4512974f4aa9eaeb817713d589cd7a93c32cf09febdab92c623f5144b0ca3dda

Analysis

max time kernel
147s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4512974f4aa9eaeb817713d589cd7a93c32cf09febdab92c623f5144b0ca3dda.exe
Size

794KB
MD5

5493673b2d3895f8569fca5d9d310320
SHA1

bc422b3a44ff87b30e0a6d975bb59c30626c3bec
SHA256

4512974f4aa9eaeb817713d589cd7a93c32cf09febdab92c623f5144b0ca3dda
SHA512

7a8a02cadbe92dca19aa7bf8e098267a8f8a0671f8270b093e917d47a3749486e20f0a94e6c7a3d65f8a910c0cad55bd23751a7e172714983039b0a6ddbbe7e9
SSDEEP

24576:71/aGLDCM4D8ayGMZwAB331LQPdgPKdUjdFHXAI:0D8ayGMZZFLqgPKdUjdFHX/

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
980	sgqvi.exe

Loads dropped DLL 2 IoCs

pid	Process
748	4512974f4aa9eaeb817713d589cd7a93c32cf09febdab92c623f5144b0ca3dda.exe
748	4512974f4aa9eaeb817713d589cd7a93c32cf09febdab92c623f5144b0ca3dda.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\sgqvi.exe"	sgqvi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 980	748	4512974f4aa9eaeb817713d589cd7a93c32cf09febdab92c623f5144b0ca3dda.exe	27
PID 748 wrote to memory of 980	748	4512974f4aa9eaeb817713d589cd7a93c32cf09febdab92c623f5144b0ca3dda.exe	27
PID 748 wrote to memory of 980	748	4512974f4aa9eaeb817713d589cd7a93c32cf09febdab92c623f5144b0ca3dda.exe	27
PID 748 wrote to memory of 980	748	4512974f4aa9eaeb817713d589cd7a93c32cf09febdab92c623f5144b0ca3dda.exe	27

C:\Users\Admin\AppData\Local\Temp\4512974f4aa9eaeb817713d589cd7a93c32cf09febdab92c623f5144b0ca3dda.exe
"C:\Users\Admin\AppData\Local\Temp\4512974f4aa9eaeb817713d589cd7a93c32cf09febdab92c623f5144b0ca3dda.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:748
- C:\ProgramData\sgqvi.exe
  "C:\ProgramData\sgqvi.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Saaaalamm\Mira.h

Filesize
339KB

MD5
57af6c15b7a8e50a2ee29c1c364b80ee

SHA1
794f076f45f5a31fe4677f7c726e6160bfdfac7e

SHA256
39c65b1ab5ead696a5160ddd374e6736d4dd0be641732310e3432d6cfa4f46ec

SHA512
fe1ec6aca7e842f2c7e9397b86d6c53776f4c21d33a50e17a0ba891dc48819829f0f1330ca1cd3a18317e85a62e6a0e8aa130e9faed41ac62cfa58726a179f9c

Download Submit
C:\ProgramData\sgqvi.exe

Filesize
454KB

MD5
394983c6ef2b127fc78d1284ed7245ce

SHA1
8f0e225b85660c801d50987ecf597b49de44987d

SHA256
19063137a737378a4626e2ff1e450c1b9b26a3a823c0848b7e4feaaea55677a0

SHA512
fc147a54f4f6c5080b7638da4776d9c086187773251cc36f923024fb47b018d1e91effea6d70b2d67eb7a680907d7b867168418670a36040999aa512510ae490

Download Submit
C:\ProgramData\sgqvi.exe

Filesize
454KB

MD5
394983c6ef2b127fc78d1284ed7245ce

SHA1
8f0e225b85660c801d50987ecf597b49de44987d

SHA256
19063137a737378a4626e2ff1e450c1b9b26a3a823c0848b7e4feaaea55677a0

SHA512
fc147a54f4f6c5080b7638da4776d9c086187773251cc36f923024fb47b018d1e91effea6d70b2d67eb7a680907d7b867168418670a36040999aa512510ae490

Download Submit
\ProgramData\sgqvi.exe

Filesize
454KB

MD5
394983c6ef2b127fc78d1284ed7245ce

SHA1
8f0e225b85660c801d50987ecf597b49de44987d

SHA256
19063137a737378a4626e2ff1e450c1b9b26a3a823c0848b7e4feaaea55677a0

SHA512
fc147a54f4f6c5080b7638da4776d9c086187773251cc36f923024fb47b018d1e91effea6d70b2d67eb7a680907d7b867168418670a36040999aa512510ae490

Download Submit
\ProgramData\sgqvi.exe

Filesize
454KB

MD5
394983c6ef2b127fc78d1284ed7245ce

SHA1
8f0e225b85660c801d50987ecf597b49de44987d

SHA256
19063137a737378a4626e2ff1e450c1b9b26a3a823c0848b7e4feaaea55677a0

SHA512
fc147a54f4f6c5080b7638da4776d9c086187773251cc36f923024fb47b018d1e91effea6d70b2d67eb7a680907d7b867168418670a36040999aa512510ae490

Download Submit
memory/748-54-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/748-60-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/748-61-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download