117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c.exe
Size

13KB
MD5

1434fef947d24fddc87a3ab2d391094d
SHA1

03197b83af1c6199ce35e21f2507e75004686eaf
SHA256

117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c
SHA512

83b07cb24f672d9a0fc92f1a1e7712cc01a01b8f7e7e6a7f642f5159c52658bb8fd8b8e5319a0e0529dd512b808ddbcae79e9693b6d06317167525bbf523e249
SSDEEP

192:4jPWgKRVzOJ4f9+hW+E1tWTUhOaQyzhRipwIFhg2n8cLZGxBEP4oynnWFg7:4j+gqzOJf4QryzhQpjrgpcLZGxBq40m

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1288	conime.exe

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-B933-11d2-9CBD-0000F87A369E}	conime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-B933-11d2-9CBD-0000F87A369E}\ = "Ver933"	conime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AENGFU3AA-B933-11d2-9CBD-0000F87A369E}\stubpath = "C:\\WINDOWS\\Qedie\\conime.exe"	conime.exe

Deletes itself 1 IoCs

pid	Process
1288	conime.exe

Loads dropped DLL 1 IoCs

pid	Process
820	117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	\??\c:\Program Files\933.txt	117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\Qedie\conime.exe	117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c.exe
File opened for modification	C:\WINDOWS\Qedie\conime.exe	117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 820	1284	117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c.exe	27
PID 1284 wrote to memory of 820	1284	117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c.exe	27
PID 1284 wrote to memory of 820	1284	117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c.exe	27
PID 1284 wrote to memory of 820	1284	117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c.exe	27
PID 820 wrote to memory of 1288	820	117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c.exe	28
PID 820 wrote to memory of 1288	820	117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c.exe	28
PID 820 wrote to memory of 1288	820	117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c.exe	28
PID 820 wrote to memory of 1288	820	117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c.exe	28

C:\Users\Admin\AppData\Local\Temp\117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c.exe
"C:\Users\Admin\AppData\Local\Temp\117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c.exe
  C:\Users\Admin\AppData\Local\Temp\117d9731b7b79e6815f4d0aab8dcdac44c290211a6f514a940d9626fe5b2050c.exe
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\WINDOWS\Qedie\conime.exe
    C:\WINDOWS\Qedie\conime.exe
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Deletes itself
    PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Qedie\conime.exe

Filesize
24KB

MD5
9def403c36da18618ff4d9e439ef1f7e

SHA1
acfeab4def6d1fdd65829119f911280bd811426b

SHA256
015b677ccfc89c67ad263a4f42bfe3c20516a6c230d93c827d1b4b9ad020feaa

SHA512
3e798f35a1cddc3dbd8bee030d8e4f226748c9a2405138f34695c965269f7c97db21e33e16fd3773e97fe6905d6a5efa9d1ad238ab0b7966667a457046b09368

Download Submit
\??\c:\Program Files\933.txt

Filesize
102B

MD5
a9c39523ab72d048aeeed6e4de7e2969

SHA1
0029353c6885630597e356e9e7f86fc559fe625e

SHA256
60bb51b7f9cd292b316e9db1d70f4eb1d86006a711de1409ea1bb635e7e3c331

SHA512
523252a8eb1527fd49d34c77a71dce4d5e58ce8e71f01ebac6a2367da665c95730dea79b7afce47b271ce22492f0ee2960c3b8dc720e8ea784a25c3dec06568c

Download Submit
\Windows\Qedie\conime.exe

Filesize
24KB

MD5
9def403c36da18618ff4d9e439ef1f7e

SHA1
acfeab4def6d1fdd65829119f911280bd811426b

SHA256
015b677ccfc89c67ad263a4f42bfe3c20516a6c230d93c827d1b4b9ad020feaa

SHA512
3e798f35a1cddc3dbd8bee030d8e4f226748c9a2405138f34695c965269f7c97db21e33e16fd3773e97fe6905d6a5efa9d1ad238ab0b7966667a457046b09368

Download Submit
memory/820-54-0x0000000000000000-mapping.dmp

Download
memory/1288-56-0x0000000000000000-mapping.dmp

Download
memory/1288-59-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download