7138cd509c6c098feaf4128f7ed5b74a74a646e45137c6550f1231dbdac22600

General

Target

7138cd509c6c098feaf4128f7ed5b74a74a646e45137c6550f1231dbdac22600.exe
Size

368KB
MD5

dc4ae2105938cb68c5b6988465e13da1
SHA1

4bf9313e1b4f51df9b94cf73e36adb53f8c29ac0
SHA256

7138cd509c6c098feaf4128f7ed5b74a74a646e45137c6550f1231dbdac22600
SHA512

02ad76fcda95f5fc06bc8c5f0fa7e103379f7001e05f1bb23bfe1e67262bda8b045ae1f317569aa30a44566bf26bcb487ec9319f1a51fff79d57c40612b1bdf7
SSDEEP

6144:/aPIWVeTdJKsLxgcSNDQL5Q9VuwLmh0kdH371o0:/uTs1gBpQL5kmh0671o0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1228	conlhost.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ConvertFromSearch.tiff	conlhost.exe
File opened for modification	C:\Users\Admin\Pictures\DebugUnregister.tiff	conlhost.exe

Deletes itself 1 IoCs

pid	Process
1700	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	7138cd509c6c098feaf4128f7ed5b74a74a646e45137c6550f1231dbdac22600.exe
2036	7138cd509c6c098feaf4128f7ed5b74a74a646e45137c6550f1231dbdac22600.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\allkeeper = "C:\\users\\Public\\conlhost.exe"	REG.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1228	2036	7138cd509c6c098feaf4128f7ed5b74a74a646e45137c6550f1231dbdac22600.exe	30
PID 2036 wrote to memory of 1228	2036	7138cd509c6c098feaf4128f7ed5b74a74a646e45137c6550f1231dbdac22600.exe	30
PID 2036 wrote to memory of 1228	2036	7138cd509c6c098feaf4128f7ed5b74a74a646e45137c6550f1231dbdac22600.exe	30
PID 2036 wrote to memory of 1228	2036	7138cd509c6c098feaf4128f7ed5b74a74a646e45137c6550f1231dbdac22600.exe	30
PID 1228 wrote to memory of 1700	1228	conlhost.exe	31
PID 1228 wrote to memory of 1700	1228	conlhost.exe	31
PID 1228 wrote to memory of 1700	1228	conlhost.exe	31
PID 1228 wrote to memory of 1700	1228	conlhost.exe	31
PID 1228 wrote to memory of 1764	1228	conlhost.exe	34
PID 1228 wrote to memory of 1764	1228	conlhost.exe	34
PID 1228 wrote to memory of 1764	1228	conlhost.exe	34
PID 1228 wrote to memory of 1764	1228	conlhost.exe	34
PID 1228 wrote to memory of 1568	1228	conlhost.exe	37
PID 1228 wrote to memory of 1568	1228	conlhost.exe	37
PID 1228 wrote to memory of 1568	1228	conlhost.exe	37
PID 1228 wrote to memory of 1568	1228	conlhost.exe	37

C:\Users\Admin\AppData\Local\Temp\7138cd509c6c098feaf4128f7ed5b74a74a646e45137c6550f1231dbdac22600.exe
"C:\Users\Admin\AppData\Local\Temp\7138cd509c6c098feaf4128f7ed5b74a74a646e45137c6550f1231dbdac22600.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036
- C:\users\Public\conlhost.exe
  "C:\users\Public\conlhost.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\users\Public\del.bat
    3⤵
    - Deletes itself
    PID:1700
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d "C:\users\Public\conlhost.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:1764
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE" /v "crypted" /t REG_SZ /d "1" /reg:64
    3⤵
    PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\conlhost.exe

Filesize
368KB

MD5
94ff892ae7927856c2ebff32bcf5704f

SHA1
c19dda93b4d32e3a8976b9f61a98f9e932e3dfcb

SHA256
3a604b4069f67b3ff933ac253e6ce3be2ae883584a69ff4512b1b0ee9c76d74b

SHA512
4419d43b86c0fec197669d563a1bd3d12f512c8e912e996ab8000d8e006f5d4d9e3b6fdb1325c092103e6f3078829dc5aad99de9d92e4f7b3b66eaf0024ebdcb

Download Submit
C:\users\Public\conlhost.exe

Filesize
368KB

MD5
94ff892ae7927856c2ebff32bcf5704f

SHA1
c19dda93b4d32e3a8976b9f61a98f9e932e3dfcb

SHA256
3a604b4069f67b3ff933ac253e6ce3be2ae883584a69ff4512b1b0ee9c76d74b

SHA512
4419d43b86c0fec197669d563a1bd3d12f512c8e912e996ab8000d8e006f5d4d9e3b6fdb1325c092103e6f3078829dc5aad99de9d92e4f7b3b66eaf0024ebdcb

Download Submit
C:\users\Public\del.bat

Filesize
130B

MD5
c56da57d7cd38194bb77cf4af01c1303

SHA1
83d8aa6a0a1907d4b75f924d72a66ff4060adf93

SHA256
6a33e468731a7cf2265edd54e4275abcbef829d53f2557d0c2261175962a09f0

SHA512
51fbed1701adca7d915b302a01c01362cbc1e1a0b7f21615247d86a0defc1ca1af1a252bb5f0389390a0161a17d3675c29460383783aa29fbcc4bafe14eebdb4

Download Submit
\Users\Public\conlhost.exe

Filesize
368KB

MD5
94ff892ae7927856c2ebff32bcf5704f

SHA1
c19dda93b4d32e3a8976b9f61a98f9e932e3dfcb

SHA256
3a604b4069f67b3ff933ac253e6ce3be2ae883584a69ff4512b1b0ee9c76d74b

SHA512
4419d43b86c0fec197669d563a1bd3d12f512c8e912e996ab8000d8e006f5d4d9e3b6fdb1325c092103e6f3078829dc5aad99de9d92e4f7b3b66eaf0024ebdcb

Download Submit
\Users\Public\conlhost.exe

Filesize
368KB

MD5
94ff892ae7927856c2ebff32bcf5704f

SHA1
c19dda93b4d32e3a8976b9f61a98f9e932e3dfcb

SHA256
3a604b4069f67b3ff933ac253e6ce3be2ae883584a69ff4512b1b0ee9c76d74b

SHA512
4419d43b86c0fec197669d563a1bd3d12f512c8e912e996ab8000d8e006f5d4d9e3b6fdb1325c092103e6f3078829dc5aad99de9d92e4f7b3b66eaf0024ebdcb

Download Submit
memory/1228-57-0x0000000000000000-mapping.dmp

Download
memory/1568-64-0x0000000000000000-mapping.dmp

Download
memory/1700-61-0x0000000000000000-mapping.dmp

Download
memory/1764-63-0x0000000000000000-mapping.dmp

Download
memory/2036-54-0x00000000753D1000-0x00000000753D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing