fb373f456b75905018034f493768a17f9458a8e5a433d04c925c4d137724f22c

General

Target

fb373f456b75905018034f493768a17f9458a8e5a433d04c925c4d137724f22c.exe
Size

131KB
MD5

155717a88626227ad8d01c821dbf71ab
SHA1

4622f32d8c97d5a457f4e9ad58aa153acd8cbfac
SHA256

fb373f456b75905018034f493768a17f9458a8e5a433d04c925c4d137724f22c
SHA512

18e86d78578370279ec8d55e4da898f9194169ac4095a739e60c6d39978a7d5815f6069f5e30b3b59cbaa63c4cae7257ec8b1240300669cabf30811c9cf9da3f
SSDEEP

3072:Mc7q9xwhoUhRPkkWfZf5wX/gowJOLEnlywUaBbeWWiUNm:Mz9xwhlkkS+Xoow0mlywJ4a

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
652	conlhost.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\DisableLimit.tiff	conlhost.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2020-55-0x00000000003C0000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/2020-56-0x00000000003C0000-0x0000000000428000-memory.dmp	upx
behavioral1/files/0x000700000001446b-57.dat	upx
behavioral1/files/0x000700000001446b-58.dat	upx
behavioral1/files/0x000700000001446b-60.dat	upx
behavioral1/memory/2020-61-0x00000000003C0000-0x0000000000428000-memory.dmp	upx
behavioral1/files/0x000700000001446b-62.dat	upx
behavioral1/memory/652-66-0x0000000000E80000-0x0000000000EE8000-memory.dmp	upx
behavioral1/memory/652-67-0x0000000000E80000-0x0000000000EE8000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1488	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2020	fb373f456b75905018034f493768a17f9458a8e5a433d04c925c4d137724f22c.exe
2020	fb373f456b75905018034f493768a17f9458a8e5a433d04c925c4d137724f22c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\allkeeper = "C:\\users\\Public\\conlhost.exe"	REG.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com
9	ip-api.com

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 652	2020	fb373f456b75905018034f493768a17f9458a8e5a433d04c925c4d137724f22c.exe	28
PID 2020 wrote to memory of 652	2020	fb373f456b75905018034f493768a17f9458a8e5a433d04c925c4d137724f22c.exe	28
PID 2020 wrote to memory of 652	2020	fb373f456b75905018034f493768a17f9458a8e5a433d04c925c4d137724f22c.exe	28
PID 2020 wrote to memory of 652	2020	fb373f456b75905018034f493768a17f9458a8e5a433d04c925c4d137724f22c.exe	28
PID 652 wrote to memory of 1488	652	conlhost.exe	29
PID 652 wrote to memory of 1488	652	conlhost.exe	29
PID 652 wrote to memory of 1488	652	conlhost.exe	29
PID 652 wrote to memory of 1488	652	conlhost.exe	29
PID 652 wrote to memory of 1140	652	conlhost.exe	32
PID 652 wrote to memory of 1140	652	conlhost.exe	32
PID 652 wrote to memory of 1140	652	conlhost.exe	32
PID 652 wrote to memory of 1140	652	conlhost.exe	32
PID 652 wrote to memory of 1260	652	conlhost.exe	35
PID 652 wrote to memory of 1260	652	conlhost.exe	35
PID 652 wrote to memory of 1260	652	conlhost.exe	35
PID 652 wrote to memory of 1260	652	conlhost.exe	35

C:\Users\Admin\AppData\Local\Temp\fb373f456b75905018034f493768a17f9458a8e5a433d04c925c4d137724f22c.exe
"C:\Users\Admin\AppData\Local\Temp\fb373f456b75905018034f493768a17f9458a8e5a433d04c925c4d137724f22c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020
- C:\users\Public\conlhost.exe
  "C:\users\Public\conlhost.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\users\Public\del.bat
    3⤵
    - Deletes itself
    PID:1488
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d "C:\users\Public\conlhost.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:1140
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE" /v "crypted" /t REG_SZ /d "1" /reg:64
    3⤵
    PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\conlhost.exe

Filesize
131KB

MD5
82e6ab6bb94796773f12008419f33fa6

SHA1
fb9f0a7e4103c9849f02ea7ea76eecf367ca8d61

SHA256
0a4ec1eaeefe086e97785f139d91fdc04ef9e5d5e9d36bd4fd26b1546aceaa70

SHA512
38d6dd1b1eb5cfb977208230ba1e852cf7eec8200e899e5cc09994cf6ecfb7aa0161afbb0c431a89d1153088705402f2c9526a88d4584bb8dc0e8a30caac132c

Download Submit
C:\users\Public\conlhost.exe

Filesize
131KB

MD5
82e6ab6bb94796773f12008419f33fa6

SHA1
fb9f0a7e4103c9849f02ea7ea76eecf367ca8d61

SHA256
0a4ec1eaeefe086e97785f139d91fdc04ef9e5d5e9d36bd4fd26b1546aceaa70

SHA512
38d6dd1b1eb5cfb977208230ba1e852cf7eec8200e899e5cc09994cf6ecfb7aa0161afbb0c431a89d1153088705402f2c9526a88d4584bb8dc0e8a30caac132c

Download Submit
C:\users\Public\del.bat

Filesize
130B

MD5
27df80d0c3855146f671a51d1d35ea80

SHA1
3c0bc45e63a6e17e3784cff7e8af5464c501b358

SHA256
f38af3971c3832073b8af19659c31de7f0feaa9bd59412fa7d53720ca4d03221

SHA512
c93485930253912012f68b716262f1887b1dfed5323c1dd30613b9434b2d3a726a72c355cec00be184e44469079b9d3baead9bee5c661a1137d91a8463223fb9

Download Submit
\Users\Public\conlhost.exe

Filesize
131KB

MD5
82e6ab6bb94796773f12008419f33fa6

SHA1
fb9f0a7e4103c9849f02ea7ea76eecf367ca8d61

SHA256
0a4ec1eaeefe086e97785f139d91fdc04ef9e5d5e9d36bd4fd26b1546aceaa70

SHA512
38d6dd1b1eb5cfb977208230ba1e852cf7eec8200e899e5cc09994cf6ecfb7aa0161afbb0c431a89d1153088705402f2c9526a88d4584bb8dc0e8a30caac132c

Download Submit
\Users\Public\conlhost.exe

Filesize
131KB

MD5
82e6ab6bb94796773f12008419f33fa6

SHA1
fb9f0a7e4103c9849f02ea7ea76eecf367ca8d61

SHA256
0a4ec1eaeefe086e97785f139d91fdc04ef9e5d5e9d36bd4fd26b1546aceaa70

SHA512
38d6dd1b1eb5cfb977208230ba1e852cf7eec8200e899e5cc09994cf6ecfb7aa0161afbb0c431a89d1153088705402f2c9526a88d4584bb8dc0e8a30caac132c

Download Submit
memory/652-66-0x0000000000E80000-0x0000000000EE8000-memory.dmp

Filesize
416KB

Download
memory/652-67-0x0000000000E80000-0x0000000000EE8000-memory.dmp

Filesize
416KB

Download
memory/2020-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/2020-61-0x00000000003C0000-0x0000000000428000-memory.dmp

Filesize
416KB

Download
memory/2020-56-0x00000000003C0000-0x0000000000428000-memory.dmp

Filesize
416KB

Download
memory/2020-55-0x00000000003C0000-0x0000000000428000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing