Analysis

max time kernel: 148s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/12/2023, 19:09
Static task: static1

Behavioral task: behavioral1
  Sample: 0148b8ba1df6de0f1a76afaa800e4daa.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 0148b8ba1df6de0f1a76afaa800e4daa.exe
  Resource: win10v2004-20231215-en
General

Target: 0148b8ba1df6de0f1a76afaa800e4daa.exe
Size: 67KB
MD5: 0148b8ba1df6de0f1a76afaa800e4daa
SHA1: 10f636fa8c79df9f48e42c15db8e141c61af63b6
SHA256: af5b874e8069dbf2f2f8a411c31cc4eb1ca58ed05ef797e2cc1945eb4d1f6356
SHA512: 2b17359ddb851a24137868da3f57520a7dc0302e6a7ae501048c62bc3db837ffd3de667d12dacfbc56319d18c099592513d1e3688d66751fc83ee716a15206eb
SSDEEP: 1536:ZwqPQJoyTVzmFc//////mY9spPGLaX4KvbSPW7nAb44nKpDG/:JIoQdcc//////4PJX4Kvx7Ab4sCy/
Malware Config
Signatures
Executes dropped EXE 1 IoCs
  pid 4408  Process: conime.exe

Drops file in System32 directory 1 IoCs
  File created: C:\Windows\SysWOW64\qqmmck.vxd  Process: conime.exe
Modifies registry class 5 IoCs
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92B1E826-2EEF-45B5-87C8-7639C7C9935F}\InProcServer32  (conime.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92B1E826-2EEF-45B5-87C8-7639C7C9935F}\InProcServer32\ = "C:\\Windows\\SysWow64\\qqmmck.vxd"  (conime.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92B1E826-2EEF-45B5-87C8-7639C7C9935F}\InProcServer32\ThreadingModel = "Apartment"  (conime.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92B1E826-2EEF-45B5-87C8-7639C7C9935F}  (conime.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92B1E826-2EEF-45B5-87C8-7639C7C9935F}\  (conime.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
  pid 64  Process: 0148b8ba1df6de0f1a76afaa800e4daa.exe  (16 events, all from the same process)
Suspicious behavior: RenamesItself 1 IoCs
  pid 64  Process: 0148b8ba1df6de0f1a76afaa800e4daa.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
  Token: SeDebugPrivilege  pid 64  Process: 0148b8ba1df6de0f1a76afaa800e4daa.exe  (8 events, all from the same process)
Suspicious use of WriteProcessMemory 42 IoCs
  (14 distinct writes, each recorded three times; columns: description, pid, Process, procid_target)
  PID 64 wrote to memory of 5548   pid 64    0148b8ba1df6de0f1a76afaa800e4daa.exe   procid_target 40
  PID 64 wrote to memory of 3632   pid 64    0148b8ba1df6de0f1a76afaa800e4daa.exe   procid_target 39
  PID 64 wrote to memory of 1932   pid 64    0148b8ba1df6de0f1a76afaa800e4daa.exe   procid_target 38
  PID 64 wrote to memory of 2664   pid 64    0148b8ba1df6de0f1a76afaa800e4daa.exe   procid_target 34
  PID 64 wrote to memory of 2616   pid 64    0148b8ba1df6de0f1a76afaa800e4daa.exe   procid_target 32
  PID 64 wrote to memory of 3336   pid 64    0148b8ba1df6de0f1a76afaa800e4daa.exe   procid_target 31
  PID 64 wrote to memory of 4408   pid 64    0148b8ba1df6de0f1a76afaa800e4daa.exe   procid_target 30
  PID 64 wrote to memory of 3488   pid 64    0148b8ba1df6de0f1a76afaa800e4daa.exe   procid_target 27
  PID 1932 wrote to memory of 2660 pid 1932  net.exe                                procid_target 26
  PID 3632 wrote to memory of 400  pid 3632  net.exe                                procid_target 25
  PID 2664 wrote to memory of 5600 pid 2664  net.exe                                procid_target 24
  PID 5548 wrote to memory of 6100 pid 5548  net.exe                                procid_target 23
  PID 3336 wrote to memory of 5596 pid 3336  net.exe                                procid_target 22
  PID 2616 wrote to memory of 2284 pid 2616  net.exe                                procid_target 21
Processes

C:\Users\Admin\AppData\Local\Temp\0148b8ba1df6de0f1a76afaa800e4daa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0148b8ba1df6de0f1a76afaa800e4daa.exe"
  PID: 64
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c del C:\NTDUBECT.EXE
      PID: 3488

    C:\Users\Admin\AppData\Local\Temp\conime.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\conime.exe
      PID: 4408
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies registry class

    C:\Windows\SysWOW64\net.exe
      Command line: net stop System Restore Service
      PID: 3336
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Windows Firewall/Internet Connection Sharing (ICS)"
      PID: 2616
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Security Center"
      PID: 2664
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe
      Command line: net stop System Restore Service
      PID: 1932
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Windows Firewall/Internet Connection Sharing (ICS)"
      PID: 3632
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Security Center"
      PID: 5548
      - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
  PID: 2284

C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 stop System Restore Service
  PID: 5596

C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 stop "Security Center"
  PID: 6100

C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 stop "Security Center"
  PID: 5600

C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
  PID: 400

C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 stop System Restore Service
  PID: 2660
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 24KB
MD5: 8397da239709b167fa29444149390586
SHA1: 0e2c4d1ee53042e3e1554bbcda28c50309df8e80
SHA256: 5aff8366ad9cbf3b4ae40eb3a198ac119cd1e94704b0da00fda4e8bd2a1f32fa
SHA512: 7f64b716d0dc7da87359689693d3c17af875346610e2f6a8d5429b592a9196a38ac2fc1c3c1746449d69b5baecd2dc776cd470d653d55eed919df359ff439d57