Overview

overview

7

Static

static

3

41b4a483d0...3d.exe

windows7-x64

7

41b4a483d0...3d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 22:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    41b4a483d0cbedd84770000b3504313d.exe

  • Size

    15KB

  • MD5

    41b4a483d0cbedd84770000b3504313d

  • SHA1

    9d90ff44990b13dfc7d8a966e3b98ca1a5456cc5

  • SHA256

    1483ce03b17463c12017853ab9f8c11e496a61289e6fe310f7551aedfe1b74c4

  • SHA512

    49bdac78845ed67aa2525a1a9bfd6c0391ac6ebb61121ddd754202ab2a6f204ff2305cb920abbc6dc9a13c2bc84922e620ff8fd3844d7e804394429425057ad1

  • SSDEEP

    384:WQouEuiOGSF55ZAT2kco5XszIG5uF03+nuU7E41B:WQo+uSjzj4XCVr3+L7EkB

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41b4a483d0cbedd84770000b3504313d.exe
    "C:\Users\Admin\AppData\Local\Temp\41b4a483d0cbedd84770000b3504313d.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\DSP.hta"
      2⤵
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      PID:2648
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im cfmon.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im cfmon.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2824
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im conlme.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im conlme.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2804
    • C:\Program Files (x86)\Common Files\session\conlme.exe
      "C:\Program Files (x86)\Common Files\session\conlme.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2300
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\41b4a483d0cbedd84770000b3504313d.exe"
      2⤵
      • Deletes itself
      PID:1492

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Common Files\session\conlme.exe
          Filesize

          910KB

          MD5

          0da2fa5f23199819afab0d3d9c617d47

          SHA1

          dd3eeb40622f6da2a7bc0bcf991d78cc4e29cfb6

          SHA256

          d1d1797002384f25ffc3e424b7adbf4f90234e7f65bd713f5b3b234726ea2f58

          SHA512

          68988f5b264d53848ef7b0fe2b5f90ed9bbdb1a3b494060bf8b0d0c17c6aeb22547a7c85f166634f66153068af75b6036120a261650bf86888b7c450522953db

          Download Submit

        • C:\Program Files (x86)\Common Files\session\conlme.exe
          Filesize

          748KB

          MD5

          3fa067f49c925b8f950359a96af0d7b2

          SHA1

          4648266e3735e1cb7c69117cef4758172ee9afff

          SHA256

          5e420840a808d7e1a042e667b8f6149ebbed7457aa8438f801fe7b704ce4a5d0

          SHA512

          739384b986f7cda4d42587b8c3a34a9603b1895b6ea980b9e960505779be319ca5383ed2a821fe8bdd6a88925a98c80f174a8faadc84be5897bc4bd259d0ae44

          Download Submit

        • C:\Program Files (x86)\DSP.hta
          Filesize

          799B

          MD5

          c7504050738d7e7c49ae38b325c6ddf9

          SHA1

          f1e4de627782cdaf76e4ef797ed2d8778f05fa00

          SHA256

          a0ee5fb73b97dadaf54b31db5452c83ddef349f04c50cba00d50d3bcd6a102da

          SHA512

          affc9e1cc5d7b53613738049110618f999f6307e802a66dfd42368c78f03fe82d5a4cdaba35ee8e1e341456a005f59b67f48435dbe865696a7b9275c1ec4b0d7

          Download Submit

        • \Program Files (x86)\Common Files\session\conlme.exe
          Filesize

          1.5MB

          MD5

          36adafc2d34ddd963a4d124e54c434b0

          SHA1

          d2c98c7fd3795f629729e652615fdf13c3f96337

          SHA256

          e804ae1e2b46d75bb865b766990b37095a38b478c0a2441980a3aa18605c9a97

          SHA512

          c7c3b4b4926bb20aae880a4633e404ad1b53d36623673ee088a6156bac3fa7f20970e1fe8b0124ddd8ad74c4a02b93020f00d5c5fa7e1d49538d95a5d1433bb9

          Download Submit

        • \Program Files (x86)\Common Files\session\conlme.exe
          Filesize

          941KB

          MD5

          64335b4cd16d8240f52cc14832062669

          SHA1

          f011e1fd26473fdf81020721e55df63a66d34bb0

          SHA256

          9c735f5aa6b13eccb9dc8f0a91653a603b8e3b2678c10ca51983b48e4752be3c

          SHA512

          30b0525ce07ae51da9fa0c91adfe0a3ad21a8bf1ad782369f4701fcb67ea010369e625329137a15c5113e78657f51a083fbfb5ce77221f0d90705d3ea197cee9

          Download Submit

        • memory/2300-15-0x0000000000020000-0x0000000000021000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2300-17-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2640-0-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2640-1-0x0000000000020000-0x0000000000021000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2640-13-0x0000000000410000-0x000000000041A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2640-16-0x0000000000020000-0x0000000000021000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2640-18-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download