d1654eb58abace3acba508cd4e7cf76c3fb65308bcf1f4ff625306b06ef1617964aba5

Download Submit
\Users\Admin\AppData\Roaming\regscont\convskey.exe

Filesize
177KB

MD5
bd6cd4a0acc8d2ae83479e171669cb98

SHA1
124d10be7f314ed7bbaa8b92429e81c18933b236

SHA256
a6f28bd273ffedcd5924775cd95c0eaa5ec5b9e6ef43dfa76ffb8568de2a8cdb

SHA512
634bc0532e442177e1c13ea53dcf83da988cbc416cdc2ab8eef5674cf0d1654eb58abace3acba508cd4e7cf76c3fb65308bcf1f4ff625306b06ef1617964aba5

Download Submit
memory/472-71-0x00000000001A0000-0x00000000001E0000-memory.dmp

Filesize
256KB

Download
memory/1240-65-0x0000000002940000-0x0000000002983000-memory.dmp

Filesize
268KB

Download
memory/1240-67-0x0000000002940000-0x0000000002983000-memory.dmp

Filesize
268KB

Download
memory/1364-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1364-55-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download