2919b157d8d2161bf56a17af0efc171d8e2c3c233284cf116e8c968dd9704572

Analysis

max time kernel
153s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2023, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

_vti_cnf.exe
Size

477KB
MD5

34e03669773d47d0d8f01be78ae484e4
SHA1

4b0a7e2af2c28ae191737ba07632ed354d35c978
SHA256

2919b157d8d2161bf56a17af0efc171d8e2c3c233284cf116e8c968dd9704572
SHA512

8d93fab3c2544d015af2d84f07d3ebbf8acead8bb0185ffb045302b2be19ac12cd2ac59288313bd75bc230768c90e68139c124ea89df943776b1cfaac4876a7f
SSDEEP

6144:ZvZ2iKiZ/QAKVfiROzkViZwc0W/1vNuMqTp/CelAaWjSZ/nnnKCXP7:J7wVfiRuqPW/dgMqIHdjSFnnKCX

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe RVHOST.exe"	_vti_cnf.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	_vti_cnf.exe

Disables Task Manager via registry modification
evasion

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Software\Microsoft\Windows\CurrentVersion\Run	_vti_cnf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\RVHOST.exe"	_vti_cnf.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RVHOST.exe	_vti_cnf.exe
File opened for modification	C:\Windows\SysWOW64\RVHOST.exe	_vti_cnf.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\RVHOST.exe	_vti_cnf.exe
File opened for modification	C:\Windows\RVHOST.exe	_vti_cnf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 2228	4908	_vti_cnf.exe	82
PID 4908 wrote to memory of 2228	4908	_vti_cnf.exe	82
PID 4908 wrote to memory of 2228	4908	_vti_cnf.exe	82
PID 2228 wrote to memory of 396	2228	cmd.exe	84
PID 2228 wrote to memory of 396	2228	cmd.exe	84
PID 2228 wrote to memory of 396	2228	cmd.exe	84
PID 4908 wrote to memory of 1172	4908	_vti_cnf.exe	85
PID 4908 wrote to memory of 1172	4908	_vti_cnf.exe	85
PID 4908 wrote to memory of 1172	4908	_vti_cnf.exe	85
PID 1172 wrote to memory of 1692	1172	cmd.exe	87
PID 1172 wrote to memory of 1692	1172	cmd.exe	87
PID 1172 wrote to memory of 1692	1172	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\_vti_cnf.exe
"C:\Users\Admin\AppData\Local\Temp\_vti_cnf.exe"
1⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT /delete /yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\at.exe
    AT /delete /yes
    3⤵
    PID:396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\at.exe
    AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
    3⤵
    PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4908-133-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4908-139-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads