Analysis
-
max time kernel
60s -
max time network
70s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
28/03/2023, 17:04
General
-
Target
conmie.exe
-
Size
72KB
-
MD5
e34083ce615c8309e240774cd31360df
-
SHA1
6364888de5306eedda0df8ed0abbfbdcafd5e9df
-
SHA256
2ec1d15f0e8c0ebcebc30951c9d48d1c29a50c64a3e7df41a300b3de2c73c6db
-
SHA512
0c1848587df81f15b0b869988370072fab4cef70d87496973dd7dd46d9dfdbb19a7d50428902f68f5d018316675d479b104d2dc40faa4b432028c894b0d9e22c
-
SSDEEP
768:Q4rq7S4u/XaZCK6KvPS/FKM3mwYeDGu0n49mV/zjT5tNvxnwHeLrsZkvimczUlhD:QqUZva9x3mHfhzjT5tF6He3nv7Pztn
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\conmie.exe"C:\Users\Admin\AppData\Local\Temp\conmie.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1836.0.568908037\1500474184" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc7d4dfe-798a-4084-b654-76a22aa2c159} 1836 "\\.\pipe\gecko-crash-server-pipe.1836" 1940 26250b16558 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1836.1.670703831\1615603729" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {643cda4e-09a4-4e69-9a5a-c208c57c0c4e} 1836 "\\.\pipe\gecko-crash-server-pipe.1836" 2332 26242b6f858 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1836.2.1964234395\149527692" -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3004 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e35d57a-6bdd-4b56-8ce4-672f0f50fecd} 1836 "\\.\pipe\gecko-crash-server-pipe.1836" 3020 26253809258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1836.3.749562244\138413352" -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3556 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b79d903b-9f1d-45de-b6ce-13efdb6c69f6} 1836 "\\.\pipe\gecko-crash-server-pipe.1836" 1120 26252081458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1836.4.1664724000\1349805754" -childID 3 -isForBrowser -prefsHandle 4020 -prefMapHandle 4016 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9539b682-7f7f-4003-b018-ca8d5d356694} 1836 "\\.\pipe\gecko-crash-server-pipe.1836" 4032 26242b5be58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1836.5.862281035\939457161" -childID 4 -isForBrowser -prefsHandle 4704 -prefMapHandle 4728 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a86a2589-0b43-4398-8939-39f7cc231146} 1836 "\\.\pipe\gecko-crash-server-pipe.1836" 4228 262553db858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1836.7.1840727782\1236396377" -childID 6 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee5592c7-ac31-4abf-84ef-15f54c13b1ce} 1836 "\\.\pipe\gecko-crash-server-pipe.1836" 5304 26255c1f558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1836.6.147317288\1239413733" -childID 5 -isForBrowser -prefsHandle 5096 -prefMapHandle 5100 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c23138a4-1774-4f87-8b9c-c5f2cf6e66db} 1836 "\\.\pipe\gecko-crash-server-pipe.1836" 5084 26255c1fe58 tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
140KB
MD5421f1e566c589f4c3948599c2323f632
SHA1742f914fd82fb57967b0392aa87093178ee51736
SHA256f8a7d02ba57f7cd9948c3d49f28f2c2417568047e8cc4aec2211740ef80ba99f
SHA512efe4a7c1028a7b55aaf36f866ed20b9526bb760f4a6b35935329869b30745354e2c49902425fd7af4469a2e680758f06467cef8d8da2661126f772f8ef001697
-
Filesize
6KB
MD5f5dfa8a284a0aa090dede4b1c93b1b63
SHA1857329a11000cdfbd6c9a2336452eee43460c3b0
SHA2560bba4b803784713dd30e7ae0374ec946d31a4d0bc74fea80bac087fe87e0b76b
SHA512d0fcceafd8aec8475a858ff8d0e5ffdc49cf5467ae447fd1b6d7f0c727cd2ada901cbd6642b65a8ad4962e0bb1366692bf2683251afeebc8336d9995962de4c1
-
Filesize
6KB
MD50a425048736deaefe0ad70f4f7bf84ae
SHA10992bd620e46bf77f4b8f81cdbf81f85966dae36
SHA2564274f1c92f7dfd89ef9acb5888af2283e0503791fd00648228b8c2549e92347b
SHA512523c74133113ccc569fce7c02a7020b074524f9e9c2bd14210ce86f35ee1583e3cef32e11358db59219c4be6f02396119f8892f229f98061c29e4aa0a22ff78e
-
Filesize
6KB
MD5108b97b1ff7efbdb1aecce96d55ff2e5
SHA1bb72b2e0c3d859fe5e821632307a32df331b55e1
SHA256c5e19d4313b524fffc4859f4fac05ea3dcf408714a736dbd0bb7fcdf5131f80e
SHA512e0f7678424e68957a1cb521786e9e4e54c179f9a263b04d0c6a96147cb1e242b58bda3e74e6f142dcd9b6dd313a0061c3050af334b149eab9a8040f923da84dc
-
Filesize
259B
MD5e6c20f53d6714067f2b49d0e9ba8030e
SHA1f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA25650a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf
-
Filesize
882B
MD50b682c5fa6f495977a45b077b62b7157
SHA1df020849031b4fa151d4c70cb7786654d347870d
SHA256101735eba89f82b52f7b883fd488be60e42c10ff2da6a660a49bedb3d92a6add
SHA512567d036a6ec507b51b21b762d1ced36186c647f08acda1753b6030b3f281ce6c97f515a2f80749d3d03eb366145f13327c577cdf49b42a60f0a61cb9238acc60