Analysis

  • max time kernel
    141s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2022 23:09

General

  • Target

    596bfa7f9985e7c37a437ba7a58dde6e0258a83b1051fb66b09b3992563e3098.exe

  • Size

    15KB

  • MD5

    0300ef04431f258e32061adcb5273650

  • SHA1

    d1f4f0575ae2aa1c5136dd5016119b49c5570530

  • SHA256

    596bfa7f9985e7c37a437ba7a58dde6e0258a83b1051fb66b09b3992563e3098

  • SHA512

    9557d9366884b07e22b47976992ece1ac39bc150ed33bee10c671e7634a179b434f46cf83119b18508bafe276eee1ff31874f7c63619a791798d639bce08e79c

  • SSDEEP

    384:BQoM7+0mYtRE4IGaFJadCsU99qVTdwQK1a:BQoM7JSGaFyCH9qVTGQ+a

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\596bfa7f9985e7c37a437ba7a58dde6e0258a83b1051fb66b09b3992563e3098.exe
    "C:\Users\Admin\AppData\Local\Temp\596bfa7f9985e7c37a437ba7a58dde6e0258a83b1051fb66b09b3992563e3098.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\BOX.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      PID:1324
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im cfmon.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im cfmon.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2636
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im conlme.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im conlme.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2916
    • C:\Program Files (x86)\Common Files\session\conlme.exe
      "C:\Program Files (x86)\Common Files\session\conlme.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:872
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\596bfa7f9985e7c37a437ba7a58dde6e0258a83b1051fb66b09b3992563e3098.exe"
      2⤵
      PID:3140

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Program Files (x86)\BOX.hta

      Filesize

      797B

      MD5

      4917e06aa2ae915c3c7cbcbc7335565e

      SHA1

      335e5663078a71daa3b3e3d3c5025896c190c7c9

      SHA256

      40248859fbe8cc7bca288e2fef514952c6e4940f3425c0f2dc26ebac4069fab3

      SHA512

      cd798141c8a8ab80a028fe92c65f8b539baeb2e44eca90795f87a855149ad3a6c6a59fd769024d448f8e3efc1499e7855661599bd2b992bd05dc4597f6014db6

    • C:\Program Files (x86)\Common Files\session\conlme.exe

      Filesize

      12.0MB

      MD5

      744031e81013b7406b41b1e5f500daf1

      SHA1

      a3abe786befa4f8fb40e94408a9afa09e12e11df

      SHA256

      6e3634e23156893ea75490012ffd816c250e3213f7befbc04a232fd1c373d7a9

      SHA512

      808a6c8ff95702e86238b2e1edd597e19180b61bf968d5a25bde451418a76e903edb8a4849a31c790f188c0c18784486eed6576122a481ee525078445ffb3390

    • memory/872-139-0x0000000000000000-mapping.dmp

    • memory/872-142-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/872-145-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/1324-133-0x0000000000000000-mapping.dmp

    • memory/2600-134-0x0000000000000000-mapping.dmp

    • memory/2636-136-0x0000000000000000-mapping.dmp

    • memory/2916-137-0x0000000000000000-mapping.dmp

    • memory/3140-143-0x0000000000000000-mapping.dmp

    • memory/4416-132-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/4416-144-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/4424-135-0x0000000000000000-mapping.dmp