2417b0e8e7c8315305c8bfcb9ba40a2c04ed3ede89984e78fe7a1ba2cb2f2eaf

Analysis

max time kernel
136s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85dd4afe633b82ea05601b638e8cdcd6.exe
Size

34KB
MD5

85dd4afe633b82ea05601b638e8cdcd6
SHA1

f9e502ba6e3419a2de4f1799fc9444349a088508
SHA256

2417b0e8e7c8315305c8bfcb9ba40a2c04ed3ede89984e78fe7a1ba2cb2f2eaf
SHA512

dd6a95a5bc9f68f38267f9bb4da804bc3ba75f2c3eeea25c6bfc4ad9283dcc5e86ba673c1ce7f914f7d2c5e67699b372c1ed3261edc16bbdb364a21e81c41c06
SSDEEP

768:h3JWSrLMBZ1Bi24X7pyH0VWNm4qU2gin1oghX0AenbcuyD7U0:pJliAXVtVWNm4qWM5Ednouy8

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4620	conime.exe
1392	svchost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4740-0-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/memory/4740-11-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\svchost.exe	conime.exe
File opened for modification	C:\Windows\SysWOW64\IME\svchost.exe	conime.exe
File created	C:\Windows\SysWOW64\IME\svchost.exe	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Progra~1\Realtek\SOUNDMAN.EXE	85dd4afe633b82ea05601b638e8cdcd6.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe
4740	85dd4afe633b82ea05601b638e8cdcd6.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4740	85dd4afe633b82ea05601b638e8cdcd6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	85dd4afe633b82ea05601b638e8cdcd6.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4620	4740	85dd4afe633b82ea05601b638e8cdcd6.exe	85
PID 4740 wrote to memory of 4620	4740	85dd4afe633b82ea05601b638e8cdcd6.exe	85
PID 4740 wrote to memory of 4620	4740	85dd4afe633b82ea05601b638e8cdcd6.exe	85
PID 4620 wrote to memory of 1392	4620	conime.exe	86
PID 4620 wrote to memory of 1392	4620	conime.exe	86
PID 4620 wrote to memory of 1392	4620	conime.exe	86
PID 4620 wrote to memory of 2768	4620	conime.exe	87
PID 4620 wrote to memory of 2768	4620	conime.exe	87
PID 4620 wrote to memory of 2768	4620	conime.exe	87

C:\Users\Admin\AppData\Local\Temp\85dd4afe633b82ea05601b638e8cdcd6.exe
"C:\Users\Admin\AppData\Local\Temp\85dd4afe633b82ea05601b638e8cdcd6.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\Temp\conime.exe
  C:\Users\Admin\AppData\Local\Temp\conime.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\SysWOW64\IME\svchost.exe
    "C:\Windows\system32\IME\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\rs.bat C:\Users\Admin\AppData\Local\Temp\conime.exe
    3⤵
    PID:2768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\conime.exe

Filesize
16KB

MD5
579f1f288e84dee349360b17a6e2681c

SHA1
0cd9b1cd201f3c481d62b360fce4565e26de033c

SHA256
d749caccffa900211c045166e36d69ed3c8edc47326faa8d2156215f98824105

SHA512
c80571ddb250ad020524bf7be8629912a599abb201da2b95345ecd35260ce99aa13d1585ce0f8ab4e70e821721cd321afd31af3a056145e0cb2187491932827d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rs.bat

Filesize
105B

MD5
c33c3bd528b74ef8e010cd3b5f3950aa

SHA1
c8fafd5f2a514aaf64259565aaae8d0450444be3

SHA256
4a9b066077e5b57aaf2d54e23c023ed6558b89d4955a0f94e5c39257ad7e9df8

SHA512
92e85b2a6ea5d06b9258f37ded20605807fd26ec3b402452e90cde26148f05b609f336e6844b92d0357e84ba462ba9acab7ea1ee3de1693b7955301f458e87c9

Download Submit
memory/4740-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4740-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download