3fdcdf440ee96f3b858f78b30a7f3344b679f1b333cfe5643d3a22cf6491a153

Analysis

max time kernel
148s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fdcdf440ee96f3b858f78b30a7f3344b679f1b333cfe5643d3a22cf6491a153.exe
Size

932KB
MD5

917917c7e74d4fadb834492c30981b30
SHA1

d8888eb5b5354d06ea398e74d38cadac0c6a50d0
SHA256

3fdcdf440ee96f3b858f78b30a7f3344b679f1b333cfe5643d3a22cf6491a153
SHA512

55ee337f10e4e6f2243b70c3875364c4e9b314905eb103be1efe03fe87e4c7475deb4b30c174c827356d7b962ff6301a0ac4bb32d91e7189614a3c6cd893df2e
SSDEEP

12288:71/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0FoWxJpcEi0/3IWV//7cSdmwPW5Qjp0Zt:71/aGLDCM4D8ayGMZo8/Cf5Qj+k/tur

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
940	catpmi.exe

Loads dropped DLL 2 IoCs

pid	Process
1592	3fdcdf440ee96f3b858f78b30a7f3344b679f1b333cfe5643d3a22cf6491a153.exe
1592	3fdcdf440ee96f3b858f78b30a7f3344b679f1b333cfe5643d3a22cf6491a153.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\catpmi.exe"	catpmi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 940	1592	3fdcdf440ee96f3b858f78b30a7f3344b679f1b333cfe5643d3a22cf6491a153.exe	27
PID 1592 wrote to memory of 940	1592	3fdcdf440ee96f3b858f78b30a7f3344b679f1b333cfe5643d3a22cf6491a153.exe	27
PID 1592 wrote to memory of 940	1592	3fdcdf440ee96f3b858f78b30a7f3344b679f1b333cfe5643d3a22cf6491a153.exe	27
PID 1592 wrote to memory of 940	1592	3fdcdf440ee96f3b858f78b30a7f3344b679f1b333cfe5643d3a22cf6491a153.exe	27

C:\Users\Admin\AppData\Local\Temp\3fdcdf440ee96f3b858f78b30a7f3344b679f1b333cfe5643d3a22cf6491a153.exe
"C:\Users\Admin\AppData\Local\Temp\3fdcdf440ee96f3b858f78b30a7f3344b679f1b333cfe5643d3a22cf6491a153.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592
- C:\ProgramData\catpmi.exe
  "C:\ProgramData\catpmi.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Saaaalamm\Mira.h

Filesize
477KB

MD5
71e38cb8371fa644436922e0eee6040d

SHA1
6e9e897cb95fd8434891e87a584f5f1b9482cae2

SHA256
2c97f31658ca63791439d384a5c4488bdca89adac6c363c2cc97e5763af30db4

SHA512
852954de6ce9732c6533d475ebd22f308c5659690d5197dd5865cde0ef740b40f380035baf8d9e6e38dc0541b5f16ffb01ea1560cbb89528ec4b2214c7fcc3be

Download Submit
C:\ProgramData\catpmi.exe

Filesize
454KB

MD5
c3bbaf87754019675200fd1301b37521

SHA1
db9ed41f3e8958826eecf93ff6116ad16d7f1126

SHA256
2f8e5128fc04cc810bba3485d7e4d1b0ef2e73e2699fb3e14cb80dd5f3d1f8e3

SHA512
af73457fddc9fac7dca8c53601b7cc31339f4146fea81fe1a89cd4a26c3f1cc8c2adcddc1eebca8bc7b27b135e94bc1e64fdc21c513370fdc71a2a8e5d7564c2

Download Submit
C:\ProgramData\catpmi.exe

Filesize
454KB

MD5
c3bbaf87754019675200fd1301b37521

SHA1
db9ed41f3e8958826eecf93ff6116ad16d7f1126

SHA256
2f8e5128fc04cc810bba3485d7e4d1b0ef2e73e2699fb3e14cb80dd5f3d1f8e3

SHA512
af73457fddc9fac7dca8c53601b7cc31339f4146fea81fe1a89cd4a26c3f1cc8c2adcddc1eebca8bc7b27b135e94bc1e64fdc21c513370fdc71a2a8e5d7564c2

Download Submit
\ProgramData\catpmi.exe

Filesize
454KB

MD5
c3bbaf87754019675200fd1301b37521

SHA1
db9ed41f3e8958826eecf93ff6116ad16d7f1126

SHA256
2f8e5128fc04cc810bba3485d7e4d1b0ef2e73e2699fb3e14cb80dd5f3d1f8e3

SHA512
af73457fddc9fac7dca8c53601b7cc31339f4146fea81fe1a89cd4a26c3f1cc8c2adcddc1eebca8bc7b27b135e94bc1e64fdc21c513370fdc71a2a8e5d7564c2

Download Submit
\ProgramData\catpmi.exe

Filesize
454KB

MD5
c3bbaf87754019675200fd1301b37521

SHA1
db9ed41f3e8958826eecf93ff6116ad16d7f1126

SHA256
2f8e5128fc04cc810bba3485d7e4d1b0ef2e73e2699fb3e14cb80dd5f3d1f8e3

SHA512
af73457fddc9fac7dca8c53601b7cc31339f4146fea81fe1a89cd4a26c3f1cc8c2adcddc1eebca8bc7b27b135e94bc1e64fdc21c513370fdc71a2a8e5d7564c2

Download Submit
memory/1592-54-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1592-55-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1592-61-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download