78441d7250773a7d00cae8bc60ee1a64b72cdf5cc0f552e87d4c5af7b26cc904

Analysis

max time kernel
149s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78441d7250773a7d00cae8bc60ee1a64b72cdf5cc0f552e87d4c5af7b26cc904.exe
Size

932KB
MD5

632f9d1b1cb373dba4cfdeba80a7f850
SHA1

7c41211269467fff63f47873784ae55c9afd3d42
SHA256

78441d7250773a7d00cae8bc60ee1a64b72cdf5cc0f552e87d4c5af7b26cc904
SHA512

e1be24129ddac4efa41669ef77d9d0df317b2299a7664d2d828716b65fe9f924e63580f1424617f05d50cf23d026fb4eefb9adeaa6e844f6fa990d5ce1f0732a
SSDEEP

24576:71/aGLDCM4D8ayGMZo8/5xN1NL/kLm9edGeakbTHN42EoNo9PFOt/:0D8ayGMZoExRjqV29Pm

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1148	wvdwn.exe

Loads dropped DLL 2 IoCs

pid	Process
2012	78441d7250773a7d00cae8bc60ee1a64b72cdf5cc0f552e87d4c5af7b26cc904.exe
2012	78441d7250773a7d00cae8bc60ee1a64b72cdf5cc0f552e87d4c5af7b26cc904.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\wvdwn.exe"	wvdwn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1148	2012	78441d7250773a7d00cae8bc60ee1a64b72cdf5cc0f552e87d4c5af7b26cc904.exe	27
PID 2012 wrote to memory of 1148	2012	78441d7250773a7d00cae8bc60ee1a64b72cdf5cc0f552e87d4c5af7b26cc904.exe	27
PID 2012 wrote to memory of 1148	2012	78441d7250773a7d00cae8bc60ee1a64b72cdf5cc0f552e87d4c5af7b26cc904.exe	27
PID 2012 wrote to memory of 1148	2012	78441d7250773a7d00cae8bc60ee1a64b72cdf5cc0f552e87d4c5af7b26cc904.exe	27

C:\Users\Admin\AppData\Local\Temp\78441d7250773a7d00cae8bc60ee1a64b72cdf5cc0f552e87d4c5af7b26cc904.exe
"C:\Users\Admin\AppData\Local\Temp\78441d7250773a7d00cae8bc60ee1a64b72cdf5cc0f552e87d4c5af7b26cc904.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012
- C:\ProgramData\wvdwn.exe
  "C:\ProgramData\wvdwn.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Saaaalamm\Mira.h

Filesize
477KB

MD5
71e38cb8371fa644436922e0eee6040d

SHA1
6e9e897cb95fd8434891e87a584f5f1b9482cae2

SHA256
2c97f31658ca63791439d384a5c4488bdca89adac6c363c2cc97e5763af30db4

SHA512
852954de6ce9732c6533d475ebd22f308c5659690d5197dd5865cde0ef740b40f380035baf8d9e6e38dc0541b5f16ffb01ea1560cbb89528ec4b2214c7fcc3be

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
477KB

MD5
71e38cb8371fa644436922e0eee6040d

SHA1
6e9e897cb95fd8434891e87a584f5f1b9482cae2

SHA256
2c97f31658ca63791439d384a5c4488bdca89adac6c363c2cc97e5763af30db4

SHA512
852954de6ce9732c6533d475ebd22f308c5659690d5197dd5865cde0ef740b40f380035baf8d9e6e38dc0541b5f16ffb01ea1560cbb89528ec4b2214c7fcc3be

Download Submit
C:\ProgramData\wvdwn.exe

Filesize
454KB

MD5
b9954623faaee31b727f0847f27b1184

SHA1
abe8796cdde39813bd68fd3e522d2d50fde6cb86

SHA256
0a5ea1cbb1dc2361b12dfb715dbc2b72e1f55ad00316c36666c817e6ee1a189f

SHA512
5f5b7b09559423a33376baf2711b470934d966fdde1a897fd67bbe0adc01d23a2684b6057592596c8f0ca694f02915d76e7e4dd5f9b22d730c9934640cfe718c

Download Submit
C:\ProgramData\wvdwn.exe

Filesize
454KB

MD5
b9954623faaee31b727f0847f27b1184

SHA1
abe8796cdde39813bd68fd3e522d2d50fde6cb86

SHA256
0a5ea1cbb1dc2361b12dfb715dbc2b72e1f55ad00316c36666c817e6ee1a189f

SHA512
5f5b7b09559423a33376baf2711b470934d966fdde1a897fd67bbe0adc01d23a2684b6057592596c8f0ca694f02915d76e7e4dd5f9b22d730c9934640cfe718c

Download Submit
\ProgramData\wvdwn.exe

Filesize
454KB

MD5
b9954623faaee31b727f0847f27b1184

SHA1
abe8796cdde39813bd68fd3e522d2d50fde6cb86

SHA256
0a5ea1cbb1dc2361b12dfb715dbc2b72e1f55ad00316c36666c817e6ee1a189f

SHA512
5f5b7b09559423a33376baf2711b470934d966fdde1a897fd67bbe0adc01d23a2684b6057592596c8f0ca694f02915d76e7e4dd5f9b22d730c9934640cfe718c

Download Submit
\ProgramData\wvdwn.exe

Filesize
454KB

MD5
b9954623faaee31b727f0847f27b1184

SHA1
abe8796cdde39813bd68fd3e522d2d50fde6cb86

SHA256
0a5ea1cbb1dc2361b12dfb715dbc2b72e1f55ad00316c36666c817e6ee1a189f

SHA512
5f5b7b09559423a33376baf2711b470934d966fdde1a897fd67bbe0adc01d23a2684b6057592596c8f0ca694f02915d76e7e4dd5f9b22d730c9934640cfe718c

Download Submit
memory/2012-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/2012-62-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download