16289722625b4b7dca1583abfd39784900f5fec6c09429ade3b509cec508db6e

General

Target

398543f0a25bf6c544debda3bdaf5153.exe
Size

35KB
MD5

398543f0a25bf6c544debda3bdaf5153
SHA1

150672c8dc8dc4d839570b03b15be7b5d8b738df
SHA256

16289722625b4b7dca1583abfd39784900f5fec6c09429ade3b509cec508db6e
SHA512

5763dabb2238408fd615efaaa85900b575bd0f06fabc9abece41b898cc70b8533f96e9c8f83b9e0badc47b751baecf72e4f6f77866a80cddbc5349288d24c0ab
SSDEEP

768:xfLxDwNs+ypT0nGQcaw6GNhJ33/6P4oQ5G2/iS:xfLxD+s+ymnG/16GVH/M4f5G0

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\conimen.exe"	398543f0a25bf6c544debda3bdaf5153.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	398543f0a25bf6c544debda3bdaf5153.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	sychost.exe

Deletes itself 1 IoCs

pid	Process
1756	sychost.exe

Executes dropped EXE 3 IoCs

pid	Process
4048	ixplurer.exe
1756	sychost.exe
4760	conimen.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2900-0-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2900-1-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2900-27-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/files/0x0006000000023230-34.dat	upx
behavioral2/memory/4760-43-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\discard.ini	sychost.exe
File created	C:\Windows\SysWOW64\ixplurer.exe	398543f0a25bf6c544debda3bdaf5153.exe
File opened for modification	C:\Windows\SysWOW64\discard.ini	398543f0a25bf6c544debda3bdaf5153.exe
File created	C:\Windows\SysWOW64\Fsery.sys	398543f0a25bf6c544debda3bdaf5153.exe
File created	C:\Windows\SysWOW64\ssdtti.sys	398543f0a25bf6c544debda3bdaf5153.exe
File created	C:\Windows\SysWOW64\sychost.exe	398543f0a25bf6c544debda3bdaf5153.exe
File created	C:\Windows\SysWOW64\conimen.exe	sychost.exe
File opened for modification	C:\Windows\SysWOW64\conimen.exe	sychost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2900	398543f0a25bf6c544debda3bdaf5153.exe
2900	398543f0a25bf6c544debda3bdaf5153.exe
2900	398543f0a25bf6c544debda3bdaf5153.exe
2900	398543f0a25bf6c544debda3bdaf5153.exe
2900	398543f0a25bf6c544debda3bdaf5153.exe
2900	398543f0a25bf6c544debda3bdaf5153.exe
2900	398543f0a25bf6c544debda3bdaf5153.exe
2900	398543f0a25bf6c544debda3bdaf5153.exe
2900	398543f0a25bf6c544debda3bdaf5153.exe
2900	398543f0a25bf6c544debda3bdaf5153.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe
4760	conimen.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2900	398543f0a25bf6c544debda3bdaf5153.exe
Token: SeSystemtimePrivilege	4760	conimen.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2900	398543f0a25bf6c544debda3bdaf5153.exe
2900	398543f0a25bf6c544debda3bdaf5153.exe
4048	ixplurer.exe
4048	ixplurer.exe
1756	sychost.exe
4760	conimen.exe
4760	conimen.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 4048	2900	398543f0a25bf6c544debda3bdaf5153.exe	98
PID 2900 wrote to memory of 4048	2900	398543f0a25bf6c544debda3bdaf5153.exe	98
PID 2900 wrote to memory of 4048	2900	398543f0a25bf6c544debda3bdaf5153.exe	98
PID 2900 wrote to memory of 1756	2900	398543f0a25bf6c544debda3bdaf5153.exe	99
PID 2900 wrote to memory of 1756	2900	398543f0a25bf6c544debda3bdaf5153.exe	99
PID 2900 wrote to memory of 1756	2900	398543f0a25bf6c544debda3bdaf5153.exe	99
PID 1756 wrote to memory of 4760	1756	sychost.exe	101
PID 1756 wrote to memory of 4760	1756	sychost.exe	101
PID 1756 wrote to memory of 4760	1756	sychost.exe	101

C:\Users\Admin\AppData\Local\Temp\398543f0a25bf6c544debda3bdaf5153.exe
"C:\Users\Admin\AppData\Local\Temp\398543f0a25bf6c544debda3bdaf5153.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\ixplurer.exe
  "C:\Windows\system32\ixplurer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4048
- C:\Windows\SysWOW64\sychost.exe
  "C:\Windows\system32\sychost.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\conimen.exe
    "C:\Windows\system32\conimen.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\conimen.exe

Filesize
35KB

MD5
398543f0a25bf6c544debda3bdaf5153

SHA1
150672c8dc8dc4d839570b03b15be7b5d8b738df

SHA256
16289722625b4b7dca1583abfd39784900f5fec6c09429ade3b509cec508db6e

SHA512
5763dabb2238408fd615efaaa85900b575bd0f06fabc9abece41b898cc70b8533f96e9c8f83b9e0badc47b751baecf72e4f6f77866a80cddbc5349288d24c0ab

Download Submit
C:\Windows\SysWOW64\discard.ini

Filesize
91B

MD5
3d8d02dbc31761990f54646a21897ae9

SHA1
0db363fc7a08c2d29e697f47ad31943fdfb907c3

SHA256
aa50396c29e3ff3a15f37274d0f6fab6ac24477be2e708759fb05936be3cae3f

SHA512
0785279956222cac35e5a16e0dbce9f021abfde14a403eb57334a496c0d0811ae020f51075022c19c67b2df5274be8cc993adf5bffeb662f99e0e276cec76c19

Download Submit
C:\Windows\SysWOW64\discard.ini

Filesize
26B

MD5
d8ab3ea023fda33b8017ccc4748534f8

SHA1
e5c8b0f40ed03ad98f0d207ee073af2ee925db78

SHA256
14776c2d9c1446833752ec1c0686cc74bee4c3bd3036b3ad7cf51249ebe381ab

SHA512
0a6ab8641e77dcdc9b33e49462404aaf43ca549122d6fd5afc72448b5f50558859657d64d66d38415e752c05abaa225e545310986516eb1af0f691ff690ec5e0

Download Submit
C:\Windows\SysWOW64\ixplurer.exe

Filesize
20KB

MD5
29bb814094fbbe056f66305389d472d2

SHA1
053f532ba3c4adab30381b9caa895451dcbe7d5e

SHA256
785e8600b40c75f2953e07f24c44658ec1f4f766ed16f35d5b56d8a2771a8f1f

SHA512
797a7ced2df06bd4fe8641d8c10cb477e1ce6b1cfce59c3026ce15107903e6a23295e93f554257c45812341e70bf6b485cd4e12819cdaf6e6c37674baac8bb0b

Download Submit
C:\Windows\SysWOW64\ssdtti.sys

Filesize
1KB

MD5
ee068bde47ed2b188fd306e76b8667a8

SHA1
f3b6f2c6b9b6c669603e7446b14d572f918f856d

SHA256
a6e5a3be9c212e9854d31e72b44d40e1f0f675face507cc12cb4becdcd64ccd5

SHA512
51a5a7590fc1ddc1f417f347d1c2e69cd3a3c173a2466388169403fe3f4bac88f370dd7874173c6c522e0250d6fe4c077960d24e776738f81fbfbc5af134addf

Download Submit
C:\Windows\SysWOW64\sychost.exe

Filesize
20KB

MD5
c778a3b6c33d538af6278a42c837bed6

SHA1
125b82ba76ea5c3d0f2eedce1e8a4d3ba33a2c79

SHA256
be2c3ec48c42596d7fd17225e12a949d41e52be4e8ec11b31b7a85678a3679da

SHA512
a34321cf9ff4082f8eee6ec2b9065414ed9ab0a23e72b74566f5a5fe9523847c573fc7cd078046f37ca4d647dcc139c7e9b9092ac69599e41579ae874e3ceeab

Download Submit
memory/2900-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2900-1-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2900-27-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4760-43-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads