Analysis

  • max time kernel
    64s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-12-2022 11:47

General

  • Target

    ConnectShellSetup11.exe

  • Size

    609KB

  • MD5

    00b6898bf01716f6fe6c1fc1e7256905

  • SHA1

    aedd9210f27091f9b8ad654b4558609c2688379d

  • SHA256

    919eca4e74525fe9a5caafcb0be729be64a9773d4607a2fb615f128f64b1faaf

  • SHA512

    48a0c45996f5165ccd86d2d6454f8738072f4911556e822a0ff6ba8f293802fca39290659c30a394796857bbe8734b6f9fa1bc74ef4dc66d16bb87643c9d18a5

  • SSDEEP

    12288:EA88Vmz5maLaNuGIoS30Dw6SVjgJfNJtPOu/u2/xLyRJWTLgRT06raYED/CyZeU/:EA3SeIvifNJxOuRTlN/CWuWO3A

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ConnectShellSetup11.exe
    "C:\Users\Admin\AppData\Local\Temp\ConnectShellSetup11.exe"
    1⤵
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\Users\Admin\AppData\Roaming\Adobe\Connect\connectdetector.exe
      C:\Users\Admin\AppData\Roaming\Adobe\Connect\connectdetector.exe
      2⤵
      • Executes dropped EXE
      PID:4176

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Connect\ConnectDetector.exe

    Filesize

    644KB

    MD5

    77a4c18414964e80b8bbbadf52319578

    SHA1

    389a72b64274b2c171548a6c899d4bbb0ee17cdf

    SHA256

    1bb861dca97f170e7b454e136936a9838133ee7977887403f45362e019ba9f2f

    SHA512

    61acc7ab259975915d312e16f63781bb9c5b841da162e7f27e6174481eea2af31f64b44cb1d30269b5f36c42d1ecf49a91764754fb6e899b0582c8b5727709d9

  • C:\Users\Admin\AppData\Roaming\Adobe\Connect\connectdetector.exe

    Filesize

    644KB

    MD5

    77a4c18414964e80b8bbbadf52319578

    SHA1

    389a72b64274b2c171548a6c899d4bbb0ee17cdf

    SHA256

    1bb861dca97f170e7b454e136936a9838133ee7977887403f45362e019ba9f2f

    SHA512

    61acc7ab259975915d312e16f63781bb9c5b841da162e7f27e6174481eea2af31f64b44cb1d30269b5f36c42d1ecf49a91764754fb6e899b0582c8b5727709d9

  • memory/4176-132-0x0000000000000000-mapping.dmp