adb35039e395bf4e82e07eb8a94dd186dce1613a118e0da728f08985755f7378

Analysis

max time kernel
163s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adb35039e395bf4e82e07eb8a94dd186dce1613a118e0da728f08985755f7378.exe
Size

722KB
MD5

a019a1c0cd17d4bfaec26b709dd3f280
SHA1

05481a0c23893812fcce0bbf5ccc5b8fe3f19060
SHA256

adb35039e395bf4e82e07eb8a94dd186dce1613a118e0da728f08985755f7378
SHA512

89ea146390c87c19ebbe8cde5c398f2429bcd07fd99e76b28cb3517b89191614d6d17be215b1c57b569a3e3be277068e6f3259ba9696abd61c902089789b53b4
SSDEEP

12288:P1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0UNi6jLuKTcJ0J1+lyIlxJ7/VboW0mAjr:P1/aGLDCM4D8ayGMgA6jLuKQJ0J1+p7E

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1200	iqutwe.exe

Loads dropped DLL 2 IoCs

pid	Process
1976	adb35039e395bf4e82e07eb8a94dd186dce1613a118e0da728f08985755f7378.exe
1976	adb35039e395bf4e82e07eb8a94dd186dce1613a118e0da728f08985755f7378.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\iqutwe.exe"	iqutwe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1200	1976	adb35039e395bf4e82e07eb8a94dd186dce1613a118e0da728f08985755f7378.exe	28
PID 1976 wrote to memory of 1200	1976	adb35039e395bf4e82e07eb8a94dd186dce1613a118e0da728f08985755f7378.exe	28
PID 1976 wrote to memory of 1200	1976	adb35039e395bf4e82e07eb8a94dd186dce1613a118e0da728f08985755f7378.exe	28
PID 1976 wrote to memory of 1200	1976	adb35039e395bf4e82e07eb8a94dd186dce1613a118e0da728f08985755f7378.exe	28

C:\Users\Admin\AppData\Local\Temp\adb35039e395bf4e82e07eb8a94dd186dce1613a118e0da728f08985755f7378.exe
"C:\Users\Admin\AppData\Local\Temp\adb35039e395bf4e82e07eb8a94dd186dce1613a118e0da728f08985755f7378.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976
- C:\ProgramData\iqutwe.exe
  "C:\ProgramData\iqutwe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Saaaalamm\Mira.h

Filesize
268KB

MD5
15cccb964efeeb58f9cd8ebf5757b3a1

SHA1
cda2c453e19b020166b7a89d4389d33300a7febb

SHA256
4dbb6abdd207bfb4d794a8305d28e352deb8281efe70e4365d05263f80c395a7

SHA512
b933d0a0ca1ea341d0ef24903b68f09115859515b1949be109f05b414a2656e16bba686edac405fc9174ddbbf0942abf8042707b82a7382782ca3b838f8628fa

Download Submit
C:\ProgramData\iqutwe.exe

Filesize
454KB

MD5
737c41d0a5d1f0f0c9657de5fb85ba7e

SHA1
53dd59e8863a460c4721e8d0855e6fc017487310

SHA256
6ddba8f431b2a2287489c26fb1ceb007e2c70d31b05fdc13a1c3d3f2bef7ee13

SHA512
68d378cc7196b9d5ee30818a530fc9029ff6e01695261eee9cc6679df9eb10550f38b920bb611dcd2d32746353f724490d68995775983ba27b90b7e3ae69dbae

Download Submit
C:\ProgramData\iqutwe.exe

Filesize
454KB

MD5
737c41d0a5d1f0f0c9657de5fb85ba7e

SHA1
53dd59e8863a460c4721e8d0855e6fc017487310

SHA256
6ddba8f431b2a2287489c26fb1ceb007e2c70d31b05fdc13a1c3d3f2bef7ee13

SHA512
68d378cc7196b9d5ee30818a530fc9029ff6e01695261eee9cc6679df9eb10550f38b920bb611dcd2d32746353f724490d68995775983ba27b90b7e3ae69dbae

Download Submit
\ProgramData\iqutwe.exe

Filesize
454KB

MD5
737c41d0a5d1f0f0c9657de5fb85ba7e

SHA1
53dd59e8863a460c4721e8d0855e6fc017487310

SHA256
6ddba8f431b2a2287489c26fb1ceb007e2c70d31b05fdc13a1c3d3f2bef7ee13

SHA512
68d378cc7196b9d5ee30818a530fc9029ff6e01695261eee9cc6679df9eb10550f38b920bb611dcd2d32746353f724490d68995775983ba27b90b7e3ae69dbae

Download Submit
\ProgramData\iqutwe.exe

Filesize
454KB

MD5
737c41d0a5d1f0f0c9657de5fb85ba7e

SHA1
53dd59e8863a460c4721e8d0855e6fc017487310

SHA256
6ddba8f431b2a2287489c26fb1ceb007e2c70d31b05fdc13a1c3d3f2bef7ee13

SHA512
68d378cc7196b9d5ee30818a530fc9029ff6e01695261eee9cc6679df9eb10550f38b920bb611dcd2d32746353f724490d68995775983ba27b90b7e3ae69dbae

Download Submit
memory/1976-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download