a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0

General

Target

a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe
Size

110KB
MD5

263c4ff75d3326332d8726973b438dce
SHA1

5428f37be9496e116824942365f1e858532add63
SHA256

a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0
SHA512

3e5126f60c7cdaad1835fe7bbd75c270ba5ce80fa2b86ec90afa2bb05cae7f3323bec0df444f4b8234570e9a63fe6da1907bd6e570e4ded8fa7cbe9b3dd0e970
SSDEEP

1536:gHZJpUtSkvNYa1zLQezA/i4g/JWVR/Yps6LaUIYgCcyvBZYwL3iQogA6Td2:gBUtSkvNYaLRi1QsItZLH

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe

Executes dropped EXE 1 IoCs

Processes:

conima.exe

pid process

3208 conima.exe

pid	process
3208	conima.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exeRundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Input Manager = "C:\\Users\\Admin\\AppData\\Local\\conima.exe"	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	Rundll32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

Processes:

a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no"	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Use FormSuggest = "yes"	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "yes"	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601 = "0"	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.execonima.exe

pid	process
732	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe
732	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe
732	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe
3208	conima.exe
3208	conima.exe
3208	conima.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exeRundll32.exerunonce.exe

description	pid	process	target process
PID 732 wrote to memory of 3628	732	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe	Rundll32.exe
PID 732 wrote to memory of 3628	732	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe	Rundll32.exe
PID 732 wrote to memory of 3628	732	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe	Rundll32.exe
PID 3628 wrote to memory of 3392	3628	Rundll32.exe	runonce.exe
PID 3628 wrote to memory of 3392	3628	Rundll32.exe	runonce.exe
PID 3628 wrote to memory of 3392	3628	Rundll32.exe	runonce.exe
PID 732 wrote to memory of 3208	732	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe	conima.exe
PID 732 wrote to memory of 3208	732	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe	conima.exe
PID 732 wrote to memory of 3208	732	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe	conima.exe
PID 732 wrote to memory of 2920	732	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe	cmd.exe
PID 732 wrote to memory of 2920	732	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe	cmd.exe
PID 732 wrote to memory of 2920	732	a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe	cmd.exe
PID 3392 wrote to memory of 3632	3392	runonce.exe	grpconv.exe
PID 3392 wrote to memory of 3632	3392	runonce.exe	grpconv.exe
PID 3392 wrote to memory of 3632	3392	runonce.exe	grpconv.exe

C:\Users\Admin\AppData\Local\Temp\a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe
"C:\Users\Admin\AppData\Local\Temp\a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SysWOW64\Rundll32.exe
Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\hujksrtjr.inf
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
3⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SysWOW64\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
4⤵
PID:3632

C:\Users\Admin\AppData\Local\conima.exe
C:\Users\Admin\AppData\Local\conima.exe -sysrun
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\0VTcnR7j.bat
2⤵
PID:2920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0VTcnR7j.bat

Filesize
254B

MD5
7558009fda60fdc3cd956197342f3064

SHA1
1f3dbc558aefb182e7893a1f4ff71c1b0c1f3620

SHA256
4e334f2b09f3fdf73d6c40e52023261f29464e16de24f5f36228aae42f1a2460

SHA512
e245035381941a421cc2ad31b3b987201c9cf2041343194f7bf462140f6feb92b647d04a27881a481616f9de04a0ea957772c02bbbec5307c9b07c13f61fc2f8

Download Submit
C:\Users\Admin\AppData\Local\conima.exe

Filesize
110KB

MD5
263c4ff75d3326332d8726973b438dce

SHA1
5428f37be9496e116824942365f1e858532add63

SHA256
a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0

SHA512
3e5126f60c7cdaad1835fe7bbd75c270ba5ce80fa2b86ec90afa2bb05cae7f3323bec0df444f4b8234570e9a63fe6da1907bd6e570e4ded8fa7cbe9b3dd0e970

Download Submit
C:\Users\Admin\AppData\Local\conima.exe

Filesize
110KB

MD5
263c4ff75d3326332d8726973b438dce

SHA1
5428f37be9496e116824942365f1e858532add63

SHA256
a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0

SHA512
3e5126f60c7cdaad1835fe7bbd75c270ba5ce80fa2b86ec90afa2bb05cae7f3323bec0df444f4b8234570e9a63fe6da1907bd6e570e4ded8fa7cbe9b3dd0e970

Download Submit
C:\Users\Admin\AppData\Local\hujksrtjr.inf

Filesize
384B

MD5
a3007fea94fbfe818a9d97387a8dae8c

SHA1
782a426aa85aaf2780ccdee49b9ae1925911fb9f

SHA256
9bc9d908791e7a22a737a258e29e11d353548c69fe5c914b5919fe84ec1c80c3

SHA512
6c66cbc72ec8c5a30cc9aea812210963139ea7cfeedd0f36222d5017350a738d129c6c327215d979f448d093f06e0bf4b24a0fa80aaf9e75a56e434028610b75

Download Submit
memory/732-134-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/732-147-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2920-143-0x0000000000000000-mapping.dmp

Download
memory/3208-138-0x0000000000000000-mapping.dmp

Download
memory/3208-144-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3208-148-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3392-137-0x0000000000000000-mapping.dmp

Download
memory/3628-135-0x0000000000000000-mapping.dmp

Download
memory/3632-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads