b48dc16b39d399f4cd01434641fd5cdb421f879b03e915f80a25a307646e2811

Analysis

max time kernel
151s
max time network
68s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b48dc16b39d399f4cd01434641fd5cdb421f879b03e915f80a25a307646e2811.exe
Size

722KB
MD5

3773a230d7609200e57550b14337a490
SHA1

c244536182d40b4a22f4505f99846f24e36d54d0
SHA256

b48dc16b39d399f4cd01434641fd5cdb421f879b03e915f80a25a307646e2811
SHA512

452a239a822314747fcb6d0e22c2e50c5c3e44e9d44caccb2dd75d59148ade90bde9057146af3bc85cbdee79abd92057d6b37fae5219c0900c4620ea5edebf9b
SSDEEP

12288:P1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0ZcZIE4B4j5QNcYaj96JYX6AKIGcbkExv:P1/aGLDCM4D8ayGMV0hzL6CvKIGOkExv

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1372	lxxxx.exe

Loads dropped DLL 2 IoCs

pid	Process
1376	b48dc16b39d399f4cd01434641fd5cdb421f879b03e915f80a25a307646e2811.exe
1376	b48dc16b39d399f4cd01434641fd5cdb421f879b03e915f80a25a307646e2811.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\lxxxx.exe"	lxxxx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1372	1376	b48dc16b39d399f4cd01434641fd5cdb421f879b03e915f80a25a307646e2811.exe	26
PID 1376 wrote to memory of 1372	1376	b48dc16b39d399f4cd01434641fd5cdb421f879b03e915f80a25a307646e2811.exe	26
PID 1376 wrote to memory of 1372	1376	b48dc16b39d399f4cd01434641fd5cdb421f879b03e915f80a25a307646e2811.exe	26
PID 1376 wrote to memory of 1372	1376	b48dc16b39d399f4cd01434641fd5cdb421f879b03e915f80a25a307646e2811.exe	26

C:\Users\Admin\AppData\Local\Temp\b48dc16b39d399f4cd01434641fd5cdb421f879b03e915f80a25a307646e2811.exe
"C:\Users\Admin\AppData\Local\Temp\b48dc16b39d399f4cd01434641fd5cdb421f879b03e915f80a25a307646e2811.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376
- C:\ProgramData\lxxxx.exe
  "C:\ProgramData\lxxxx.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Saaaalamm\Mira.h

Filesize
268KB

MD5
15cccb964efeeb58f9cd8ebf5757b3a1

SHA1
cda2c453e19b020166b7a89d4389d33300a7febb

SHA256
4dbb6abdd207bfb4d794a8305d28e352deb8281efe70e4365d05263f80c395a7

SHA512
b933d0a0ca1ea341d0ef24903b68f09115859515b1949be109f05b414a2656e16bba686edac405fc9174ddbbf0942abf8042707b82a7382782ca3b838f8628fa

Download Submit
C:\ProgramData\lxxxx.exe

Filesize
454KB

MD5
a1a06c7e0b36be758be2679cd7b9bb11

SHA1
b1c1142d302103f517beaf2cf048bbe5f506de3a

SHA256
9b8e70ecfc8ee6fcd18770762d375701aeeb90ee31938ac4834e9aa0213e8343

SHA512
6ee61bbbd037d29d5acd9711806d17a9fb2b7f80068a002e2607e6b1d36b0ebb12da06d56f652999240a27e38b29bda6ad658e87fff2effe941278cf70d48b0d

Download Submit
C:\ProgramData\lxxxx.exe

Filesize
454KB

MD5
a1a06c7e0b36be758be2679cd7b9bb11

SHA1
b1c1142d302103f517beaf2cf048bbe5f506de3a

SHA256
9b8e70ecfc8ee6fcd18770762d375701aeeb90ee31938ac4834e9aa0213e8343

SHA512
6ee61bbbd037d29d5acd9711806d17a9fb2b7f80068a002e2607e6b1d36b0ebb12da06d56f652999240a27e38b29bda6ad658e87fff2effe941278cf70d48b0d

Download Submit
\ProgramData\lxxxx.exe

Filesize
454KB

MD5
a1a06c7e0b36be758be2679cd7b9bb11

SHA1
b1c1142d302103f517beaf2cf048bbe5f506de3a

SHA256
9b8e70ecfc8ee6fcd18770762d375701aeeb90ee31938ac4834e9aa0213e8343

SHA512
6ee61bbbd037d29d5acd9711806d17a9fb2b7f80068a002e2607e6b1d36b0ebb12da06d56f652999240a27e38b29bda6ad658e87fff2effe941278cf70d48b0d

Download Submit
\ProgramData\lxxxx.exe

Filesize
454KB

MD5
a1a06c7e0b36be758be2679cd7b9bb11

SHA1
b1c1142d302103f517beaf2cf048bbe5f506de3a

SHA256
9b8e70ecfc8ee6fcd18770762d375701aeeb90ee31938ac4834e9aa0213e8343

SHA512
6ee61bbbd037d29d5acd9711806d17a9fb2b7f80068a002e2607e6b1d36b0ebb12da06d56f652999240a27e38b29bda6ad658e87fff2effe941278cf70d48b0d

Download Submit
memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download