9990df334f6c2e969ea9ac295ba3692ef8e893ceebc45993c4b56c767c96323c

Analysis

max time kernel
149s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9990df334f6c2e969ea9ac295ba3692ef8e893ceebc45993c4b56c767c96323c.exe
Size

724KB
MD5

a24b4f358a25648e135f1c94ecfdc6a0
SHA1

11d34c9a28e543c15303220c5f0e9555611e993a
SHA256

9990df334f6c2e969ea9ac295ba3692ef8e893ceebc45993c4b56c767c96323c
SHA512

723ef1da15038a6420f7200258959b0fd54502c0ba305aca3a66e68d941c8d245c9e0545223d05c421a836f0bd9bf87368e97b2434f83373d34bffd4551d49a3
SSDEEP

12288:71/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0diYiWy8CMzUO0J1IVuYXWQ/iehDLIxOF:71/aGLDCM4D8ayGMZ8WypuUF1YXWQ/lh

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1152	lcejp.exe

Loads dropped DLL 2 IoCs

pid	Process
1492	9990df334f6c2e969ea9ac295ba3692ef8e893ceebc45993c4b56c767c96323c.exe
1492	9990df334f6c2e969ea9ac295ba3692ef8e893ceebc45993c4b56c767c96323c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\lcejp.exe"	lcejp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1152	1492	9990df334f6c2e969ea9ac295ba3692ef8e893ceebc45993c4b56c767c96323c.exe	27
PID 1492 wrote to memory of 1152	1492	9990df334f6c2e969ea9ac295ba3692ef8e893ceebc45993c4b56c767c96323c.exe	27
PID 1492 wrote to memory of 1152	1492	9990df334f6c2e969ea9ac295ba3692ef8e893ceebc45993c4b56c767c96323c.exe	27
PID 1492 wrote to memory of 1152	1492	9990df334f6c2e969ea9ac295ba3692ef8e893ceebc45993c4b56c767c96323c.exe	27

C:\Users\Admin\AppData\Local\Temp\9990df334f6c2e969ea9ac295ba3692ef8e893ceebc45993c4b56c767c96323c.exe
"C:\Users\Admin\AppData\Local\Temp\9990df334f6c2e969ea9ac295ba3692ef8e893ceebc45993c4b56c767c96323c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492
- C:\ProgramData\lcejp.exe
  "C:\ProgramData\lcejp.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Saaaalamm\Mira.h

Filesize
269KB

MD5
d882647ae95e92c82bd66478d7043df3

SHA1
52f1b2c5ff9fe97ade8a034c1df965b21b6f2008

SHA256
93ba5be8e47ad44f8d31ff6b142e6c21de473b5c725e8b798279f8b0f31d4232

SHA512
ec1416cd7b9d251d6c687c87d3626a4b1879debd50d69050a8be6f01475d53f022919aa1a0cb56e14bd6eae316259c2681eb5bc9ad0e01ed909d9aba0a52dce2

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
269KB

MD5
d882647ae95e92c82bd66478d7043df3

SHA1
52f1b2c5ff9fe97ade8a034c1df965b21b6f2008

SHA256
93ba5be8e47ad44f8d31ff6b142e6c21de473b5c725e8b798279f8b0f31d4232

SHA512
ec1416cd7b9d251d6c687c87d3626a4b1879debd50d69050a8be6f01475d53f022919aa1a0cb56e14bd6eae316259c2681eb5bc9ad0e01ed909d9aba0a52dce2

Download Submit
C:\ProgramData\lcejp.exe

Filesize
454KB

MD5
536b23425cfbc3de1a4af537d284ea29

SHA1
be532fc2b479df3b133967459bd517a6ec9fd996

SHA256
36f40fa9f38ab150accb4c276e534f44123ce550147a5ffc13b917c0115d303a

SHA512
e336f5fb2bd91e38c59c7c8e0b504cec2948909e0879ca9d4b1475c76fee876408b69c6bc261ec02fad197dc7e872ec140c50043a7300456fe2ca34561750f49

Download Submit
C:\ProgramData\lcejp.exe

Filesize
454KB

MD5
536b23425cfbc3de1a4af537d284ea29

SHA1
be532fc2b479df3b133967459bd517a6ec9fd996

SHA256
36f40fa9f38ab150accb4c276e534f44123ce550147a5ffc13b917c0115d303a

SHA512
e336f5fb2bd91e38c59c7c8e0b504cec2948909e0879ca9d4b1475c76fee876408b69c6bc261ec02fad197dc7e872ec140c50043a7300456fe2ca34561750f49

Download Submit
\ProgramData\lcejp.exe

Filesize
454KB

MD5
536b23425cfbc3de1a4af537d284ea29

SHA1
be532fc2b479df3b133967459bd517a6ec9fd996

SHA256
36f40fa9f38ab150accb4c276e534f44123ce550147a5ffc13b917c0115d303a

SHA512
e336f5fb2bd91e38c59c7c8e0b504cec2948909e0879ca9d4b1475c76fee876408b69c6bc261ec02fad197dc7e872ec140c50043a7300456fe2ca34561750f49

Download Submit
\ProgramData\lcejp.exe

Filesize
454KB

MD5
536b23425cfbc3de1a4af537d284ea29

SHA1
be532fc2b479df3b133967459bd517a6ec9fd996

SHA256
36f40fa9f38ab150accb4c276e534f44123ce550147a5ffc13b917c0115d303a

SHA512
e336f5fb2bd91e38c59c7c8e0b504cec2948909e0879ca9d4b1475c76fee876408b69c6bc261ec02fad197dc7e872ec140c50043a7300456fe2ca34561750f49

Download Submit
memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1492-62-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download