Analysis

max time kernel: 186s
max time network: 194s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 19:02
Static task: static1

Behavioral task: behavioral1
Sample: a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe
Resource: win10v2004-20221111-en
General

Target: a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe
Size: 110KB
MD5: 263c4ff75d3326332d8726973b438dce
SHA1: 5428f37be9496e116824942365f1e858532add63
SHA256: a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0
SHA512: 3e5126f60c7cdaad1835fe7bbd75c270ba5ce80fa2b86ec90afa2bb05cae7f3323bec0df444f4b8234570e9a63fe6da1907bd6e570e4ded8fa7cbe9b3dd0e970
SSDEEP: 1536:gHZJpUtSkvNYa1zLQezA/i4g/JWVR/Yps6LaUIYgCcyvBZYwL3iQogA6Td2:gBUtSkvNYaLRi1QsItZLH
Malware Config

Signatures

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe

| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe |
Executes dropped EXE 1 IoCs
Processes: conima.exe

| pid | process |
|---|---|
| 3208 | conima.exe |
Adds Run key to start application 2 TTPs 3 IoCs
Processes: a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe, Rundll32.exe

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Input Manager = "C:\\Users\\Admin\\AppData\\Local\\conima.exe" | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | Rundll32.exe |
Checks whether UAC is enabled
Processes: a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: runonce.exe

| description | ioc | process |
|---|---|---|
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | runonce.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | runonce.exe |
Modifies Internet Explorer settings
Processes: a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe

| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no" | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Use FormSuggest = "yes" | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "yes" | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes" | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes" | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe |
Modifies data under HKEY_USERS 2 IoCs
Processes: a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601 = "0" | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe |
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe, conima.exe

| pid | process |
|---|---|
| 732 | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe |
| 732 | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe |
| 732 | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe |
| 3208 | conima.exe |
| 3208 | conima.exe |
| 3208 | conima.exe |
Suspicious use of WriteProcessMemory 15 IoCs
Processes: a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe, Rundll32.exe, runonce.exe

| description | pid | process | target process |
|---|---|---|---|
| PID 732 wrote to memory of 3628 | 732 | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe | Rundll32.exe |
| PID 732 wrote to memory of 3628 | 732 | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe | Rundll32.exe |
| PID 732 wrote to memory of 3628 | 732 | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe | Rundll32.exe |
| PID 3628 wrote to memory of 3392 | 3628 | Rundll32.exe | runonce.exe |
| PID 3628 wrote to memory of 3392 | 3628 | Rundll32.exe | runonce.exe |
| PID 3628 wrote to memory of 3392 | 3628 | Rundll32.exe | runonce.exe |
| PID 732 wrote to memory of 3208 | 732 | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe | conima.exe |
| PID 732 wrote to memory of 3208 | 732 | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe | conima.exe |
| PID 732 wrote to memory of 3208 | 732 | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe | conima.exe |
| PID 732 wrote to memory of 2920 | 732 | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe | cmd.exe |
| PID 732 wrote to memory of 2920 | 732 | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe | cmd.exe |
| PID 732 wrote to memory of 2920 | 732 | a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe | cmd.exe |
| PID 3392 wrote to memory of 3632 | 3392 | runonce.exe | grpconv.exe |
| PID 3392 wrote to memory of 3632 | 3392 | runonce.exe | grpconv.exe |
| PID 3392 wrote to memory of 3632 | 3392 | runonce.exe | grpconv.exe |
Processes

C:\Users\Admin\AppData\Local\Temp\a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0.exe"
PID: 732
- Modifies visibility of hidden/system files in Explorer
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Rundll32.exe (depth 2, child of PID 732)
  Command line: Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\hujksrtjr.inf
  PID: 3628
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\runonce.exe (depth 3, child of PID 3628)
    Command line: "C:\Windows\system32\runonce.exe" -r
    PID: 3392
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\grpconv.exe (depth 4, child of PID 3392)
      Command line: "C:\Windows\System32\grpconv.exe" -o
      PID: 3632

  C:\Users\Admin\AppData\Local\conima.exe (depth 2, child of PID 732)
  Command line: C:\Users\Admin\AppData\Local\conima.exe -sysrun
  PID: 3208
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe (depth 2, child of PID 732)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\0VTcnR7j.bat
  PID: 2920
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
Filesize: 254B
MD5: 7558009fda60fdc3cd956197342f3064
SHA1: 1f3dbc558aefb182e7893a1f4ff71c1b0c1f3620
SHA256: 4e334f2b09f3fdf73d6c40e52023261f29464e16de24f5f36228aae42f1a2460
SHA512: e245035381941a421cc2ad31b3b987201c9cf2041343194f7bf462140f6feb92b647d04a27881a481616f9de04a0ea957772c02bbbec5307c9b07c13f61fc2f8

File 2
Filesize: 110KB
MD5: 263c4ff75d3326332d8726973b438dce
SHA1: 5428f37be9496e116824942365f1e858532add63
SHA256: a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0
SHA512: 3e5126f60c7cdaad1835fe7bbd75c270ba5ce80fa2b86ec90afa2bb05cae7f3323bec0df444f4b8234570e9a63fe6da1907bd6e570e4ded8fa7cbe9b3dd0e970

File 3
Filesize: 110KB
MD5: 263c4ff75d3326332d8726973b438dce
SHA1: 5428f37be9496e116824942365f1e858532add63
SHA256: a9ec894d386d83f0e650b89dbaa2709c45542631cb570f6244ed37d6cc96c0d0
SHA512: 3e5126f60c7cdaad1835fe7bbd75c270ba5ce80fa2b86ec90afa2bb05cae7f3323bec0df444f4b8234570e9a63fe6da1907bd6e570e4ded8fa7cbe9b3dd0e970

File 4
Filesize: 384B
MD5: a3007fea94fbfe818a9d97387a8dae8c
SHA1: 782a426aa85aaf2780ccdee49b9ae1925911fb9f
SHA256: 9bc9d908791e7a22a737a258e29e11d353548c69fe5c914b5919fe84ec1c80c3
SHA512: 6c66cbc72ec8c5a30cc9aea812210963139ea7cfeedd0f36222d5017350a738d129c6c327215d979f448d093f06e0bf4b24a0fa80aaf9e75a56e434028610b75