5c946780a5cab532e7c437b8b555456b319736e40b524446ce350efd29790f89

General

Target

2024-10-12_7460a359bf50d12d26232d79412a3eb7_7ev3n.exe
Size

388KB
MD5

7460a359bf50d12d26232d79412a3eb7
SHA1

59ef372a1a44bea53474700ea1479d36e668b9a8
SHA256

5c946780a5cab532e7c437b8b555456b319736e40b524446ce350efd29790f89
SHA512

1b1fcf81f063f66e83fa699de374139c5e220d61062a337adb0280e901279c1278458102c38ebe04e9bc147e9a55cd87086dc31dd08da03d33cf0fb06c604b31
SSDEEP

6144:/aPIWVeTdJKsLxgcSNDQL5Q9VuwLmh0kdH371oHVCvvm:/uTs1gBpQL5kmh0671o1CG

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2376	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	conlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2032	2024-10-12_7460a359bf50d12d26232d79412a3eb7_7ev3n.exe
2032	2024-10-12_7460a359bf50d12d26232d79412a3eb7_7ev3n.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\allkeeper = "C:\\users\\Public\\conlhost.exe"	REG.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-12_7460a359bf50d12d26232d79412a3eb7_7ev3n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conlhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2620	2032	2024-10-12_7460a359bf50d12d26232d79412a3eb7_7ev3n.exe	32
PID 2032 wrote to memory of 2620	2032	2024-10-12_7460a359bf50d12d26232d79412a3eb7_7ev3n.exe	32
PID 2032 wrote to memory of 2620	2032	2024-10-12_7460a359bf50d12d26232d79412a3eb7_7ev3n.exe	32
PID 2032 wrote to memory of 2620	2032	2024-10-12_7460a359bf50d12d26232d79412a3eb7_7ev3n.exe	32
PID 2620 wrote to memory of 2376	2620	conlhost.exe	33
PID 2620 wrote to memory of 2376	2620	conlhost.exe	33
PID 2620 wrote to memory of 2376	2620	conlhost.exe	33
PID 2620 wrote to memory of 2376	2620	conlhost.exe	33
PID 2620 wrote to memory of 2356	2620	conlhost.exe	36
PID 2620 wrote to memory of 2356	2620	conlhost.exe	36
PID 2620 wrote to memory of 2356	2620	conlhost.exe	36
PID 2620 wrote to memory of 2356	2620	conlhost.exe	36
PID 2620 wrote to memory of 2728	2620	conlhost.exe	39
PID 2620 wrote to memory of 2728	2620	conlhost.exe	39
PID 2620 wrote to memory of 2728	2620	conlhost.exe	39
PID 2620 wrote to memory of 2728	2620	conlhost.exe	39

C:\Users\Admin\AppData\Local\Temp\2024-10-12_7460a359bf50d12d26232d79412a3eb7_7ev3n.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_7460a359bf50d12d26232d79412a3eb7_7ev3n.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032
- C:\users\Public\conlhost.exe
  "C:\users\Public\conlhost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\users\Public\del.bat
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2376
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d "C:\users\Public\conlhost.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2356
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE" /v "crypted" /t REG_SZ /d "1" /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\FILES_BACK.txt

Filesize
215B

MD5
ad88f1fc00d22a7a401142e9b02d159d

SHA1
6eaaa383f2e04efc290f368b55a7323fdbe7b986

SHA256
a897b00e72bee37fff4d2f80786c00638c0e75bdc183817b624a8daae899a286

SHA512
318503eb1c4a842955fbb4b953b16857717ee0345dd17238cbc3ef0ffdfdf9e959468c8f0973a46e39b9e08a3e89ef1a7f2c6df91377f68b4d3e3520e321f966

Download Submit
C:\users\Public\del.bat

Filesize
115B

MD5
fe2a06d784fe2f25235373e73049b386

SHA1
b9a61457a8119dd9ebb449a3f114513a361d0eb2

SHA256
2ae1e4904dbe4f97f20a07ad3b44961a9beae8c92525f3da24e16fa662519058

SHA512
3f64d9f8ead2916e02a3db9baf345397972565bc4616968996f9c04515cd90b5550f09a66bf5b1928be6874dae1db0ba632e23e2ae8c51ffefadd9bfffce1f06

Download Submit
\Users\Public\conlhost.exe

Filesize
388KB

MD5
18643a9a18ee51febdff616ab9072d7c

SHA1
1240c1e4716d7cf6cc4ac37f7aec6b15fd7b845d

SHA256
1dc6bbf348071f817ffadc7f5c9907e96db25beb7ce19cd6da5309549d26fa14

SHA512
ecb123d3be558f6b5dc479b565b77339570f87c963db5b1334d7022436587e40c610e4bdebb1e7b3ebea588df54dcae1932ceb3eeaeac886f4f9be5494234697

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads