700ca72cca0e6fe2abab2250ea3da92d97b2f1e2580bb8cbf86591f51742442b

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

700ca72cca0e6fe2abab2250ea3da92d97b2f1e2580bb8cbf86591f51742442b.exe
Size

722KB
MD5

820dbd1a79cab2de3ee5a604227218b0
SHA1

115b79c1fab57263abe02286308655e30cbc7a75
SHA256

700ca72cca0e6fe2abab2250ea3da92d97b2f1e2580bb8cbf86591f51742442b
SHA512

7132fff56fde519358603a5dd799c521463bbf2aea30fb84c7f20ad2b11594a3f11deaf515a9f52d661695fa56ae7346a6b1db5a360555477cc3142ccb258db8
SSDEEP

12288:P1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0IZ7+8XX/im1GXp5ftORJG5ouL9QN6b4Z:P1/aGLDCM4D8ayGMMw8XX/im1GXed2gp

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1812	qjgfs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\qjgfs.exe"	qjgfs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1812	1380	700ca72cca0e6fe2abab2250ea3da92d97b2f1e2580bb8cbf86591f51742442b.exe	84
PID 1380 wrote to memory of 1812	1380	700ca72cca0e6fe2abab2250ea3da92d97b2f1e2580bb8cbf86591f51742442b.exe	84
PID 1380 wrote to memory of 1812	1380	700ca72cca0e6fe2abab2250ea3da92d97b2f1e2580bb8cbf86591f51742442b.exe	84

C:\Users\Admin\AppData\Local\Temp\700ca72cca0e6fe2abab2250ea3da92d97b2f1e2580bb8cbf86591f51742442b.exe
"C:\Users\Admin\AppData\Local\Temp\700ca72cca0e6fe2abab2250ea3da92d97b2f1e2580bb8cbf86591f51742442b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1380
- C:\ProgramData\qjgfs.exe
  "C:\ProgramData\qjgfs.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Saaaalamm\Mira.h

Filesize
268KB

MD5
15cccb964efeeb58f9cd8ebf5757b3a1

SHA1
cda2c453e19b020166b7a89d4389d33300a7febb

SHA256
4dbb6abdd207bfb4d794a8305d28e352deb8281efe70e4365d05263f80c395a7

SHA512
b933d0a0ca1ea341d0ef24903b68f09115859515b1949be109f05b414a2656e16bba686edac405fc9174ddbbf0942abf8042707b82a7382782ca3b838f8628fa

Download Submit
C:\ProgramData\qjgfs.exe

Filesize
454KB

MD5
68dff3b3dcbf8aef61a200eae6eaa3b6

SHA1
c74a114895fbced5f8b023ec57dbc70d13f1c415

SHA256
05d0c6f75af834405ec488881caa02ce651a823f8cdd24b13216415b50df9b90

SHA512
1787d9d67468f7cdd577485d4e630e77c00a44d5146232454c24c21478dc4a92f86f957f5cc3f7e5bc87a8b062945f87f28bc450a3bf6876476587e038d4a068

Download Submit
C:\ProgramData\qjgfs.exe

Filesize
454KB

MD5
68dff3b3dcbf8aef61a200eae6eaa3b6

SHA1
c74a114895fbced5f8b023ec57dbc70d13f1c415

SHA256
05d0c6f75af834405ec488881caa02ce651a823f8cdd24b13216415b50df9b90

SHA512
1787d9d67468f7cdd577485d4e630e77c00a44d5146232454c24c21478dc4a92f86f957f5cc3f7e5bc87a8b062945f87f28bc450a3bf6876476587e038d4a068

Download Submit