Overview

overview

7

Static

static

3

41b4a483d0...3d.exe

windows7-x64

7

41b4a483d0...3d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    116s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2023 22:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41b4a483d0cbedd84770000b3504313d.exe

  • Size

    15KB

  • MD5

    41b4a483d0cbedd84770000b3504313d

  • SHA1

    9d90ff44990b13dfc7d8a966e3b98ca1a5456cc5

  • SHA256

    1483ce03b17463c12017853ab9f8c11e496a61289e6fe310f7551aedfe1b74c4

  • SHA512

    49bdac78845ed67aa2525a1a9bfd6c0391ac6ebb61121ddd754202ab2a6f204ff2305cb920abbc6dc9a13c2bc84922e620ff8fd3844d7e804394429425057ad1

  • SSDEEP

    384:WQouEuiOGSF55ZAT2kco5XszIG5uF03+nuU7E41B:WQo+uSjzj4XCVr3+L7EkB

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41b4a483d0cbedd84770000b3504313d.exe
    "C:\Users\Admin\AppData\Local\Temp\41b4a483d0cbedd84770000b3504313d.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\OVS.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      PID:4804
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im cfmon.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im cfmon.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5088
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im conlme.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3220
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im conlme.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1068
    • C:\Program Files (x86)\Common Files\session\conlme.exe
      "C:\Program Files (x86)\Common Files\session\conlme.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3260
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\41b4a483d0cbedd84770000b3504313d.exe"
      2⤵
        PID:3144

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Common Files\session\conlme.exe
      Filesize

      3.1MB

      MD5

      e6f212afcbe2adbc87178c7b1db0a804

      SHA1

      48384014a8b17fc63d8a6a705d510b4aa9b1bc5c

      SHA256

      02ab273d32ce3c1b7a13cb762871302f95017000107d8bea731016e8655a88d3

      SHA512

      e80b4a27d9fe73f7cf40d804cb4fb797c160a094a372ebba7079286ace4aae0986a46407daf95dee22df73856ff399731922a9d9e08d6d3c9ac5c13ff807b6ad

      Download Submit

    • C:\Program Files (x86)\Common Files\session\conlme.exe
      Filesize

      4.7MB

      MD5

      aeb134b42c454837da0caf8be744d5f6

      SHA1

      caac0493117a48adaa2643781865b8ea1a9be198

      SHA256

      7853ce44aa42c72aa0dddb69cfc7f2213312284b356aa23d6978d907582b0a2b

      SHA512

      e1bad12252e96cbd6485b739f1f76b6a80f1229f8fe125bf20e302166109ccb3a2c14b9fc72ed28142b66bc1d7d32d9cf829c50320d30c465153212cdd88aff3

      Download Submit

    • C:\Program Files (x86)\OVS.hta
      Filesize

      799B

      MD5

      c7504050738d7e7c49ae38b325c6ddf9

      SHA1

      f1e4de627782cdaf76e4ef797ed2d8778f05fa00

      SHA256

      a0ee5fb73b97dadaf54b31db5452c83ddef349f04c50cba00d50d3bcd6a102da

      SHA512

      affc9e1cc5d7b53613738049110618f999f6307e802a66dfd42368c78f03fe82d5a4cdaba35ee8e1e341456a005f59b67f48435dbe865696a7b9275c1ec4b0d7

      Download Submit

    • memory/1104-0-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1104-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1104-11-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3260-10-0x00000000001C0000-0x00000000001C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3260-12-0x00000000001C0000-0x00000000001C1000-memory.dmp

      Filesize

      4KB

      Download