4f60e0c2fc72ccd0d3daec562d158884ef4110c215c873c440fc10f8d0593773

General

Target

4f60e0c2fc72ccd0d3daec562d158884ef4110c215c873c440fc10f8d0593773.exe
Size

363KB
MD5

54919e1bd37c6431b3b1b8b6d53aabfe
SHA1

c2327bab84fa0d55cc23ee5006c83f0a6dc53e4c
SHA256

4f60e0c2fc72ccd0d3daec562d158884ef4110c215c873c440fc10f8d0593773
SHA512

9b1d07e28cc63075748d42c2afdac6f55332d35dcd791c93ecfbe73d5868c3fbc84558f0778358e576babb955210b4fc79a263fa703009ed247391ccc3790722
SSDEEP

6144:5aPIWVeTdJKsLxgcSNDQL5Q9VuwLmh0kdH371oe:5uTs1gBpQL5kmh0671oe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
892	conlhost.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\DisableLimit.tiff	conlhost.exe

Deletes itself 1 IoCs

pid	Process
1868	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2020	4f60e0c2fc72ccd0d3daec562d158884ef4110c215c873c440fc10f8d0593773.exe
2020	4f60e0c2fc72ccd0d3daec562d158884ef4110c215c873c440fc10f8d0593773.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\allkeeper = "C:\\users\\Public\\conlhost.exe"	REG.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 892	2020	4f60e0c2fc72ccd0d3daec562d158884ef4110c215c873c440fc10f8d0593773.exe	28
PID 2020 wrote to memory of 892	2020	4f60e0c2fc72ccd0d3daec562d158884ef4110c215c873c440fc10f8d0593773.exe	28
PID 2020 wrote to memory of 892	2020	4f60e0c2fc72ccd0d3daec562d158884ef4110c215c873c440fc10f8d0593773.exe	28
PID 2020 wrote to memory of 892	2020	4f60e0c2fc72ccd0d3daec562d158884ef4110c215c873c440fc10f8d0593773.exe	28
PID 892 wrote to memory of 1868	892	conlhost.exe	30
PID 892 wrote to memory of 1868	892	conlhost.exe	30
PID 892 wrote to memory of 1868	892	conlhost.exe	30
PID 892 wrote to memory of 1868	892	conlhost.exe	30
PID 892 wrote to memory of 1740	892	conlhost.exe	32
PID 892 wrote to memory of 1740	892	conlhost.exe	32
PID 892 wrote to memory of 1740	892	conlhost.exe	32
PID 892 wrote to memory of 1740	892	conlhost.exe	32
PID 892 wrote to memory of 1052	892	conlhost.exe	35
PID 892 wrote to memory of 1052	892	conlhost.exe	35
PID 892 wrote to memory of 1052	892	conlhost.exe	35
PID 892 wrote to memory of 1052	892	conlhost.exe	35

C:\Users\Admin\AppData\Local\Temp\4f60e0c2fc72ccd0d3daec562d158884ef4110c215c873c440fc10f8d0593773.exe
"C:\Users\Admin\AppData\Local\Temp\4f60e0c2fc72ccd0d3daec562d158884ef4110c215c873c440fc10f8d0593773.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020
- C:\users\Public\conlhost.exe
  "C:\users\Public\conlhost.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\users\Public\del.bat
    3⤵
    - Deletes itself
    PID:1868
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d "C:\users\Public\conlhost.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:1740
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE" /v "crypted" /t REG_SZ /d "1" /reg:64
    3⤵
    PID:1052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\conlhost.exe

Filesize
363KB

MD5
8546432aa039aa56e5cfc3a7745aaeb3

SHA1
7b9eed431f43c7111cf059a674d0f41a98478f24

SHA256
cd51a1210e58e2faa15e7be3395a7270e4aa2c8f632396a71cf99f3eb9a46ac1

SHA512
7903c1a2e1e533f0f0894af5327028ba485772535110c7544181b2df59fcb3a200f47948d65a697e8c0e66094307c8af5648534b0c7c7b3b6d80eb466c1b1ff2

Download Submit
C:\users\Public\conlhost.exe

Filesize
363KB

MD5
8546432aa039aa56e5cfc3a7745aaeb3

SHA1
7b9eed431f43c7111cf059a674d0f41a98478f24

SHA256
cd51a1210e58e2faa15e7be3395a7270e4aa2c8f632396a71cf99f3eb9a46ac1

SHA512
7903c1a2e1e533f0f0894af5327028ba485772535110c7544181b2df59fcb3a200f47948d65a697e8c0e66094307c8af5648534b0c7c7b3b6d80eb466c1b1ff2

Download Submit
C:\users\Public\del.bat

Filesize
130B

MD5
7a7b5ecbedf88d68ebaadc94b4d4aa28

SHA1
ddd995ab350655c23eac808d86102094bb8263d2

SHA256
efa0f89bf88e23b3de5931571c180ae80bd784b02ea1e5f433e84fe8d3fd9c82

SHA512
8b9b7829d05755106292f5d90cb1c483360a5e4c81d484f32521003b9f7f9dda6957a2a8c1de7e08a7bcf80980030ba79ff8838374834b96077f3f4288c87578

Download Submit
\Users\Public\conlhost.exe

Filesize
363KB

MD5
8546432aa039aa56e5cfc3a7745aaeb3

SHA1
7b9eed431f43c7111cf059a674d0f41a98478f24

SHA256
cd51a1210e58e2faa15e7be3395a7270e4aa2c8f632396a71cf99f3eb9a46ac1

SHA512
7903c1a2e1e533f0f0894af5327028ba485772535110c7544181b2df59fcb3a200f47948d65a697e8c0e66094307c8af5648534b0c7c7b3b6d80eb466c1b1ff2

Download Submit
\Users\Public\conlhost.exe

Filesize
363KB

MD5
8546432aa039aa56e5cfc3a7745aaeb3

SHA1
7b9eed431f43c7111cf059a674d0f41a98478f24

SHA256
cd51a1210e58e2faa15e7be3395a7270e4aa2c8f632396a71cf99f3eb9a46ac1

SHA512
7903c1a2e1e533f0f0894af5327028ba485772535110c7544181b2df59fcb3a200f47948d65a697e8c0e66094307c8af5648534b0c7c7b3b6d80eb466c1b1ff2

Download Submit
memory/2020-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing