9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd

Analysis

max time kernel
31s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd.exe
Size

932KB
MD5

0f7bfe0b1d83928a4783c8073f91da70
SHA1

6f1d5c1fd1deed3986d9a80c1ca6277e74e29a79
SHA256

9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd
SHA512

adf931a777d9353fdf153ad49fe37f0f4a5e309016492cad1d6a6478e5cc720d440c1e86700a1bef26adcd028989ae44b61340fd1cf7a63856412d78c73f5508
SSDEEP

12288:71/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0FoWxJpcEi0/3IWV//7cSdAunKMBlRP33:71/aGLDCM4D8ayGMZo8/EsKzpdM7j

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1808	kolva.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\kolva.exe"	kolva.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 1808	4948	9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd.exe	60
PID 4948 wrote to memory of 1808	4948	9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd.exe	60
PID 4948 wrote to memory of 1808	4948	9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd.exe	60

C:\Users\Admin\AppData\Local\Temp\9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd.exe
"C:\Users\Admin\AppData\Local\Temp\9d05e6cd8098cdc0a7c1910c2eebeadc3e7f81442bbb69ea41e03390a5e7c9fd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4948
- C:\ProgramData\kolva.exe
  "C:\ProgramData\kolva.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Saaaalamm\Mira.h

Filesize
394KB

MD5
b33bdc899f9a976363a9ba342d7fe942

SHA1
fe8a7a50f71c08bfc8cd3c36e959e4885e893dbe

SHA256
dd93fd1c39fd7c65413d8a36219c41a495d33b2b382e03369784a1465d8274fe

SHA512
02fd04627557a23a8642f3df44fae04a609a617ec8602ea9976ad1739b18dc7197b55c849a453a4d2060824bc837154c219b435f19c66a6d1ec8ae2342fa5622

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
477KB

MD5
71e38cb8371fa644436922e0eee6040d

SHA1
6e9e897cb95fd8434891e87a584f5f1b9482cae2

SHA256
2c97f31658ca63791439d384a5c4488bdca89adac6c363c2cc97e5763af30db4

SHA512
852954de6ce9732c6533d475ebd22f308c5659690d5197dd5865cde0ef740b40f380035baf8d9e6e38dc0541b5f16ffb01ea1560cbb89528ec4b2214c7fcc3be

Download Submit
C:\ProgramData\kolva.exe

Filesize
409KB

MD5
6f8afa4750430239aa7a34cb46c12b2b

SHA1
a58d0eaa1bb556bd1920e928ea4a27d24f1f9d44

SHA256
7aa5c3b1e603b055c0613c7d91344358da54bd4ffaac24510a83927f32b81c6a

SHA512
7ebbaadae6360db632504d96643a961e88516fa476cfc182aca9567325827174879fab64143573e296f091c2196835d7ec7694d8c7a4805f374baecb3303ab83

Download Submit
C:\ProgramData\kolva.exe

Filesize
454KB

MD5
cacfe159ab07a77ae67255517e5445f3

SHA1
22df11c2fe1e24561ac0bb909f5642cf67143661

SHA256
c0cd5222bebb00a1fa13b91519ae949669f63b228f5ec30e334239e522aed9ae

SHA512
d7aef2114a07b34784e89ebaa3b544150e907f9ed6be9ab20c9d329b7df932447dc20f9b465bee53823419f86208f3718460090444cb456247c2d6497bd90d68

Download Submit
memory/4948-132-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4948-137-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download