a6ccdc568fa0e9b7aaae35c90b97c29916664b7450f0a175ca5b285fa546b426

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6ccdc568fa0e9b7aaae35c90b97c29916664b7450f0a175ca5b285fa546b426N.exe
Size

32KB
MD5

e3887a49ae12f1a690f940c4979ce510
SHA1

59a668df20d164d49224ac6559bcd919d1dc0c2c
SHA256

a6ccdc568fa0e9b7aaae35c90b97c29916664b7450f0a175ca5b285fa546b426
SHA512

606f2703cf12655b40f19e54104c3e02aba3470c203f8d64fcc28085167033d1aa88bb2931e6b7f66861dc22fbdddfbc616362d84c1df97057c3b6a17ed60f68
SSDEEP

384:2beWu16rYfz9ysnZtHuJaEhD2hqG13STv731otWZZS5jJdRC:21UfZysnZQD28G1CTv7lotW6Xs

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\conime.exe asds"	a6ccdc568fa0e9b7aaae35c90b97c29916664b7450f0a175ca5b285fa546b426N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a6ccdc568fa0e9b7aaae35c90b97c29916664b7450f0a175ca5b285fa546b426N.exe

Executes dropped EXE 1 IoCs

pid	Process
3892	conime.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\conime.exe	a6ccdc568fa0e9b7aaae35c90b97c29916664b7450f0a175ca5b285fa546b426N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6ccdc568fa0e9b7aaae35c90b97c29916664b7450f0a175ca5b285fa546b426N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conime.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3496	a6ccdc568fa0e9b7aaae35c90b97c29916664b7450f0a175ca5b285fa546b426N.exe
3496	a6ccdc568fa0e9b7aaae35c90b97c29916664b7450f0a175ca5b285fa546b426N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 3892	3496	a6ccdc568fa0e9b7aaae35c90b97c29916664b7450f0a175ca5b285fa546b426N.exe	82
PID 3496 wrote to memory of 3892	3496	a6ccdc568fa0e9b7aaae35c90b97c29916664b7450f0a175ca5b285fa546b426N.exe	82
PID 3496 wrote to memory of 3892	3496	a6ccdc568fa0e9b7aaae35c90b97c29916664b7450f0a175ca5b285fa546b426N.exe	82

C:\Users\Admin\AppData\Local\Temp\a6ccdc568fa0e9b7aaae35c90b97c29916664b7450f0a175ca5b285fa546b426N.exe
"C:\Users\Admin\AppData\Local\Temp\a6ccdc568fa0e9b7aaae35c90b97c29916664b7450f0a175ca5b285fa546b426N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\conime.exe
  C:\Windows\conime.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\conime.exe

Filesize
20KB

MD5
c5c5b584e88bfd05c21bdf8d76a90904

SHA1
ca4ad23a657bcaa9c5e91fa3b86139781078f0ec

SHA256
f74342e34d65b421d5c040cdfed801f135549cc95613787af6a584d89b379706

SHA512
e915d449cccf9a9721aeafed73e98a8e2a433b097d89ad3e9f4051f7007d5e5b2544a47d7ebc9d3e30d951045730d9a433d0e0fee10a210a03050d1e7a73eaae

Download Submit