e104093a86d712f418c526446a18e437c77e766952bfe57c919f55bd26f488ab

Analysis

max time kernel
151s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e104093a86d712f418c526446a18e437c77e766952bfe57c919f55bd26f488ab.exe
Size

8KB
MD5

5ab820b15c95003442d7eeb56793f9f6
SHA1

5b62826ce33bd43a62e4c933bdcf4bb0c9b25375
SHA256

e104093a86d712f418c526446a18e437c77e766952bfe57c919f55bd26f488ab
SHA512

35e39a23e18caa2821ea8fd08df5898bf089ba62a9192de8f14c1d19c1fc108c2f737dec95b0e3762421baa225b6b549a32096e064cba1964757960313d10f0c
SSDEEP

192:zhkVK0bFrX6G8wi/8LgLZBNiNg+S9p15FgmdRH:zaVNbRX9K0Lgoy+SimP

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/804-132-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3692-140-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/804-142-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3692-144-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\inf\exepath.inf	e104093a86d712f418c526446a18e437c77e766952bfe57c919f55bd26f488ab.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3212	sc.exe
4348	sc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe
3692	conime.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
804	e104093a86d712f418c526446a18e437c77e766952bfe57c919f55bd26f488ab.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
804	e104093a86d712f418c526446a18e437c77e766952bfe57c919f55bd26f488ab.exe
3692	conime.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 3692	804	e104093a86d712f418c526446a18e437c77e766952bfe57c919f55bd26f488ab.exe	84
PID 804 wrote to memory of 3692	804	e104093a86d712f418c526446a18e437c77e766952bfe57c919f55bd26f488ab.exe	84
PID 804 wrote to memory of 3692	804	e104093a86d712f418c526446a18e437c77e766952bfe57c919f55bd26f488ab.exe	84
PID 3692 wrote to memory of 3212	3692	conime.exe	85
PID 3692 wrote to memory of 3212	3692	conime.exe	85
PID 3692 wrote to memory of 3212	3692	conime.exe	85
PID 3692 wrote to memory of 4348	3692	conime.exe	87
PID 3692 wrote to memory of 4348	3692	conime.exe	87
PID 3692 wrote to memory of 4348	3692	conime.exe	87
PID 3692 wrote to memory of 3304	3692	conime.exe	89
PID 3692 wrote to memory of 3304	3692	conime.exe	89
PID 3692 wrote to memory of 3304	3692	conime.exe	89

C:\Users\Admin\AppData\Local\Temp\e104093a86d712f418c526446a18e437c77e766952bfe57c919f55bd26f488ab.exe
"C:\Users\Admin\AppData\Local\Temp\e104093a86d712f418c526446a18e437c77e766952bfe57c919f55bd26f488ab.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:804
- C:\Program Files\Internet Explorer\pqsmaa\conime.exe
  "C:\Program Files\Internet Explorer\pqsmaa\conime.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\SysWOW64\sc.exe
    sc config Schedule start= auto
    3⤵
    - Launches sc.exe
    PID:3212
- - C:\Windows\SysWOW64\sc.exe
    sc start Schedule
    3⤵
    - Launches sc.exe
    PID:4348
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /SC ONSTART /RU SYSTEM /TN JOBSTART /TR "\"C:\Program Files\Internet Explorer\pqsmaa\\conime.exe\""
    3⤵
    - Creates scheduled task(s)
    PID:3304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\inf\exepath.inf

Filesize
44B

MD5
79b3d81e93f9c67f8af23bff07d2e4d2

SHA1
1df5d84a3aeb8d7cff1961d777bb4b74eae5f7e5

SHA256
f57fa6c29b9c6e3f6545274a8733d5e696890f12a0a8d69d399fbe0fb63aa56b

SHA512
c7a58749713314d2cb2cbf956f8ca812bd4c45d2b0e140623eb55db74f3a73a1674d82d7ea14a022bf4de9bf77c0058cfca8e5971b68ede6e5d699aacdbed956

Download Submit
memory/804-132-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/804-142-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3692-140-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3692-144-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download