917bf7efaae54c6f95b6139768be9e74fac5b45364f77c96c027b2420c9638b9

Analysis

max time kernel
171s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

917bf7efaae54c6f95b6139768be9e74fac5b45364f77c96c027b2420c9638b9.exe
Size

724KB
MD5

a0b2c180524aa3d79d02b3d92e688770
SHA1

ec04a354b83a09eb65db557088e019e0768d41b2
SHA256

917bf7efaae54c6f95b6139768be9e74fac5b45364f77c96c027b2420c9638b9
SHA512

e0c299032781467b4525f125df6593f9279da145639d7b603eb87b5cf61204846cf74c8d38a4f73729c23f70f5d165228288410c4e90d8c6475bd50ab2e68c06
SSDEEP

12288:71/aGLDCMNpNAkoSzZWD8ayX2MQCw7D02SsdQ7Gq12j7Jan:71/aGLDCM4D8ayGMSdQ0M

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1240	ftbheg.exe

Loads dropped DLL 2 IoCs

pid	Process
1032	917bf7efaae54c6f95b6139768be9e74fac5b45364f77c96c027b2420c9638b9.exe
1032	917bf7efaae54c6f95b6139768be9e74fac5b45364f77c96c027b2420c9638b9.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\ftbheg.exe"	ftbheg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1240	1032	917bf7efaae54c6f95b6139768be9e74fac5b45364f77c96c027b2420c9638b9.exe	27
PID 1032 wrote to memory of 1240	1032	917bf7efaae54c6f95b6139768be9e74fac5b45364f77c96c027b2420c9638b9.exe	27
PID 1032 wrote to memory of 1240	1032	917bf7efaae54c6f95b6139768be9e74fac5b45364f77c96c027b2420c9638b9.exe	27
PID 1032 wrote to memory of 1240	1032	917bf7efaae54c6f95b6139768be9e74fac5b45364f77c96c027b2420c9638b9.exe	27

C:\Users\Admin\AppData\Local\Temp\917bf7efaae54c6f95b6139768be9e74fac5b45364f77c96c027b2420c9638b9.exe
"C:\Users\Admin\AppData\Local\Temp\917bf7efaae54c6f95b6139768be9e74fac5b45364f77c96c027b2420c9638b9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032
- C:\ProgramData\ftbheg.exe
  "C:\ProgramData\ftbheg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Saaaalamm\Mira.h

Filesize
269KB

MD5
d882647ae95e92c82bd66478d7043df3

SHA1
52f1b2c5ff9fe97ade8a034c1df965b21b6f2008

SHA256
93ba5be8e47ad44f8d31ff6b142e6c21de473b5c725e8b798279f8b0f31d4232

SHA512
ec1416cd7b9d251d6c687c87d3626a4b1879debd50d69050a8be6f01475d53f022919aa1a0cb56e14bd6eae316259c2681eb5bc9ad0e01ed909d9aba0a52dce2

Download Submit
C:\ProgramData\ftbheg.exe

Filesize
454KB

MD5
b4836a736c6dca5b2b57de17463f8847

SHA1
519e8ed0327fc0a2ce63b59531ef5071450bec13

SHA256
1844f4eafca911aa5faf38d2617436c3a712f02c777597fc824c7415a8ad21e6

SHA512
50a3bab6bd257d9ab895a2e7b6177955d3f9e06199cb2f9c2962ba83c7356b25ba190293b1974633e45b42660fdd4d368f8cbce2836ff376556b3747006e30ef

Download Submit
C:\ProgramData\ftbheg.exe

Filesize
454KB

MD5
b4836a736c6dca5b2b57de17463f8847

SHA1
519e8ed0327fc0a2ce63b59531ef5071450bec13

SHA256
1844f4eafca911aa5faf38d2617436c3a712f02c777597fc824c7415a8ad21e6

SHA512
50a3bab6bd257d9ab895a2e7b6177955d3f9e06199cb2f9c2962ba83c7356b25ba190293b1974633e45b42660fdd4d368f8cbce2836ff376556b3747006e30ef

Download Submit
\ProgramData\ftbheg.exe

Filesize
454KB

MD5
b4836a736c6dca5b2b57de17463f8847

SHA1
519e8ed0327fc0a2ce63b59531ef5071450bec13

SHA256
1844f4eafca911aa5faf38d2617436c3a712f02c777597fc824c7415a8ad21e6

SHA512
50a3bab6bd257d9ab895a2e7b6177955d3f9e06199cb2f9c2962ba83c7356b25ba190293b1974633e45b42660fdd4d368f8cbce2836ff376556b3747006e30ef

Download Submit
\ProgramData\ftbheg.exe

Filesize
454KB

MD5
b4836a736c6dca5b2b57de17463f8847

SHA1
519e8ed0327fc0a2ce63b59531ef5071450bec13

SHA256
1844f4eafca911aa5faf38d2617436c3a712f02c777597fc824c7415a8ad21e6

SHA512
50a3bab6bd257d9ab895a2e7b6177955d3f9e06199cb2f9c2962ba83c7356b25ba190293b1974633e45b42660fdd4d368f8cbce2836ff376556b3747006e30ef

Download Submit
memory/1032-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1032-55-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1032-61-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download