8a785d77405ec5fa2a2809481d2ae3ccc39ebe9a22936b770ebf62aa4a6db8f1

General

Target

8a785d77405ec5fa2a2809481d2ae3ccc39ebe9a22936b770ebf62aa4a6db8f1.exe
Size

424KB
MD5

be71a43737fe449b1f23280c6d8b2c41
SHA1

8dc4b2be324495fb0590fff2b0435db5c8a0c966
SHA256

8a785d77405ec5fa2a2809481d2ae3ccc39ebe9a22936b770ebf62aa4a6db8f1
SHA512

b5a49369156762442468802daf5746be7d1cfcaf9291833fd8df1dc259717a4b3e924ef09aedc351dfb2fe89f4f9318d3808783268128ffcae1a1b7619985da0
SSDEEP

6144:JHEmrnWIHf5Kt4m6bkyotM4dxtsXgrNfl0EUl0srjnLoy:JHEmjH/5KtEbkRtM0jflnUWILoy

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1164	conlhost.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/896-55-0x00000000002F0000-0x000000000035E000-memory.dmp	upx
behavioral1/files/0x0007000000014124-56.dat	upx
behavioral1/files/0x0007000000014124-59.dat	upx
behavioral1/files/0x0007000000014124-57.dat	upx
behavioral1/memory/896-60-0x00000000002F0000-0x000000000035E000-memory.dmp	upx
behavioral1/files/0x0007000000014124-61.dat	upx
behavioral1/memory/1164-65-0x0000000000A00000-0x0000000000A6E000-memory.dmp	upx
behavioral1/memory/1164-66-0x0000000000A00000-0x0000000000A6E000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
568	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
896	8a785d77405ec5fa2a2809481d2ae3ccc39ebe9a22936b770ebf62aa4a6db8f1.exe
896	8a785d77405ec5fa2a2809481d2ae3ccc39ebe9a22936b770ebf62aa4a6db8f1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\allkeeper = "C:\\users\\Public\\conlhost.exe"	REG.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com
11	ip-api.com

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 1164	896	8a785d77405ec5fa2a2809481d2ae3ccc39ebe9a22936b770ebf62aa4a6db8f1.exe	29
PID 896 wrote to memory of 1164	896	8a785d77405ec5fa2a2809481d2ae3ccc39ebe9a22936b770ebf62aa4a6db8f1.exe	29
PID 896 wrote to memory of 1164	896	8a785d77405ec5fa2a2809481d2ae3ccc39ebe9a22936b770ebf62aa4a6db8f1.exe	29
PID 896 wrote to memory of 1164	896	8a785d77405ec5fa2a2809481d2ae3ccc39ebe9a22936b770ebf62aa4a6db8f1.exe	29
PID 1164 wrote to memory of 568	1164	conlhost.exe	30
PID 1164 wrote to memory of 568	1164	conlhost.exe	30
PID 1164 wrote to memory of 568	1164	conlhost.exe	30
PID 1164 wrote to memory of 568	1164	conlhost.exe	30
PID 1164 wrote to memory of 1808	1164	conlhost.exe	33
PID 1164 wrote to memory of 1808	1164	conlhost.exe	33
PID 1164 wrote to memory of 1808	1164	conlhost.exe	33
PID 1164 wrote to memory of 1808	1164	conlhost.exe	33
PID 1164 wrote to memory of 684	1164	conlhost.exe	36
PID 1164 wrote to memory of 684	1164	conlhost.exe	36
PID 1164 wrote to memory of 684	1164	conlhost.exe	36
PID 1164 wrote to memory of 684	1164	conlhost.exe	36

C:\Users\Admin\AppData\Local\Temp\8a785d77405ec5fa2a2809481d2ae3ccc39ebe9a22936b770ebf62aa4a6db8f1.exe
"C:\Users\Admin\AppData\Local\Temp\8a785d77405ec5fa2a2809481d2ae3ccc39ebe9a22936b770ebf62aa4a6db8f1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:896
- C:\users\Public\conlhost.exe
  "C:\users\Public\conlhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\users\Public\del.bat
    3⤵
    - Deletes itself
    PID:568
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d "C:\users\Public\conlhost.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:1808
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE" /v "crypted" /t REG_SZ /d "1" /reg:64
    3⤵
    PID:684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\conlhost.exe

Filesize
424KB

MD5
b2e6d8dfc9fd06583aab6d8aa91be999

SHA1
8d6aa1ec6ffe7dc7ad25cfd614cabcbfd41e7529

SHA256
f758632a1ef18cec2463cb339221815517b725f93cead3d7186531c35c4a6a9d

SHA512
d28687d3dc39946421d27dc80ae929e14287787bb9be6163d89d6a4b3757431d5ed7ac3ffb71a179ad8d3672e3aa5f9256443f54e701d163702076b35b354b14

Download Submit
C:\users\Public\conlhost.exe

Filesize
424KB

MD5
b2e6d8dfc9fd06583aab6d8aa91be999

SHA1
8d6aa1ec6ffe7dc7ad25cfd614cabcbfd41e7529

SHA256
f758632a1ef18cec2463cb339221815517b725f93cead3d7186531c35c4a6a9d

SHA512
d28687d3dc39946421d27dc80ae929e14287787bb9be6163d89d6a4b3757431d5ed7ac3ffb71a179ad8d3672e3aa5f9256443f54e701d163702076b35b354b14

Download Submit
C:\users\Public\del.bat

Filesize
130B

MD5
5f5cdfa10f443290999bfe35ac997d0b

SHA1
dd6fbb8e678bbd62867de564f74512b8e8a9ac95

SHA256
66c631449f3e2dff233d83e5ad1bc88c0a021da94731c95e35990f470a4328ab

SHA512
513efc02cdd3446d6502040ddf83f5af9f513a39d02fdf4ee8b850f0db6879ffb9f2885f60657e909cc556d82e3aef05750e33ea716c51b6183ffc3701c14614

Download Submit
\Users\Public\conlhost.exe

Filesize
424KB

MD5
b2e6d8dfc9fd06583aab6d8aa91be999

SHA1
8d6aa1ec6ffe7dc7ad25cfd614cabcbfd41e7529

SHA256
f758632a1ef18cec2463cb339221815517b725f93cead3d7186531c35c4a6a9d

SHA512
d28687d3dc39946421d27dc80ae929e14287787bb9be6163d89d6a4b3757431d5ed7ac3ffb71a179ad8d3672e3aa5f9256443f54e701d163702076b35b354b14

Download Submit
\Users\Public\conlhost.exe

Filesize
424KB

MD5
b2e6d8dfc9fd06583aab6d8aa91be999

SHA1
8d6aa1ec6ffe7dc7ad25cfd614cabcbfd41e7529

SHA256
f758632a1ef18cec2463cb339221815517b725f93cead3d7186531c35c4a6a9d

SHA512
d28687d3dc39946421d27dc80ae929e14287787bb9be6163d89d6a4b3757431d5ed7ac3ffb71a179ad8d3672e3aa5f9256443f54e701d163702076b35b354b14

Download Submit
memory/896-60-0x00000000002F0000-0x000000000035E000-memory.dmp

Filesize
440KB

Download
memory/896-55-0x00000000002F0000-0x000000000035E000-memory.dmp

Filesize
440KB

Download
memory/896-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1164-65-0x0000000000A00000-0x0000000000A6E000-memory.dmp

Filesize
440KB

Download
memory/1164-66-0x0000000000A00000-0x0000000000A6E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing