57a44cee41c411e80eb9973b2c08e885d7c7728fab8b2a11c8f69ac34819cb1e

Analysis

max time kernel
93s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_57673646ad921457184027ba1ecd795e_7ev3n.exe
Size

363KB
MD5

57673646ad921457184027ba1ecd795e
SHA1

f2b77d90d84170a7a293b80cfa0e35a49d677a3d
SHA256

57a44cee41c411e80eb9973b2c08e885d7c7728fab8b2a11c8f69ac34819cb1e
SHA512

d25ac916a5d866deb71fc06186d79f4071b698a5bd529144b97b73dba594a671fceb46a97ef8d543c4d4f5075f3d8519327b6f00f7aeda98a1058d820b65735f
SSDEEP

6144:5aPIWVeTdJKsLxgcSNDQL5Q9VuwLmh0kdH371oF:5uTs1gBpQL5kmh0671oF

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1952	conlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\allkeeper = "C:\\users\\Public\\conlhost.exe"	REG.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 1952	4500	2024-06-11_57673646ad921457184027ba1ecd795e_7ev3n.exe	90
PID 4500 wrote to memory of 1952	4500	2024-06-11_57673646ad921457184027ba1ecd795e_7ev3n.exe	90
PID 4500 wrote to memory of 1952	4500	2024-06-11_57673646ad921457184027ba1ecd795e_7ev3n.exe	90
PID 1952 wrote to memory of 460	1952	conlhost.exe	91
PID 1952 wrote to memory of 460	1952	conlhost.exe	91
PID 1952 wrote to memory of 460	1952	conlhost.exe	91
PID 1952 wrote to memory of 4916	1952	conlhost.exe	94
PID 1952 wrote to memory of 4916	1952	conlhost.exe	94
PID 1952 wrote to memory of 4916	1952	conlhost.exe	94
PID 1952 wrote to memory of 2212	1952	conlhost.exe	97
PID 1952 wrote to memory of 2212	1952	conlhost.exe	97
PID 1952 wrote to memory of 2212	1952	conlhost.exe	97

C:\Users\Admin\AppData\Local\Temp\2024-06-11_57673646ad921457184027ba1ecd795e_7ev3n.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_57673646ad921457184027ba1ecd795e_7ev3n.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4500
- C:\users\Public\conlhost.exe
  "C:\users\Public\conlhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\users\Public\del.bat
    3⤵
    PID:460
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d "C:\users\Public\conlhost.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:4916
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE" /v "crypted" /t REG_SZ /d "1" /reg:64
    3⤵
    PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\FILES_BACK.txt

Filesize
177B

MD5
fc605d0a0029f229d0ed645293ece316

SHA1
9ee4a83cd232b15790107ebbb98b4b515839f219

SHA256
a2a678d59020d212a1ec32810466b9a2bc4d17fcfff8edd6c07c5aa8ef15b25f

SHA512
2e43a1bbb43f9371cfcdcf550a205bb123a2facf17cbdd180591eb7a7c3ee75b5aae0a59654898814e4dee9d7bdf4ff3f6b50a37f0fbd5252865a23655b261e1

Download Submit
C:\Users\Public\conlhost.exe

Filesize
363KB

MD5
bf8cfbee812fee5034d911443b97be76

SHA1
056ecd825309219e211baff06655008d72f46531

SHA256
25fca6cd7b5092a8c74b1725c7c7c64efa9fb9544eacb30ade7c478b7e82beb6

SHA512
d2417a798e77dc67728bf9ec369e18a096050dc581d6c5caceeac986d264b6f256c925b6e6390609d517f9fa2b4e337d5ed5914ad5194a6b9ad04bc5ecaa54c5

Download Submit
C:\users\Public\del.bat

Filesize
115B

MD5
134fd21a4d44cc38e665bc1d961aa14f

SHA1
ef4230f0c538598d3dc43292c99be99a40a3e003

SHA256
0edc8669083b9db9177c1c1115c8f4e995b8b28d49cbbd37998c90da65c72abf

SHA512
e3833ef32519b57d258e6a7ed4a35fa2681fc9db81ad2e0b211022cf5c9e398dd70042dd470ed65c82cca3e88631796cd206ec872d8cb7921e3f3dfcf1242434

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads