af5b874e8069dbf2f2f8a411c31cc4eb1ca58ed05ef797e2cc1945eb4d1f6356

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0148b8ba1df6de0f1a76afaa800e4daa.exe
Size

67KB
MD5

0148b8ba1df6de0f1a76afaa800e4daa
SHA1

10f636fa8c79df9f48e42c15db8e141c61af63b6
SHA256

af5b874e8069dbf2f2f8a411c31cc4eb1ca58ed05ef797e2cc1945eb4d1f6356
SHA512

2b17359ddb851a24137868da3f57520a7dc0302e6a7ae501048c62bc3db837ffd3de667d12dacfbc56319d18c099592513d1e3688d66751fc83ee716a15206eb
SSDEEP

1536:ZwqPQJoyTVzmFc//////mY9spPGLaX4KvbSPW7nAb44nKpDG/:JIoQdcc//////4PJX4Kvx7Ab4sCy/

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2632	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	conime.exe

Loads dropped DLL 2 IoCs

pid	Process
1664	0148b8ba1df6de0f1a76afaa800e4daa.exe
1664	0148b8ba1df6de0f1a76afaa800e4daa.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qqmmck.vxd	conime.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92B1E826-2EEF-45B5-87C8-7639C7C9935F}\InProcServer32\ = "C:\\Windows\\SysWow64\\qqmmck.vxd"	conime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92B1E826-2EEF-45B5-87C8-7639C7C9935F}\InProcServer32\ThreadingModel = "Apartment"	conime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92B1E826-2EEF-45B5-87C8-7639C7C9935F}	conime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92B1E826-2EEF-45B5-87C8-7639C7C9935F}\	conime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92B1E826-2EEF-45B5-87C8-7639C7C9935F}\InProcServer32	conime.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1664	0148b8ba1df6de0f1a76afaa800e4daa.exe
1664	0148b8ba1df6de0f1a76afaa800e4daa.exe
1664	0148b8ba1df6de0f1a76afaa800e4daa.exe
1664	0148b8ba1df6de0f1a76afaa800e4daa.exe
1664	0148b8ba1df6de0f1a76afaa800e4daa.exe
1664	0148b8ba1df6de0f1a76afaa800e4daa.exe
1664	0148b8ba1df6de0f1a76afaa800e4daa.exe
1664	0148b8ba1df6de0f1a76afaa800e4daa.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1664	0148b8ba1df6de0f1a76afaa800e4daa.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe
Token: SeDebugPrivilege	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe
Token: SeDebugPrivilege	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe
Token: SeDebugPrivilege	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe
Token: SeDebugPrivilege	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe
Token: SeDebugPrivilege	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe
Token: SeDebugPrivilege	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe
Token: SeDebugPrivilege	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2596	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	28
PID 1664 wrote to memory of 2596	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	28
PID 1664 wrote to memory of 2596	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	28
PID 1664 wrote to memory of 2596	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	28
PID 1664 wrote to memory of 2772	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	33
PID 1664 wrote to memory of 2772	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	33
PID 1664 wrote to memory of 2772	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	33
PID 1664 wrote to memory of 2772	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	33
PID 1664 wrote to memory of 2460	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	29
PID 1664 wrote to memory of 2460	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	29
PID 1664 wrote to memory of 2460	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	29
PID 1664 wrote to memory of 2460	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	29
PID 1664 wrote to memory of 2912	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	31
PID 1664 wrote to memory of 2912	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	31
PID 1664 wrote to memory of 2912	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	31
PID 1664 wrote to memory of 2912	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	31
PID 1664 wrote to memory of 2656	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	35
PID 1664 wrote to memory of 2656	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	35
PID 1664 wrote to memory of 2656	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	35
PID 1664 wrote to memory of 2656	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	35
PID 1664 wrote to memory of 2744	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	37
PID 1664 wrote to memory of 2744	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	37
PID 1664 wrote to memory of 2744	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	37
PID 1664 wrote to memory of 2744	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	37
PID 1664 wrote to memory of 2800	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	38
PID 1664 wrote to memory of 2800	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	38
PID 1664 wrote to memory of 2800	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	38
PID 1664 wrote to memory of 2800	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	38
PID 1664 wrote to memory of 2632	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	40
PID 1664 wrote to memory of 2632	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	40
PID 1664 wrote to memory of 2632	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	40
PID 1664 wrote to memory of 2632	1664	0148b8ba1df6de0f1a76afaa800e4daa.exe	40
PID 2656 wrote to memory of 1240	2656	net.exe	44
PID 2656 wrote to memory of 1240	2656	net.exe	44
PID 2656 wrote to memory of 1240	2656	net.exe	44
PID 2656 wrote to memory of 1240	2656	net.exe	44
PID 2460 wrote to memory of 2652	2460	net.exe	43
PID 2460 wrote to memory of 2652	2460	net.exe	43
PID 2460 wrote to memory of 2652	2460	net.exe	43
PID 2460 wrote to memory of 2652	2460	net.exe	43
PID 2744 wrote to memory of 2724	2744	net.exe	45
PID 2596 wrote to memory of 2900	2596	net.exe	46
PID 2596 wrote to memory of 2900	2596	net.exe	46
PID 2596 wrote to memory of 2900	2596	net.exe	46
PID 2744 wrote to memory of 2724	2744	net.exe	45
PID 2596 wrote to memory of 2900	2596	net.exe	46
PID 2744 wrote to memory of 2724	2744	net.exe	45
PID 2744 wrote to memory of 2724	2744	net.exe	45
PID 2772 wrote to memory of 2704	2772	net.exe	47
PID 2772 wrote to memory of 2704	2772	net.exe	47
PID 2772 wrote to memory of 2704	2772	net.exe	47
PID 2772 wrote to memory of 2704	2772	net.exe	47
PID 2912 wrote to memory of 2684	2912	net.exe	48
PID 2912 wrote to memory of 2684	2912	net.exe	48
PID 2912 wrote to memory of 2684	2912	net.exe	48
PID 2912 wrote to memory of 2684	2912	net.exe	48

C:\Users\Admin\AppData\Local\Temp\0148b8ba1df6de0f1a76afaa800e4daa.exe
"C:\Users\Admin\AppData\Local\Temp\0148b8ba1df6de0f1a76afaa800e4daa.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:2900
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:2652
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:2684
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2704
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1240
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:2724
- C:\Users\Admin\AppData\Local\Temp\conime.exe
  C:\Users\Admin\AppData\Local\Temp\conime.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\NTDUBECT.EXE
  2⤵
  - Deletes itself
  PID:2632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\conime.exe

Filesize
24KB

MD5
8397da239709b167fa29444149390586

SHA1
0e2c4d1ee53042e3e1554bbcda28c50309df8e80

SHA256
5aff8366ad9cbf3b4ae40eb3a198ac119cd1e94704b0da00fda4e8bd2a1f32fa

SHA512
7f64b716d0dc7da87359689693d3c17af875346610e2f6a8d5429b592a9196a38ac2fc1c3c1746449d69b5baecd2dc776cd470d653d55eed919df359ff439d57

Download Submit
memory/1664-11-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/1664-8-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/1664-12-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/2800-10-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download