07fca433b801c7ee5f36fdfd0ff4083b559a92c5f7329fca675bdda1f4da8fde

Analysis

max time kernel
85s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_4ca799a4e98c700e6703e755a36aa37f_7ev3n.exe
Size

388KB
MD5

4ca799a4e98c700e6703e755a36aa37f
SHA1

f6a45b2a05919a452804e231deee055955665ffb
SHA256

07fca433b801c7ee5f36fdfd0ff4083b559a92c5f7329fca675bdda1f4da8fde
SHA512

9b844a0cd0115d202a715b30a49aa76289d8c59ab3a13f8196e573b834c86c84e71a9c927a70ef9520c9c6c62dfb8910315b4b28e8d6bc5dccf0e24565c50f10
SSDEEP

6144:/aPIWVeTdJKsLxgcSNDQL5Q9VuwLmh9k2Hm71orVCvvI:/uTs1gBpQL5kmh9M71oJCo

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 1 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233e2-5.dat	UPX

Executes dropped EXE 1 IoCs

pid	Process
892	conlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\allkeeper = "C:\\users\\Public\\conlhost.exe"	REG.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 892	1224	2024-06-29_4ca799a4e98c700e6703e755a36aa37f_7ev3n.exe	80
PID 1224 wrote to memory of 892	1224	2024-06-29_4ca799a4e98c700e6703e755a36aa37f_7ev3n.exe	80
PID 1224 wrote to memory of 892	1224	2024-06-29_4ca799a4e98c700e6703e755a36aa37f_7ev3n.exe	80
PID 892 wrote to memory of 436	892	conlhost.exe	81
PID 892 wrote to memory of 436	892	conlhost.exe	81
PID 892 wrote to memory of 436	892	conlhost.exe	81
PID 892 wrote to memory of 2672	892	conlhost.exe	89
PID 892 wrote to memory of 2672	892	conlhost.exe	89
PID 892 wrote to memory of 2672	892	conlhost.exe	89
PID 892 wrote to memory of 3680	892	conlhost.exe	92
PID 892 wrote to memory of 3680	892	conlhost.exe	92
PID 892 wrote to memory of 3680	892	conlhost.exe	92

C:\Users\Admin\AppData\Local\Temp\2024-06-29_4ca799a4e98c700e6703e755a36aa37f_7ev3n.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_4ca799a4e98c700e6703e755a36aa37f_7ev3n.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\users\Public\conlhost.exe
  "C:\users\Public\conlhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\users\Public\del.bat
    3⤵
    PID:436
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d "C:\users\Public\conlhost.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:2672
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE" /v "crypted" /t REG_SZ /d "1" /reg:64
    3⤵
    PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\FILES_BACK.txt

Filesize
177B

MD5
fc605d0a0029f229d0ed645293ece316

SHA1
9ee4a83cd232b15790107ebbb98b4b515839f219

SHA256
a2a678d59020d212a1ec32810466b9a2bc4d17fcfff8edd6c07c5aa8ef15b25f

SHA512
2e43a1bbb43f9371cfcdcf550a205bb123a2facf17cbdd180591eb7a7c3ee75b5aae0a59654898814e4dee9d7bdf4ff3f6b50a37f0fbd5252865a23655b261e1

Download Submit
C:\Users\Public\conlhost.exe

Filesize
388KB

MD5
4ead7c70a14ec7261fd3f6f8d5a0d32c

SHA1
096e50500ec050934629cbb6fa28e36725a08f4a

SHA256
cb977f9cc83c5c06a582e57e5fe6aaeecd9b358c0dc1022b67e6c538ad90d02f

SHA512
d63d3c8a0b0745a5f7355a5cc83b7da8f31be6906e9e516722dcd8ac2e753bd86872fa1bbb12583ec5ec2298cef4d88600233519c9551b4182ab5ef89554d527

Download Submit
C:\users\Public\del.bat

Filesize
115B

MD5
0473d4830c5be5b3ce205e9cc6972657

SHA1
cab13fabcf7e907bee5c03c8a73e744e5c39b9ee

SHA256
77206bd86b35da01d8d1feee90ba84eae151c3417d77bbc8018c1ae1fa67a432

SHA512
7a5962eba1a847ae812ae836239cee9bb88a4109e99ebe31e08093ffebfc4a6e6e35f6d414668cc792af55da87f0e74c5affa5713a5af95991008886b776c295

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads