Analysis
- max time kernel: 147s
- max time network: 185s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-11-2022 13:08
Behavioral task: behavioral1
- Sample: 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe
- Resource: win10v2004-20221111-en
General
- Target: 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe
- Size: 45KB
- MD5: 0825a8dc788a065f6c83bac0198704a3
- SHA1: c5e6eb4acee804a0ae1e3a0cdbb4d40dc5f7d736
- SHA256: 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16
- SHA512: d98ac956c651a1a95c96f35bc4fcb4e44e22ef8ec716559cd951c5255169ee7c5dfde5712f43834b965bb5012f18e43984131393f889d026a60c15475479adf6
- SSDEEP: 768:gAYG+lzc/ujL+yuSElTTrA7e/GMHZHfsOCawygumxmha5:r+9+yVWTI7eDNfsOCVbun
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Processes (process | description | ioc):
- 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Processes (resource | yara_rule):
- C:\Windows\Temp\conima.exe | aspack_v212_v242
- C:\Windows\temp\conima.exe | aspack_v212_v242
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes (process | description | ioc):
- 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Input Manager = "C:\\Windows\\temp\\conima.exe"
- Executes dropped EXE (1 IoCs)
Processes (pid | process):
- 624 | conima.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (process | description | ioc):
- Rundll32.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"
- Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (process | description | ioc):
- runonce.exe | Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- runonce.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Modifies Internet Explorer settings
Processes (process | description | ioc):
- 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "yes"
- 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"
- 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"
- 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no"
- 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main
- 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Use FormSuggest = "yes"
- 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | Key created | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Internet Explorer\Main
- Modifies data under HKEY_USERS (2 IoCs)
Processes (process | description | ioc):
- 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601 = "0"
- Suspicious use of SetWindowsHookEx (6 IoCs)
Processes (pid | process):
- 4392 | 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe
- 4392 | 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe
- 4392 | 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe
- 624 | conima.exe
- 624 | conima.exe
- 624 | conima.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description | pid | process | target process):
- PID 4392 wrote to memory of 3736 | 4392 | 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | Rundll32.exe
- PID 4392 wrote to memory of 3736 | 4392 | 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | Rundll32.exe
- PID 4392 wrote to memory of 3736 | 4392 | 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | Rundll32.exe
- PID 3736 wrote to memory of 1800 | 3736 | Rundll32.exe | runonce.exe
- PID 3736 wrote to memory of 1800 | 3736 | Rundll32.exe | runonce.exe
- PID 3736 wrote to memory of 1800 | 3736 | Rundll32.exe | runonce.exe
- PID 4392 wrote to memory of 624 | 4392 | 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | conima.exe
- PID 4392 wrote to memory of 624 | 4392 | 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | conima.exe
- PID 4392 wrote to memory of 624 | 4392 | 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | conima.exe
- PID 4392 wrote to memory of 3348 | 4392 | 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | cmd.exe
- PID 4392 wrote to memory of 3348 | 4392 | 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | cmd.exe
- PID 4392 wrote to memory of 3348 | 4392 | 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe | cmd.exe
- PID 1800 wrote to memory of 3108 | 1800 | runonce.exe | grpconv.exe
- PID 1800 wrote to memory of 3108 | 1800 | runonce.exe | grpconv.exe
- PID 1800 wrote to memory of 3108 | 1800 | runonce.exe | grpconv.exe
Processes (process tree; the number is the depth in the tree)
1. C:\Users\Admin\AppData\Local\Temp\401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16.exe"
   - Modifies visibility of hidden/system files in Explorer
   - Adds policy Run key to start application
   - Modifies Internet Explorer settings
   - Modifies data under HKEY_USERS
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\Rundll32.exe
      Command line: Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Windows\temp\hujksrtjr.inf
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\runonce.exe
         Command line: "C:\Windows\system32\runonce.exe" -r
         - Checks processor information in registry
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\grpconv.exe
            Command line: "C:\Windows\System32\grpconv.exe" -o
   2. C:\Windows\temp\conima.exe
      Command line: C:\Windows\temp\conima.exe -sysrun
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\temp\PvOLAgIQ.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Temp\conima.exe
  Filesize: 45KB
  MD5: 0825a8dc788a065f6c83bac0198704a3
  SHA1: c5e6eb4acee804a0ae1e3a0cdbb4d40dc5f7d736
  SHA256: 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16
  SHA512: d98ac956c651a1a95c96f35bc4fcb4e44e22ef8ec716559cd951c5255169ee7c5dfde5712f43834b965bb5012f18e43984131393f889d026a60c15475479adf6
- C:\Windows\temp\PvOLAgIQ.bat
  Filesize: 254B
  MD5: 115d9c2e2cad61389a11d505d63a2a5c
  SHA1: b6057702b3ea4e3b704bf1e15512a467acc60413
  SHA256: 0b413b4fdbc849e420030b7d31b48e759979b48063fc543a474ff315ba2e7d18
  SHA512: 35867931b869b094264c23f62df34eb79c7e0662c015f1f4e92eb480a10bfb178d4dd4fc05892ce655750f16b77d34576d637b1752a52196577a59a60e199146
- C:\Windows\temp\conima.exe
  Filesize: 45KB
  MD5: 0825a8dc788a065f6c83bac0198704a3
  SHA1: c5e6eb4acee804a0ae1e3a0cdbb4d40dc5f7d736
  SHA256: 401024b77a10a777700ac9b74cf49ac5d0e5f0de6d78fa18a8ef9cd6e893ed16
  SHA512: d98ac956c651a1a95c96f35bc4fcb4e44e22ef8ec716559cd951c5255169ee7c5dfde5712f43834b965bb5012f18e43984131393f889d026a60c15475479adf6
- C:\Windows\temp\hujksrtjr.inf
  Filesize: 371B
  MD5: cddafe5b551b7c4cbc4fa67d5de6e1ad
  SHA1: bde6279d749e7d0427dbe45d4094351c1f302dab
  SHA256: d0f25a7019458f54409a446c9614d6df14864df1d5d148ea4e818a0813980eb9
  SHA512: 9e528dbaaf84cf4ef7a8931654e782a02396709311adcc756c42543d63966fd5517bb3f4c9dc9d99e7d6608ad676a44f388909ceac65bf98223167ab0a3a83e2
- memory/624-138-0x0000000000000000-mapping.dmp
- memory/624-143-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/624-148-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/1800-137-0x0000000000000000-mapping.dmp
- memory/3108-146-0x0000000000000000-mapping.dmp
- memory/3348-144-0x0000000000000000-mapping.dmp
- memory/3736-135-0x0000000000000000-mapping.dmp
- memory/4392-134-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/4392-147-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB